[Full-disclosure] Portable shell-exploit for buffer-overflow bugs

Hello str0ke,

I reviewed the exploits listed. Yes, all of them use the shell but they
exploit trivially shell-exploitable bugs (like race conditions, ld-preload,
etc) or include other "external" programs (like cc, perl, etc) or assume
Linux/bash as well as other more or less recent environments.

The nearest exploit to what I was looking for (buffer overflow exploit in
shell-scripting) is:
http://milw0rm.com/exploits/18

But it lacks compatibility. For instance, "echo" command is very variable,
depending on OS/Shell version. I've uploaded a proof of concept which I
wrote some time ago, showing my approach, to:
http://www.rs-labs.com/exploitsntools/rs_aix_host.sh
(~6 KB)

It may not be perfect but my goal was to make it work in a very old minimal
Unix environment (the exploit yields local root on AIX 4.1.4.0, abusing a
known and ancient bug: ~ 10 years old!) and at the same time compatible
with some recent systems like Linux/bash (logically, the vulnerability is
not present in such systems, I'm referring to the skel of the exploit).

Feedback would be appreciated.

PS: I'm cc'ing some lists where this post could suit. Moderators should decide.

Cheers,
-Roman


str0ke escribió:
> How goes it Roman,
>
> > Which other "curious" exploits in shell do you know of?
>
> Attached is a list of the known exploits that are in shell, some call
> other languages some don't.
>
> Be safe,
> /str0ke
>
>
> ------------------------------------------------------------------------
>
> date          exploit title                                                   
>                 exploit                                 author                
>   platform
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 2003-04-23    Snort <=1.9.1 Remote Root Exploit (p7snort191.sh)               
>                 http://milw0rm.com/exploits/18          truff                 
>   linux
> 2003-05-02    OpenSSH/PAM <= 3.6.1p1 Remote Users Ident (gossh.sh)            
>                 http://milw0rm.com/exploits/26          Nicolas Couture       
>   linux
> 2003-07-22    Cisco IOS (using hping) Remote Denial of Service Exploit        
>                 http://milw0rm.com/exploits/62          zerash                
>   hardware
> 2004-01-25    MS Windows XP/2003 Samba Share Resource Exhaustion Exploit      
>                 http://milw0rm.com/exploits/148         Steve Ladjabi         
>   windows
> 2000-11-16    /sbin/restore exploit (rh6.2)                                   
>                 http://milw0rm.com/exploits/182         n/a                   
>   linux
> 2000-11-17    Slackware Linux /usr/bin/ppp-off Insecure /tmp Call Exploit     
>                 http://milw0rm.com/exploits/185         sinfony               
>   linux
> 2000-11-19    dump 0.4b15 Local Root Exploit                                  
>                 http://milw0rm.com/exploits/193         Mat                   
>   linux
> 2000-11-19    HP-UX 11.00/10.20 crontab Overwrite Files Exploit               
>                 http://milw0rm.com/exploits/195         dubhe                 
>   hp-ux
> 2000-11-21    vixie-cron Local Root Exploit                                   
>                 http://milw0rm.com/exploits/203         Michal Zalewski       
>   linux
> 2000-12-15    Pine (Local Message Grabber) Exploit                            
>                 http://milw0rm.com/exploits/231         Mat                   
>   linux
> 2001-01-02    Redhat 6.1 / 6.2 TTY Flood Users Exploit                        
>                 http://milw0rm.com/exploits/236         teleh0r               
>   linux
> 2001-01-03    Solaris 2.6 / 7 / 8 Lock Users Out of mailx Exploit             
>                 http://milw0rm.com/exploits/240         optyx                 
>   solaris
> 2001-01-25    glibc-2.2 and openssh-2.3.0p1 exploits glibc >= 2.1.9x          
>                 http://milw0rm.com/exploits/258         krochos               
>   linux
> 2001-05-07    IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/bin/lpstat Local Exploit 
>                 http://milw0rm.com/exploits/265         LSD-PLaNET            
>   irix
> 2001-05-08    IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/lib/print/netprint Local 
> Exploit         http://milw0rm.com/exploits/270         LSD-PLaNET            
>   irix
> 2001-03-04    GLIBC 2.1.3 ld_preload Local Exploit                            
>                 http://milw0rm.com/exploits/290         shadow                
>   linux
> 1997-05-03    Solaris 2.5.1 lp and lpsched Symlink Vulnerabilities            
>                 http://milw0rm.com/exploits/330         Chris Sheldon         
>   solaris
> 1997-05-19    Solaris 2.5.0/2.5.1 ps & chkey Data Buffer Exploit              
>                 http://milw0rm.com/exploits/332         Joe Zbiciak           
>   solaris
> 2004-07-22    Xitami Web Server Denial of Service Exploit                     
>                 http://milw0rm.com/exploits/362         CoolICE               
>   windows
> 2004-09-07    CDRDAO Local Root Exploit                                       
>                 http://milw0rm.com/exploits/434         Karol Wiêsek          
>   linux
> 2004-09-22    MS Windows JPEG Processing Buffer Overrun Exploit (MS04-028)    
>                 http://milw0rm.com/exploits/474         perplexy              
>   windows
> 2004-09-23    MS Windows JPEG GDI+ Overflow Administrator Exploit (MS04-028)  
>                 http://milw0rm.com/exploits/475         Elia Florio           
>   windows
> 2004-09-28    Serendipity 0.7-beta1 SQL Injection Proof of Concept            
>                 http://milw0rm.com/exploits/561         aCiDBiTS              
>   php
> 2004-10-16    BSD bmon <= 1.2.1_2 Local Exploit                               
>                 http://milw0rm.com/exploits/579         Idan Nahoum           
>   bsd
> 2004-12-21    AIX 5.1 to 5.3 lsmcode Local Root Command Execution             
>                 http://milw0rm.com/exploits/701         cees-bart             
>   aix
> 2005-01-30    Linux ncpfs Local Exploit                                       
>                 http://milw0rm.com/exploits/779         super                 
>   linux
> 2005-02-07    Exim <= 4.42 Local Root Exploit                                 
>                 http://milw0rm.com/exploits/796         Dark Eagle            
>   linux
> 2005-03-25    AIX <= 5.3.0 (invscout) Local Command Execution Vulnerability   
>                 http://milw0rm.com/exploits/898         ri0t                  
>   aix
> 2005-04-07    PHP-Nuke 6.x - 7.6 Top module Remote Sql Injection Exploit      
>                 http://milw0rm.com/exploits/921         Fabrizi Andrea        
>   php
> 2005-05-17    Linux Mandrake <= 10.2 cdrdao Local Root Exploit                
>                 http://milw0rm.com/exploits/997         newbug                
>   linux
> 2005-08-05    Lantronix Secure Console Server (edituser) Local Root Exploit   
>                 http://milw0rm.com/exploits/1136        c0ntex                
>   linux
> 2005-09-24    Qpopper <= 4.0.8 (poppassd) Local Root Exploit (linux)          
>                 http://milw0rm.com/exploits/1229        kcope                 
>   linux
> 2005-09-24    Qpopper <= 4.0.8 (poppassd) Local Root Exploit (freebsd)        
>                 http://milw0rm.com/exploits/1230        kcope                 
>   bsd
> 2005-11-08    SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation 
> Exploit            http://milw0rm.com/exploits/1299        Hunger             
>      linux
> 2005-11-09    Operator Shell (osh) 1.7-14 Local Root Exploit                  
>                 http://milw0rm.com/exploits/1300        Charles Stevenson     
>   linux
> 2006-02-08    QNX Neutrino 6.2.1 (phfont) Race Condition Local Root Exploit   
>                 http://milw0rm.com/exploits/1479        kokanin               
>   QNX
> 2006-02-08    QNX RTOS 6.3.0 Insecure rc.local Permissions Plus System Crash 
> Exploit          http://milw0rm.com/exploits/1481        kokanin              
>    QNX
> 2005-10-10    SGI IRIX <= 6.5.28 (runpriv) Design Error Vulnerability         
>                 http://milw0rm.com/exploits/1577        n/a                   
>   irix
> 2006-07-14    Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit 
> (4)              http://milw0rm.com/exploits/2011        Sunay                
>    linux
> 2006-07-15    Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit           
>                 http://milw0rm.com/exploits/2016        Xavier de Leon        
>   linux
> 2006-07-21    MS Internet Explorer (MDAC) Remote Code Execution Exploit 
> (MS06-014)            http://milw0rm.com/exploits/2052        redsand         
>         windows
> 2006-08-01    Mac OS X <= 10.4.7 fetchmail Privilege Escalation Exploit       
>                 http://milw0rm.com/exploits/2108        Kevin Finisterre      
>   osX
> 2006-08-08    liblesstif <= 2-0.93.94-4mdk (DEBUG_FILE) Local Root Exploit    
>                 http://milw0rm.com/exploits/2144        Karol Wiesek          
>   linux
> 2006-08-21    Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow 
> PoC                http://milw0rm.com/exploits/2237        Jacobo Avariento   
>      multiple
> 2006-08-22    Solaris 8 / 9 (/usr/ucb/ps) Local Information Leak Exploit      
>                 http://milw0rm.com/exploits/2242        Marco Ivaldi          
>   solaris
> 2006-09-27    OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service 
> Exploit           http://milw0rm.com/exploits/2444        Tavis Ormandy       
>     multiple

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/