Reputation: 81
modify the return address to shellcode
i have tow C program. one is shellcode and the other vulnerable program.
i want to change the return address with out buffering the vulnerable program.
like for example:-
__asm__("movl $shellcode, 4(%ebp)");
but this method doesn't work for me, i have tried running the vulnerable program in linux with gdb and redirect shellcode to it (gdb) run vuln < shellcode but eip or ebp never change.
can someone look at my shellcode program and see where's the error is.
shellcode program
#include <stdio.h>
#include <stdlib.h>
void shellcode() {
__asm__(".byte 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90"); /* you may put your shellcode here */
printf("hey guyz!\n");
exit(0);
}
void bang(int val) {
__asm__("movl $shellcode, 4(%ebp)");
}
int main() {
bang(0);
}
vulnerable program
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int bof(char *string) {
char buffer[1024];
strcpy(buffer, string);
return 1;
}
int main(int argc, char *argv[]) {
bof(argv[1]);
printf("Done..\n");
return 1;
}
Upvotes: 2
Views: 3211
Answers (1)
Reputation: 927
What you are trying to achieve is called a Stack buffer overflow.
Basically, You write into your stack more bytes than you should and overwrite the return address.
When you enter a function the stack looks something like this (simplified):
+----------------+
| Buffer[0] |
| Buffer[1] |
| . |
| . |
| . |
| Buffer[1023] |
| Return Address |
+----------------+
So, you have to write al least 1025 bytes to reach the return address. Once you do that and the function returns, it will try to return to whatever value you've put there.
Here's an example:
say that we have a file named "exploit.txt" filled with 32 A's: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
and the vulnerable program looks like this:
#include <stdio.h>
#include <stdlib.h>
void func(FILE *f)
{
long size;
char c[12]; // You should only write 12 bytes here
fseek(f, 0, SEEK_END);
size = ftell(f);
rewind(f);
fread(c, 1, size, f); // no bounds checking
}
int main(int argc, char **argv)
{
FILE *f = NULL;
if(f = open("exploit.txt", "r"))
{
func(f);
fclose(f);
}
printf("done.\n");
return 0;
}
When your run the program, you'll crash at address 0x41414141 since reading the file caused an overflow and the return address was overwritten.
In this type of exploit your shellcode will have a specific return address at the beginning,
pointing to a place in the vulnerable executable which than jumps back to your shellcode on the stack (jmp esp).
Note however, that most likely, this won't work with modern compilers since they add security checks to prevent exactly that, So if You want to try it you'll have to disable those options in your compiler.
You might also want to read more about Buffer Overflow
Hope that helps!
Upvotes: 1
Related Questions
- Assembly Return Address Replace
- Using buffer overflow to execute shell code
- Construct a shellcode without messing with assembly
- buffer overflow exploit change function call
- Write buffer overflow exploit -- how to figure out the address of the shellcode?
- buffer overflow exploits - Why is the shellcode put before the return address
- Modifying a byte in memory using shellcode
- How to replace the return address on the stack using a buffer overflow attack
- Modify return address on stack
- C Code how to change return address in the code?