-
February 12th, 2004, 06:39 PM
#11
Member
interesting:
so, would this pseudo code work...
Code:
SOCKET s;
char *buffer = new char[32768];
system("cmd.exe");
while(1)
{
ret = recv(s,buffer,strlen(buffer));
write(handle_to_cmd,buffer,strlen(buffer));
}
how would you take stdout and reroute to socket? Would you just:
Code:
read(handle_to_command,buffer,strlen(buffer));
send(s,buffer,strlen(buffer));
S3cur|ty4ng31:
in your code, what type of var is command, how is it defined and assigned? Thanks for the code.
Thanks
-
February 12th, 2004, 06:43 PM
#12
To answer your question it is done through calls to the operating system (usually through BSD style sockets known as the Berkeley Sockets Interface) by creating a socket() and then using bind() to bind a name to the socket which can then be used as an endpoint for communication which the shell uses for input and output.
I recommend reading the following *nix man entries or finding the winsock equivalent (for Windows socket programming):
connect(2), listen(2), socket(2), getsockname(2), accept(2), bind(2), connect(2), getprotoent(3), getsockname(2), getsockopt(2), ioctl(2), listen(2), read(2), recv(2), select(2), send(2),
shutdown(2), socketpair(2), write(2)
-Maestr0
Edit: I see your question has already been answered, I was a bit late.
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
-
February 12th, 2004, 06:52 PM
#13
command is a char array that has the full path of the binary you wish to run.
this is *nix code though and you keep talking about cmd.exe so does this mean you're trying to create a program on windoze?
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
February 12th, 2004, 07:47 PM
#14
Member
yes,
sad, isn't it...
Maestr0: Ya, I'm quite familiar with winsock programming, however, how would you pass the shell to the bind function? and then I'm assuming that you would have two sockets, one to the shell and one to the target.
ie.
Code:
SOCKET listeningSocket;
SOCKET shell;
SOCKET target;
char cmd[] = "C:\\WINNT\SYSTEM32\\cmd.exe";
char *command = new char[32768];
target = accept(listeningSocket,10);
popen(cmd,"rw");
ret = bind(shell,<????>,sizeof(socketaddr_in));
while(ret != 0 || ret != SOCKET_ERROR)
{
ret = recv(target,command,strlen(command));
send(shell,command,strlen(command));
recv(shell,command,strlen(command));
send(target,command,strlen(command));
}
pclose(cmd); //i know this is wrong, i'm not used to this function
closesocket(target);
closesocket(shell);
closesocket(listeningSocket);
something like that?
EDIT:
added close statements
also, yes this is for windows (preferably XP Home/Pro, but win 2k is fine)
-
February 12th, 2004, 11:09 PM
#15
those commands I gave you are for a *nix system.
Ok, let's start at the beginning again.
Basically you want a program that listens on a port and executes the commands that are passed to it? Is that correct?
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
February 12th, 2004, 11:49 PM
#16
Member
-
February 13th, 2004, 01:30 AM
#17
here is the code you'll need for windows then ..
it takes a command and a char array pointer for the data returned, it currently only gets 1024 chars back but you can change that to whatever you want
Code:
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <conio.h>

/* IsWinNT() and ErrorMessage() are helpers defined elsewhere in this program (not shown). */
BOOL IsWinNT(void);
void ErrorMessage(const char *where);

/* Runs pszCmd with stdout/stderr redirected into a pipe and appends whatever the
   child writes to temp_data. temp_data must be large enough for all of the output:
   the function has no size parameter and appends with strcat(). */
DWORD ExecuteAndWaitForCompletion ( LPCTSTR pszCmd, char *temp_data)
{
    BOOL bRes;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    SECURITY_ATTRIBUTES sa = { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
    SECURITY_DESCRIPTOR sd;
    HANDLE newstdout,read_stdout; //pipe handles
    char buf[1024];
    unsigned long exit_code=0; //process exit code (renamed from "exit", which shadowed the CRT function)
    unsigned long bread; //bytes read
    unsigned long avail; //bytes waiting in the pipe
    unsigned long want;
    time_t start_time;
    temp_data[0] = '\0';
    ZeroMemory ( &si, sizeof ( STARTUPINFO));
    si.cb = sizeof ( STARTUPINFO);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    if (IsWinNT()) //initialize security descriptor (Windows NT)
    {
        InitializeSecurityDescriptor(&sd,SECURITY_DESCRIPTOR_REVISION);
        SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
        sa.lpSecurityDescriptor = &sd;
    }
    else sa.lpSecurityDescriptor = NULL;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = TRUE; //allow inheritable handles
    if (!CreatePipe(&read_stdout,&newstdout,&sa,0)) //create stdout pipe
    {
        ErrorMessage("CreatePipe");
        getch();
        return (DWORD)-1;
    }
    GetStartupInfo(&si); //set startupinfo for the spawned process
    si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    si.hStdOutput = newstdout;
    si.hStdError = newstdout; //set the new handles for the child process
    bRes = CreateProcess ( NULL,(char*)pszCmd,NULL,NULL,TRUE,
                           NORMAL_PRIORITY_CLASS, NULL/*GetEnvironmentStrings()*/,
                           NULL, &si,&pi);
    if(!bRes)
    {
        //GetLastError() returns a DWORD, so %s was wrong here
        _snprintf(temp_data,128,"Process Failed : %lu",(unsigned long)GetLastError());
        CloseHandle(newstdout);
        CloseHandle(read_stdout);
        return (DWORD)-1;
    }
    Sleep(3000);
    memset(buf,0,sizeof(buf)); //bzero() does not exist on Windows and was called with one argument
    start_time = time(NULL);
    for(;;) //main program loop
    {
        if((time(NULL) - start_time )> 45)
        {
            strcpy(temp_data,"NO MEMORY\nPlugin failed to finish in allotted amount of time\n");
            TerminateProcess(pi.hProcess,(UINT)-1); //was TerminateProcess(bRes,-1): bRes is a BOOL, not a handle
            break;
        }
        //check to see if there is any data to read from stdout
        PeekNamedPipe(read_stdout,NULL,0,NULL,&avail,NULL);
        //read only what is already in the pipe, so ReadFile never blocks;
        //the old loop tested bread before it had ever been set
        while (avail != 0)
        {
            want = avail > 1023 ? 1023 : avail;
            if (!ReadFile(read_stdout,buf,want,&bread,NULL) || bread == 0) break;
            buf[bread] = '\0';
            strcat(temp_data,buf);
            avail -= bread;
        }
        GetExitCodeProcess(pi.hProcess,&exit_code); //while the process is running
        if (exit_code != STILL_ACTIVE)
        {
            //drain anything written between the last peek and process exit
            PeekNamedPipe(read_stdout,NULL,0,NULL,&avail,NULL);
            while (avail != 0)
            {
                want = avail > 1023 ? 1023 : avail;
                if (!ReadFile(read_stdout,buf,want,&bread,NULL) || bread == 0) break;
                buf[bread] = '\0';
                strcat(temp_data,buf);
                avail -= bread;
            }
            break;
        }
        Sleep(500);
    }
    //cleanup
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    CloseHandle(newstdout);
    CloseHandle(read_stdout);
    return ( exit_code);
}
That which does not kill me makes me stronger -- Friedrich Nietzsche
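The same contract as ExecuteAndWaitForCompletion above (run a command, collect stdout and stderr, give up after a timeout), written portably in Python as an added example that is not part of the thread: unlike the C routine it caps the captured output instead of appending without limit, and it keeps draining the pipe so a chatty child cannot block on a full pipe buffer. Function and parameter names are my own.

```python
import subprocess
import sys
import threading

PYTHON = sys.executable  # interpreter used for the self-check commands below


def _drain(stream, sink, max_bytes):
    # Reader thread: keep draining the pipe so the child never blocks on a
    # full pipe buffer, but only keep the first max_bytes of what it writes.
    kept = 0
    while True:
        chunk = stream.read1(1023)  # same chunk size as the C routine
        if not chunk:
            break
        if kept < max_bytes:
            sink.append(chunk[: max_bytes - kept])
            kept += len(sink[-1])


def execute_and_wait(argv, max_bytes=1024, timeout_s=45.0):
    """Run argv and return (exit_code, output_bytes, timed_out).

    Output is stdout and stderr merged and truncated to max_bytes. A child
    that runs past timeout_s is killed, and exit_code is then None.
    """
    proc = subprocess.Popen(
        argv,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,  # merge stderr into stdout, like hStdError = newstdout
        stdin=subprocess.DEVNULL,  # the child gets no interactive stdin
    )
    sink = []
    reader = threading.Thread(target=_drain, args=(proc.stdout, sink, max_bytes))
    reader.start()
    timed_out = False
    try:
        proc.wait(timeout=timeout_s)
    except subprocess.TimeoutExpired:
        timed_out = True
        proc.kill()  # the 45-second TerminateProcess path of the C code
        proc.wait()
    reader.join()  # pipe reaches EOF once the child is gone
    proc.stdout.close()
    return (None if timed_out else proc.returncode, b"".join(sink), timed_out)
```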
-
February 13th, 2004, 07:20 PM
#18
Member
-
February 14th, 2004, 12:29 AM
#19
I'd like to get a copy of your program if possible. I spent a lot of time fixing that windows execution code and it would be nice to see it used in other programs.
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
February 14th, 2004, 12:35 AM
#20
Member
thanks,
yes, that's what I wanted to do, interprocess communication. I'll look more into applications of pipes.
Thanks for the src =)