Shellcode alone is not enough to carry out an attack: it needs a vulnerability to deliver it, and real-world vulnerabilities are complex and hard to find. So I build a purpose-made vulnerability to attack instead.
Specifically, it is a simple TCP server that contains an obvious stack overflow vulnerability.
The code is as follows:
/*
 * NOTE(review): this listing is extraction-garbled (gutter numbers fused
 * into the code, parentheses and identifier casing lost), so it is kept
 * as-is rather than reconstructed. Security-relevant points that are
 * still visible in it:
 *  - recvastring() passes recv() a fixed length (1024, as far as the
 *    garbled text shows) while buff is a fixed-size stack array whose
 *    declared size was lost in extraction. The read should be bounded by
 *    the destination, `recv(new_fd, buff, sizeof buff, 0)`; this is the
 *    stack overflow the surrounding text describes.
 *  - get_sp() has no return statement; it relies on the inline asm
 *    leaving %esp in %eax, which standard C does not guarantee.
 *  - get_sp() (unsigned long) and &buff (a pointer) are printed with %x;
 *    the conversions should match the argument types (%lx and %p).
 *  - Each client is served in a fork()ed child and the parent never calls
 *    wait(), so exited children are left as zombies (<sys/wait.h> is
 *    included but unused).
 *  - The build line shown later on this page disables the stack protector
 *    and makes the stack executable; both are protections a normal build
 *    keeps enabled.
 */
1 /*server.c*/2#include <stdio.h>3#include <stdlib.h>4#include <errno.h>5#include <string.h>6#include <sys/types.h>7#include <netinet/inch.h>8#include <sys/socket.h>9#include <sys/wait.h>Ten#include <arpa/inet.h> One voidShowclientinf (structsockaddr_in client_addr) { Aprintf"\nthe IP of client is:%s", Inet_ntoa (CLIENT_ADDR.SIN_ADDR)); -printf"\nthe Port of client is:%d\n", Ntohs (Client_addr.sin_port)); - } theUnsignedLongGET_SP (void) - { -__ASM__ ("MOVL%esp,%eax"); - } + voidtestf () - { +printf"ttttt\n"); A } at - - voidRecvastring (intnew_fd) - { -UnsignedCharbuff[ -]; - intI=0; inprintf"sp=0x%x,addr=0x%x bytes.\n", get_sp (),&buff); - intNumBytes = recv (New_fd,buff,1024x768,0); to if(numbytes==-1) + { -Perror ("recv"); theExit9); * } $ }Panax Notoginseng intMain () { - intsockfd,new_fd; the structsockaddr_in my_addr; + structsockaddr_in their_addr; A intflag=1, len=sizeof(int); the intsin_size; + Charbuff[ -]; - intnumbytes; $printf"socket\n"); $ if(SOCKFD = socket (Af_inet,sock_stream,0))==-1) { -Perror ("Socket"); -Exit1); the } -my_addr.sin_family =af_inet;WuyiMy_addr.sin_port = htons (7777); theMY_ADDR.SIN_ADDR.S_ADDR =Inaddr_any; -Bzero (& (My_addr.sin_zero),8); Wuprintf"bind\n"); - if(SetSockOpt (SOCKFD, Sol_socket, SO_REUSEADDR, &flag, Len) ==-1) About { $Perror ("setsockopt"); -Exit1); - } - if(Bind (SOCKFD, (structSOCKADDR *) &my_addr,sizeof(structSOCKADDR)) ==-1) A { +Perror ("Bind"); theExit1); - } $printf"listen\n"); the if(Listen (SOCKFD,Ten)==-1) { thePerror ("Listen"); theExit1); the } -printf"Server is run...\n"); in while(1) { theSin_size =sizeof(structsockaddr_in); theprintf"accept\n"); About if(new_fd = Accept (SOCKFD, (structSOCKADDR *) the&their_addr,&sin_size)) ==-1) the { thePerror ("Accept"); +Exit1); - } the Showclientinf (their_addr);Bayi if(!Fork ()) { theprintf"recv\n"); the recvastring (NEW_FD); -printf"close-new_fd 1\n"); - Close (NEW_FD); theExit0); the } theprintf"close-new_fd 2\n"); the Close (NEW_FD); - } 
theprintf"close-sockfd\n"); the Close (SOCKFD); the}
The core of this is the recvastring function we are concerned with, which contains an obvious stack overflow vulnerability. Looking at it specifically:
/*
 * NOTE(review): garbled listing kept as-is. The defect: recv() is given a
 * fixed length (1024, as far as the text shows) while buff is a fixed-size
 * stack array whose declared size was lost in extraction, so a message
 * longer than buff overwrites the stack beyond it. Bounding the read by
 * the destination, `recv(new_fd, buff, sizeof buff, 0)`, removes the
 * overflow. Also visible: the stack pointer and &buff are printed with
 * %x (use %lx / %p to match the types), and `i` is declared but never
 * used.
 */
1 voidRecvastring (intnew_fd)2 {3UnsignedCharbuff[ -];4 intI=0;5printf"sp=0x%x,addr=0x%x bytes.\n", get_sp (),&buff);6 intNumBytes = recv (New_fd,buff,1024x768,0);7 if(numbytes==-1)8 {9Perror ("recv");TenExit9); One } A}
Compile and build it the same way:
gcc -fno-stack-protector -z execstack -g -o server Socketserver.c
[email protected]:/mnt/hgfs/r/stack $ ./server
socket
bind
listen
Server is run...
accept
Stack overflow attack using Metasploit - 3