Remote Buffer Overflows - Page 2

Thread: Remote Buffer Overflows

  1. #11
    intresting:

    so, would this pseudo code work...

    Code:
    SOCKET s;
    char *buffer = new char[32768];
    
    system("cmd.exe");
    
    while(1)
    {
            ret = recv(s,buffer,strlen(buffer));
            write(handle_to_cmd,buffer,strlen(buffer));
    
    }
    how would you take stdout and reroute it to the socket? Would you just:
    Code:
    read(handle_to_command,buffer,strlen(buffer));
    send(s,buffer,strlen(buffer));
    S3cur|ty4ng31:
    in your code, what type of var is command, and how is it defined and assigned? Thanks for the code


    Thanks

  2. #12
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    To answer your question, it is done through calls to the operating system (usually through BSD-style sockets, known as the Berkeley Sockets Interface) by creating a socket() and then using bind() to bind a name to the socket, which can then be used as an endpoint for communication that the shell uses for input and output.

    I recommend reading the following *nix man entries or finding the Winsock equivalent (for Windows socket programming):

    connect(2), listen(2), socket(2), getsockname(2), accept(2), bind(2), connect(2), getprotoent(3), getsockname(2), getsockopt(2), ioctl(2), listen(2), read(2), recv(2), select(2), send(2),
    shutdown(2), socketpair(2), write(2)


    -Maestr0


    Edit: I see your question has already been answered, I was a bit late.
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  3. #13
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    command is a char array that has the full path of the binary you wish to run

    this is *nix code though, and you keep talking about cmd.exe, so does this mean you're trying to create a program on windoze?
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  4. #14
    yes,

    said isn't it...

    Maestr0: Ya, I'm quite familiar with winsock programming; however, how would you pass the shell to the bind function? And then I'm assuming that you would have two sockets, one to the shell and one to the target.

    ie.
    Code:
    SOCKET listeningSocket;
    SOCKET shell;
    SOCKET target;
    char cmd[] = "C:\\WINNT\\SYSTEM32\\cmd.exe"; /* every backslash in a C string literal must be doubled */
    char *command = new char[32768];
    target = accept(listeningSocket,10);
    
    popen(cmd,"rw");
    ret = bind(shell,<????>,sizeof(socketaddr_in));
    while(ret != 0 || ret != SOCKET_ERROR)
    {
         ret = recv(target,command,strlen(command));
         send(shell,command,strlen(command));
         recv(shell,command,strlen(command));
         send(target,command,strlen(command));
    }
    
    pclose(cmd); //i know this is wrong, i'm not used to this function
    closesocket(target);
    closesocket(shell);
    closesocket(listeningSocket);
    something like that?

    EDIT:
    added close statements
    also, yes this is for windows (preferably XP Home/Pro, but win 2k is fine)

  5. #15
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    those commands I gave you are for a *nix system.
    Ok, let's start at the beginning again.
    Basically you want a program that listens on a port and executes the commands that are passed to it? Is that correct?
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  6. #16
    yes,

    that is correct.

  7. #17
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    here is the code you'll need for windows then ..

    it takes a command and a char array pointer for the data returned; it currently only gets 1024 chars back but you can change that to whatever you want


    Code:
    #include <windows.h>
    #include <stdio.h>
    #include <string.h>
    #include <time.h>
    #include <conio.h>

    /* IsWinNT() and ErrorMessage() are referenced by the post but not shown;
       these are assumed minimal versions so the unit compiles. */
    static BOOL IsWinNT(void)
    {
        return (GetVersion() & 0x80000000) == 0;   /* high bit is set on Win9x/ME */
    }

    static void ErrorMessage(const char *where)
    {
        fprintf(stderr, "%s failed, error %lu\n", where, GetLastError());
    }

    /* Copy everything currently waiting in the pipe into temp_data.
       NOTE: like the original, this strcat()s into temp_data without knowing
       its size, so the caller must pass a buffer large enough for the output. */
    static void DrainPipe(HANDLE read_stdout, char *temp_data)
    {
        char buf[1024];
        unsigned long avail = 0, bread = 0;   /* bytes available / bytes read */

        for (;;)
        {
            /* only read when data is pending; ReadFile on an empty pipe blocks */
            if (!PeekNamedPipe(read_stdout, NULL, 0, NULL, &avail, NULL) || avail == 0)
                return;
            ZeroMemory(buf, sizeof buf);
            if (!ReadFile(read_stdout, buf, sizeof buf - 1, &bread, NULL))
                return;
            strcat(temp_data, buf);           /* buf is NUL-terminated by the ZeroMemory */
        }
    }

    DWORD ExecuteAndWaitForCompletion(LPCTSTR pszCmd, char *temp_data)
    {
        BOOL bRes;
        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        SECURITY_ATTRIBUTES sa = { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
        SECURITY_DESCRIPTOR sd;
        HANDLE newstdout, read_stdout;        /* pipe handles */
        unsigned long exitcode = 0;           /* process exit code */
        time_t start_time;
        TCHAR cmdline[1024];                  /* CreateProcess may modify its command line */

        temp_data[0] = '\0';

        if (IsWinNT())                        /* initialize security descriptor (Windows NT) */
        {
            InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
            SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
            sa.lpSecurityDescriptor = &sd;
        }
        else
        {
            sa.lpSecurityDescriptor = NULL;
        }
        sa.nLength = sizeof(SECURITY_ATTRIBUTES);
        sa.bInheritHandle = TRUE;             /* allow inheritable handles */

        if (!CreatePipe(&read_stdout, &newstdout, &sa, 0))   /* create stdout pipe */
        {
            ErrorMessage("CreatePipe");
            getch();
            return (DWORD)-1;
        }

        GetStartupInfo(&si);                  /* set startupinfo for the spawned process */
        si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
        si.wShowWindow = SW_HIDE;
        si.hStdOutput = newstdout;
        si.hStdError = newstdout;             /* set the new handles for the child process */

        lstrcpyn(cmdline, pszCmd, sizeof cmdline / sizeof cmdline[0]);
        bRes = CreateProcess(NULL, cmdline, NULL, NULL, TRUE,
                             NORMAL_PRIORITY_CLASS, NULL /*GetEnvironmentStrings()*/,
                             NULL, &si, &pi);
        if (!bRes)
        {
            /* GetLastError() returns a DWORD, so %lu rather than %s */
            _snprintf(temp_data, 128, "Process Failed : %lu", GetLastError());
            CloseHandle(newstdout);
            CloseHandle(read_stdout);
            return (DWORD)-1;
        }
        Sleep(3000);

        start_time = time(NULL);
        for (;;)                              /* main program loop */
        {
            if (time(NULL) - start_time > 45)
            {
                strcpy(temp_data, "NO MEMORY\nPlugin failed to finish in allotted amount of time\n");
                TerminateProcess(pi.hProcess, (UINT)-1);   /* the process handle, not bRes */
                break;
            }

            DrainPipe(read_stdout, temp_data);      /* check for data to read from stdout */

            GetExitCodeProcess(pi.hProcess, &exitcode);   /* while the process is running */
            if (exitcode != STILL_ACTIVE)
            {
                DrainPipe(read_stdout, temp_data);  /* pick up any final output */
                break;
            }
            Sleep(500);
        }

        /* cleanup */
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        CloseHandle(newstdout);
        CloseHandle(read_stdout);

        return exitcode;
    }
    That which does not kill me makes me stronger -- Friedrich Nietzsche
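    The posted function strcat()s each 1023-byte chunk into temp_data without knowing how big temp_data is, so a chatty child overflows the caller's buffer. The bounded drain loop below is an added example, not code from the thread; it stands in a portable FILE* stream for the Windows pipe handle (on Windows the same loop would wrap ReadFile on read_stdout), and the input is constructed with tmpfile().

```c
#include <stdio.h>
#include <string.h>

#define CHUNK 1023   /* same read size the posted ReadFile loop uses */

/* Result of draining a child's output into a caller-supplied buffer. */
typedef struct {
    size_t kept;       /* bytes stored in dst, not counting the NUL */
    int    truncated;  /* 1 if the source produced more than dst could hold */
} capture_result;

/* Drain src in CHUNK-byte reads into dst, which holds at most cap bytes
   including the terminating NUL. Unlike strcat, this never writes past
   dst + cap: once dst is full the rest of the output is consumed and
   dropped, and the result says so. Assumption: src is a FILE* (a stand-in
   for the pipe read handle). */
capture_result capture_bounded(FILE *src, char *dst, size_t cap)
{
    capture_result r = { 0, 0 };
    char buf[CHUNK];
    size_t n;

    if (cap == 0 || src == NULL) { r.truncated = 1; return r; }
    dst[0] = '\0';
    while ((n = fread(buf, 1, sizeof buf, src)) > 0) {
        size_t room = cap - 1 - r.kept;      /* space left before the NUL */
        size_t take = n < room ? n : room;
        memcpy(dst + r.kept, buf, take);
        r.kept += take;
        dst[r.kept] = '\0';
        if (take < n) r.truncated = 1;       /* dropped, not overflowed */
    }
    return r;
}

/* Constructed input: 3000 'A's, more than the 1024-byte destination. */
capture_result demo(void)
{
    char dst[1024];
    capture_result r = { 0, 0 };
    FILE *src = tmpfile();
    int i;

    if (src == NULL) return r;
    for (i = 0; i < 3000; i++) fputc('A', src);
    rewind(src);
    r = capture_bounded(src, dst, sizeof dst);   /* kept 1023, truncated 1 */
    fclose(src);
    return r;
}
```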

  8. #18
    Thanks,

    That's great =)

  9. #19
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    I'd like to get a copy of your program if possible. I spent a lot of time fixing that windows execution code and it would be nice to see it used in other programs
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  10. #20
    thanks,

    yes, that's what I wanted to do, interprocess communication. I'll look more into applications of pipes.

    Thanks for the src =)
