Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Using buffer overflow to execute shell code

I've been learning computer security lately and come across a couple problems, and i'm having some trouble with this one in particular.

I'm given a function with a fixed buffer I need to overflow in order to execute shellcode in the file shellcode. The function is quite simple:

void vuln(char *str) {
    char buf[64];
    strcpy(buf, str);
    //function provided to display stack on command prompt
    dump_stack((void **) buf, 21, (void **) &str);
}

My initial guess was to modify the return address, the eip, of the function in order to locate and execute what is in the shellcode file, but i realized I have no address to the file I can represent in a hexadecimal value. I am pretty sure I need to manipulate the return address, so currently what i'm calling is:

//the string is passed as a command line arg
./buffer_overflow_shellcode $(python -c "print 'A'*72 + '\x41\xd6\xff\xff' ")

my output is:

Stack dump:
0xffffd600: 0xffffd7fd (first argument)
0xffffd5fc: 0x08048653 (saved eip)
0xffffd5f8: 0xffffd641 (saved ebp)
0xffffd5f4: 0x41414141
0xffffd5f0: 0x41414141
0xffffd5ec: 0x41414141
0xffffd5e8: 0x41414141
0xffffd5e4: 0x41414141
0xffffd5e0: 0x41414141
0xffffd5dc: 0x41414141
0xffffd5d8: 0x41414141
0xffffd5d4: 0x41414141
0xffffd5d0: 0x41414141
0xffffd5cc: 0x41414141
0xffffd5c8: 0x41414141
0xffffd5c4: 0x41414141
0xffffd5c0: 0x41414141
0xffffd5bc: 0x41414141
0xffffd5b8: 0x41414141
0xffffd5b4: 0x41414141
0xffffd5b0: 0x41414141 (beginning of buffer)
Segmentation fault

the python script simply prints 72 letter A's to overflow the buffer to the point of the edp and eip, after I replace the edp's address with the additional address and arrive at the return address, ready to manipulate it. Any help is really appreciated, thanks!

like image 564
Syntactic Fructose Avatar asked May 01 '13 19:05

Syntactic Fructose


People also ask

How shell code is executed?

An exploit will commonly inject a shellcode into the target process before or at the same time as it exploits a vulnerability to gain control over the program counter. The program counter is adjusted to point to the shellcode, after which it gets executed and performs its task.

What is a buffer overflow attack and how is it executed?

Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes the execution path of the program, triggering a response that damages files or exposes private information.

How do hackers use buffer overflow?

A buffer overflow attack can be: Stack-based. Your attacker sends data to a program, and that transmission is stored in a too-small stack buffer. Your hacker could choose a "push" function and store new items on the top of the stack.

What can you do with buffer overflow?

Access control (instruction processing): Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.


1 Answers

Well, I think maybe this is a like a Buffer Overflow Lab in Computer Systems: A Programmer's Perspective. First, use objdump to get the static address. Second, run it with gdb to find out the address of the stack. Then, fill the buffer with such a string that overwrites the return address to the buffer (so that you can put exploit code, alternatively, you could invoke other code in the program).

Check out this pdf which serves as a guide to this lab. It could provide you with some insights.

As is pointed out, lots of compile time flags are needed to achieve this. ( I would check out which and come back soon ). Alternatively, this post provides a guide on how to compile such an example.

like image 124
phoeagon Avatar answered Oct 10 '22 03:10

phoeagon