
Thread: Remote Buffer Overflows

  1. #1

    Remote Buffer Overflows

    Hey,

    I have a simple question. How does the shell (cmd.exe) get bound to a port (i.e. how does stdin/stdout get routed through a TCP/IP connection)?

    I guess another way of asking this is how netcat is able to execute cmd.exe and bind it to a port; I don't understand how calling cmd from an app that uses sockets makes cmd take commands from sockets and whatnot.

    I have read the source code to netcat, but I'm quite overwhelmed; it's really messy.

    Any help would be great,
    Thanks

    EDIT:

    I'm talking about WinNT - Win2K - Win XP - Win2k3
    (not linux/unix)

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Not that I know anything about netcat, but tedbob1 did a series of tuts that may help.

    http://www.antionline.com/showthread...hreadid=231562

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    messy it may be, but still very effective. it's no different than telnet. in the telnet configuration you tell it to run cmd.exe, far, midnight commander, whatever, after a shell is established. not so eloquently, in netcat you do it with the -e flag (-ecmd.exe, -efar.exe etc). really, what's the difference if you're directing output straight to your monitor or to a socket? it's all ones and zeros until it gets where it's going, so to speak.

    i just found myself clicking on "buffer overflows" and found myself here again. so i guess you're asking how a buffer overflow gets netcat to do this. well, the buffer overflow does not contain nc (netcat), nor usually does the computer that's attacked. buffer overflows are very limited in size, so one might open a shell that takes commands and with that use tftp to download larger files and run them, or the exploit code might just issue the commands to tftp nc and run it with arguments, depending on how much space the overflow provides. usually the shell that's created in this way is a 'reverse' shell, that is, the attacker needs to have two instances of nc running on her/his machine, one sending commands and the other listening for responses. nc is not needed on the remote machine, it's just easier for the attacker to do so.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Originally posted here by Tedob1
    messy it may be, but still very effective. it's no different than telnet. in the telnet configuration you tell it to run cmd.exe, far, midnight commander, whatever, after a shell is established. not so eloquently, in netcat you do it with the -e flag (-ecmd.exe, -efar.exe etc). really, what's the difference if you're directing output straight to your monitor or to a socket? it's all ones and zeros until it gets where it's going, so to speak.

    i just found myself clicking on "buffer overflows" and found myself here again. so i guess you're asking how a buffer overflow gets netcat to do this. well, the buffer overflow does not contain nc (netcat), nor usually does the computer that's attacked. buffer overflows are very limited in size, so one might open a shell that takes commands and with that use tftp to download larger files and run them, or the exploit code might just issue the commands to tftp nc and run it with arguments, depending on how much space the overflow provides. usually the shell that's created in this way is a 'reverse' shell, that is, the attacker needs to have two instances of nc running on her/his machine, one sending commands and the other listening for responses. nc is not needed on the remote machine, it's just easier for the attacker to do so.
    Right,

    as you said, it's just about routing the 1's and 0's from the shell to the socket, and I know this. my original question was, how. How does one do this?

    Thanks

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    in that case you got the answer twice. one look in the tuts and the other with -e
    but here it is again
    nc -L -p<port> -ecmd.exe

    to connect to it:
    nc -vv <ipaddress> <sameport>

    if you're asking how to do a buffer overflow... boy are you in the wrong place!

    phrack has an article on 'smashing the stack' you'll have to search for the issue

    and NewOrder has a good article on it as well

    just do us all a favor and don't ask here. just my opinion, but i think you might get negged off the site. i could be wrong.

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    My C/C++ book has a note that might pertain...

    "Remember that redirecting and piping stdin and stdout are features of the operating system and not of the C language itself. However, it does provide another example of the flexibility of streams."

    With that, my best guess is that some call to the OS is made. I never looked at the NC src myself, but are there any system calls anywhere? If so, is there a pipe symbol (|)? If so, it is probably done there. The example in my book shows something to the extent that, using piping, the program can get its output redirected to another program, such as CMD. So something like "CMD | NC -options" might be done, and as NC outputs its data the OS will redirect it into CMD...? Am I making sense? It is just my guess though, since I haven't actually looked at the sources... I'm lazy at that sort of thing :P.

  7. #7
    no,

    I'm not asking how to use netcat, and no, I'm not asking about how to do a buffer overflow.

    What do you think I am, a script kiddie with a vendetta against my dad or something? Perhaps I'm phrasing this wrong, but I thought I stated this question really well.

    How does the shell (cmd.exe) get bound to a port (i.e. how does stdin/stdout get routed through a TCP/IP connection)?
    This was the original question. I was asking how to route StdIn/StdOut, not how to use netcat.

    If you read my post further you find:

    I guess another way of asking this is how netcat is able to execute cmd.exe and bind it to a port; I don't understand how calling cmd from an app that uses sockets makes cmd take commands from sockets and whatnot.

    "How is netcat able" is the key portion of that question.

    Does anyone have any other information to offer?
    Thanks

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Search the Phrack archives. They have some articles on creating shellcode (which is what you really are after).
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    "what do you think i am, a script kiddie with a vendetta"

    no offense meant, but i don't know you and your questions have been vague, so i tried to answer any possibility. i investigate/try out every exploit i find, trying to understand it, play with the code etc., try it on different machines and so on.... i'm not out to 'get' anybody, so i wasn't assuming that of you. but some around here do, so i thought i'd warn ya

  10. #10
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    stdin, stdout, and stderr are just special file descriptors;
    you can close, open, reopen, ... these file descriptors just as you would any other.

    your question is a little confusing, but I think what you're referring to is called "interprocess communication", where the stdout/stderr of one process is usually redirected back to the stdin of the calling process.
    you should read the man page on popen.


    here's a little snippet I wrote for interprocess communication where the parent will read up to 32768 characters before closing the pipe and terminating the child process

    #include <stdio.h>

    /* Run `command` in a child process and read up to 32768 bytes of its
     * stdout through a pipe into read_buf (which must hold 32768 bytes).
     * Returns the value pclose() reports for the child, or -1 on error. */
    int read_child_output(const char *command, char *read_buf)
    {
        FILE *child_stream;
        int c, y, status;

        child_stream = popen(command, "r");   /* spawn child, read its stdout */
        if (child_stream == NULL)
            return -1;
        y = 0;
        while ((c = fgetc(child_stream)) != EOF)
        {
            read_buf[y] = c;
            y++;
            if (y > 32767)                    /* buffer full: stop reading */
                break;
        }
        status = pclose(child_stream);        /* close the pipe, wait for the child */
        return status;
    }
    That which does not kill me makes me stronger -- Friedrich Nietzsche
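As an added illustration (not code from this thread), here is the plumbing the original question is about, on a POSIX system: the parent creates a socket pair, the child dup2()s its end of the socket onto fd 0, 1 and 2 and then execs a program, and the parent talks to that program over the socket. The program execed here is `tr` (standing in for the cmd.exe of the `-e` case, chosen so the example is harmless); `run_over_socket` is an assumed helper name. The Windows port of netcat does the equivalent by handing the socket to CreateProcess as the child's inherited standard handles.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Start `tr a-z A-Z` as a child whose stdin/stdout/stderr are one end of
 * a socket pair, send `input` to it through the socket, and collect the
 * child's reply in `out` (capacity `outsz`). Returns bytes read or -1.
 * Assumed helper written for this illustration. */
int run_over_socket(const char *input, char *out, size_t outsz)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Child: the socket becomes fd 0, 1 and 2. The program that is
         * exec'd afterwards simply reads "commands" from stdin and writes
         * its answers to stdout; it never knows those are a socket. */
        close(sv[0]);
        dup2(sv[1], STDIN_FILENO);
        dup2(sv[1], STDOUT_FILENO);
        dup2(sv[1], STDERR_FILENO);
        close(sv[1]);
        execlp("tr", "tr", "a-z", "A-Z", (char *)NULL);
        _exit(127);                       /* only reached if exec failed */
    }
    /* Parent: talk to the child through the other end of the socket. */
    close(sv[1]);
    size_t len = strlen(input);
    if (write(sv[0], input, len) != (ssize_t)len) {
        close(sv[0]);
        return -1;
    }
    shutdown(sv[0], SHUT_WR);             /* EOF on the child's stdin */
    size_t total = 0;
    ssize_t n;
    while (total < outsz - 1 &&
           (n = read(sv[0], out + total, outsz - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(sv[0]);
    waitpid(pid, NULL, 0);                /* reap the child */
    return (int)total;
}
```

The same fact is useful from the other side: a process whose standard handles are a socket rather than a console or pipe is exactly what this plumbing produces, which is why endpoint tooling flags it.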
