-
February 12th, 2004, 03:34 AM
#1
Member
Remote Buffer Overflows
Hey,
I have a simple question. How does the shell (cmd.exe) get bound to a port (i.e. how does stdin/stdout get routed through a TCP/IP connection)?
I guess another way of asking this is how netcat is able to execute cmd.exe and bind it to a port; I don't understand how calling cmd from an app that uses sockets makes cmd take commands from sockets and whatnot.
I have read the source code to netcat, but I'm quite overwhelmed; it's really messy.
Any help would be great,
Thanks
EDIT:
I'm talking about WinNT - Win2K - Win XP - Win2k3
(not linux/unix)
-
February 12th, 2004, 03:44 AM
#2
Not that I know anything about netcat, but tedbob1 did a series of tuts that may help.
http://www.antionline.com/showthread...hreadid=231562
-
February 12th, 2004, 04:04 AM
#3
Messy it may be, but still very effective. It's no different than telnet: in the telnet configuration you tell it to run cmd.exe, far, midnight commander, whatever, after a shell is established. Not so eloquently, in netcat you do it with the -e flag (-ecmd.exe, -efar.exe etc). Really, what's the difference if you're directing output straight to your monitor or to a socket? It's all ones and zeros until it gets where it's going, so to speak.
I just found myself clicking on "buffer overflows" and found myself here again. So I guess you're asking how a buffer overflow gets netcat to do this. Well, the buffer overflow does not contain nc (netcat), nor usually does the computer that's attacked. Buffer overflows are very limited in size, so one might open a shell that takes commands and with that use tftp to download larger files and run them, or the exploit code might just issue the commands to tftp nc and run it with arguments, depending on how much space the overflow provides. Usually the shell that's created in this way is a 'reverse' shell, that is, the attacker needs to have two instances of nc running on her/his machine, one sending commands and the other listening for responses. nc is not needed on the remote machine; it's just easier for the attacker to do so.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
February 12th, 2004, 05:22 AM
#4
Member
Originally posted here by Tedob1
Messy it may be, but still very effective. It's no different than telnet: in the telnet configuration you tell it to run cmd.exe, far, midnight commander, whatever, after a shell is established. Not so eloquently, in netcat you do it with the -e flag (-ecmd.exe, -efar.exe etc). Really, what's the difference if you're directing output straight to your monitor or to a socket? It's all ones and zeros until it gets where it's going, so to speak.
I just found myself clicking on "buffer overflows" and found myself here again. So I guess you're asking how a buffer overflow gets netcat to do this. Well, the buffer overflow does not contain nc (netcat), nor usually does the computer that's attacked. Buffer overflows are very limited in size, so one might open a shell that takes commands and with that use tftp to download larger files and run them, or the exploit code might just issue the commands to tftp nc and run it with arguments, depending on how much space the overflow provides. Usually the shell that's created in this way is a 'reverse' shell, that is, the attacker needs to have two instances of nc running on her/his machine, one sending commands and the other listening for responses. nc is not needed on the remote machine; it's just easier for the attacker to do so.
Right,
As you said, it's just about routing the 1's and 0's from the shell to the socket, and I know this. My original question was how. How does one do this?
Thanks
-
February 12th, 2004, 05:52 AM
#5
In that case you got the answer twice: one look in the tuts and the other with -e.
But here it is again:
nc -L -p<port> -ecmd.exe
to connect to it:
nc -vv <ipaddress> <sameport>
If you're asking how to do a buffer overflow... boy, are you in the wrong place!
Phrack has an article on 'smashing the stack'; you'll have to search for the issue,
and NewOrder has a good article on it as well.
Just do us all a favor and don't ask here. Just my opinion, but I think you might get negged off the site. I could be wrong.
-
February 12th, 2004, 06:00 AM
#6
My C/C++ book has a note that might pertain...
"Remember that redirecting and piping stdin and stdout are features of the operating system and not of the C language itself. However, it does provide another example of the flexibility of streams."
With that, my best guess is that some call to the OS is made. I never looked at the NC src myself, but is there any system call anywhere? If so, is there a pipe symbol (|)? If so, it is probably done there. The example in my book shows something to the extent that, using piping, the program can get its output redirected to another program, such as CMD. So something like "CMD | NC -options" might be done, and as NC outputs its data the OS will redirect it into CMD...? Am I making sense? It is just my guess though, since I haven't actually looked at the sources... I'm lazy at that sort of thing :P.
-
February 12th, 2004, 03:10 PM
#7
Member
No,
I'm not asking how to use netcat, and no, I'm not asking about how to do a buffer overflow.
What do you think I am, a script kiddie with a vendetta against my dad or something? Perhaps I'm phrasing this wrong, but I thought I stated this question really well.
How does the shell (cmd.exe) get bound to a port (i.e. how does stdin/stdout get routed through a TCP/IP connection)?
This was the original question. I was asking how to route StdIn/StdOut, not how to use netcat.
If you read my post further you find:
I guess another way of asking this is how netcat is able to execute cmd.exe and bind it to a port; I don't understand how calling cmd from an app that uses sockets makes cmd take commands from sockets and whatnot.
"How is netcat able" is the key portion of that question.
Does anyone have any other information to offer?
Thanks
-
February 12th, 2004, 04:44 PM
#8
Search the Phrack archives. They have some articles on creating shellcode (which is what you really are after).
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 12th, 2004, 05:12 PM
#9
"what do you think i am, a script kiddie with a vendetta"
No offense meant, but I don't know you and your questions have been vague, so I tried to answer any possibility. I investigate/try out every exploit I find, trying to understand it, play with the code, etc., try it on different machines and so on.... I'm not out to 'get' anybody, so I wasn't assuming that of you. But some around here do, so I thought I'd warn ya.
-
February 12th, 2004, 05:29 PM
#10
stdin, stdout, and stderr are just special file descriptors.
You can close, open, reopen, ... these file descriptors just as you would any other.
Your question is a little confusing, but I think what you're referring to is called "interprocess communication", where the stdout/stderr of one process is usually redirected back to the stdin of the calling process.
You should read the man page on popen.
Here's a little snippet I wrote for interprocess communication where the parent will read up to 32768 characters before closing the pipe and terminating the child process:
#include <stdio.h>

/* Run `command` through popen() and copy up to 32768 characters of its
 * output into read_buf (caller provides at least 32768 bytes); pclose()
 * then waits for the child. Returns pclose()'s status, or -1 if popen() failed. */
int read_child(const char *command, char *read_buf)
{
    FILE *child_stream;
    int c, y, status;

    child_stream = popen(command, "r");
    if (child_stream == NULL)
        return -1;
    y = 0;
    while ((c = fgetc(child_stream)) != EOF)
    {
        read_buf[y] = c;
        y++;
        if (y > 32767)
            break;
    }
    status = pclose(child_stream);
    return status;
}
That which does not kill me makes me stronger -- Friedrich Nietzsche
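The point made in #10 (stdin/stdout are ordinary descriptors that a child process inherits, so a socket can stand in for them) is the whole answer to the original question; the following is an added example in running code, not netcat's source nor anything from this thread. It assumes POSIX (socketpair, fork, dup2, execvp) and uses a harmless `tr` filter as the child over an AF_UNIX socketpair, so nothing listens on the network; on the Windows versions asked about, the same handoff is done by placing the handle in CreateProcess's STARTUPINFO with STARTF_USESTDHANDLES.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
/* Run argv[] as a child whose stdin/stdout/stderr ARE a socket (one end of an
 * AF_UNIX socketpair; nothing listens on the network). The parent writes
 * `input` into its end, half-closes it so the child sees EOF, and reads the
 * reply into `out` (NUL-terminated). Returns bytes read, or -1 on failure. */
int run_on_socket(char *const argv[], const char *input, char *out, size_t outsz)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: the socket descriptor is copied onto fds 0, 1 and 2, then
         * exec() inherits them. The program never learns it is on a socket;
         * it just reads fd 0 and writes fd 1 as it always does. */
        close(sv[0]);
        dup2(sv[1], STDIN_FILENO);
        dup2(sv[1], STDOUT_FILENO);
        dup2(sv[1], STDERR_FILENO);
        close(sv[1]);
        execvp(argv[0], argv);
        _exit(127);                 /* only reached if exec fails */
    }
    close(sv[1]);                   /* parent keeps the "network side" only */
    if (write(sv[0], input, strlen(input)) < 0)
        perror("write");
    shutdown(sv[0], SHUT_WR);       /* EOF on the child's stdin */
    size_t n = 0; ssize_t r;
    while (n + 1 < outsz && (r = read(sv[0], out + n, outsz - n - 1)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return (int)n;
}

int main(void)
{
    char *const tr_argv[] = { "tr", "a-z", "A-Z", NULL };   /* harmless filter */
    char reply[64];
    run_on_socket(tr_argv, "hello over a socket\n", reply, sizeof reply);
    printf("child replied: %s", reply);   /* prints HELLO OVER A SOCKET */
    return 0;
}
```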