Tinyweb: Going Remote

Nov 08, 2008
·
exploit
linux

Exploiting is fun, well it is for my at least (Who would have thought huh?). Everytime the execution flow goes wherever I wanted to go I'm a happy guy. This is the case when exploitation happens in the same machine I'm using but can be even more flattering if you make your move over the net. As one underground hacker once told me, "remote? yes, thats were the money is". Not that I intend to make big bucks with this thing but anyway, for some time now I wanted to go remote for once; Metasploit is nice, but there's nothing like self crafting right? :-) Introductions apart, today I'll cover a remote exploit for a example featured in Jon Erickson's masterpiece The Art of Exploitation. This particular case consists of a simple web server that handles HTTP request and listens in the standard 80 port. You can get the source code from the site in the link above, I hope they don't get mad at me for this. As always whenever we have access to the source code, let's take a review to the vulnerable section:

int recv_line(int sockfd, unsigned char *dest_buffer) {
#define EOL "\r\n" // End-Of-Line byte sequence
#define EOL_SIZE 2
   unsigned char *ptr;
   int eol_matched = 0;

   ptr = dest_buffer;
   while(recv(sockfd, ptr, 1, 0) == 1) { // read a single byte
      if(*ptr == EOL[eol_matched]) { // does this byte match terminator
         eol_matched++;
         if(eol_matched == EOL_SIZE) { // if all bytes match terminator,
            *(ptr+1-EOL_SIZE) = '\0'; // terminate the string
            return strlen(dest_buffer); // return bytes recevied
         }
      } else {
         eol_matched = 0;
      }
      ptr++; // increment the pointer to the next byter;
   }
   return 0; // didn't find the end of line characters
}As you can see,

recv_line() in the hacking-network.h header file takes care of receiving packets across the socket but fails in limiting the size of the data received to fit properly inside the dest_buffer, which is allocated in the stack by the caller. The exploit is trivial from now on, all we need to do is build a evil buffer that will include a nop sled, the shellcode and the return address to be substituted. In this particular case we have 540 from the beginning of the buffer up to the return address and since this is supposed to be a HTTP packet, we will avoid depending on the first 100~ bytes of the buffer just in case the server makes operations in the packet headers. In my particular exploit, I used the first 250 bytes as nop sled, then the shellcode (a basic one that just pops a shell in the server as PoC), and then NOP's as junk to make the return address get where he needs. Remember to avoid using the very beginning of our buffer as return address landing because it might be clobbered by http header handling. Personally I suggest using core dumps to get a good grasp of the memory layout and choose a proper landing address (Remember to set "ulimit -c unlimited" to get core dumps).You can get my code from here. This is how the server looked after successful exploitation:

kaka:/home/infi/tinyweb # ./tinyweb
Accepting web requests on port 80
Got request from 192.168.44.1:47142 "1À1Û1É°€Íj
                                               XQh//shh/binãQâSáÍ ñÿ¿"
 NOT HTTP!
sh-2.05b#

Tinyweb: Going Remote

« Windows Exploitation - Beating the German

« Windows Exploitme: The Girl

« Advanced Buffer Overflows - Ultimatum

Reviewing Netopia SW DCS 5.1.2 »

Autumn-Winter Break »

VUPlayer 2.49 Playlist Parsing Buffer Overflow »