Simple buffer overflow and shellcode example

I am trying to run the Aleph One example to get a BOF and open a shell.

This is the Aleph One document: http://insecure.org/stf/smashstack.html

And this is the simple C program (located about halfway through the paper):

    char shellcode[] =
        "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
        "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
        "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
        "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

    void main() {
        int *ret;

        ret = (int *)&ret + 2;    /* point at main's saved return address (32-bit x86 frame layout) */
        (*ret) = (int)shellcode;  /* overwrite it so main "returns" into the shellcode array */
    }

Now I tried to run this program in a bash shell over SSH, but without success.

Since nothing happened after starting, I assume that I just did not write the return address, so I used GDB to see the offset between the ret variable and the real return address, and realized that it was 7.

To test myself, I tried increasing ret to 3, 4, 5, 6, and indeed, only when I changed line 10 to:

    ret = (int *)&ret + 7;

I got a segmentation fault.

However, I do not understand why bash does not open and why I get this error.

PS: I worked on this on the smashthestack logic SSH servers (one of their tasks is a BOF): http://logic.smashthestack.org:88/

Thanks for the help.

+8
c security shellcode buffer-overflow
2 answers

From http://blog.markloiseau.com/2012/06/64-bit-linux-shellcode/ :

This stub is an updated version of the classic hexadecimal shellcode test stub, with one key difference: in the new stub, the shellcode is #defined at compile time, so you can put it directly into the main procedure using gcc's preprocessor.

This is necessary because, over time, Linux and GCC have become stricter about which sections of the executable may contain executable code (as opposed to non-executable variables). The traditional version of the program will not work on newer versions of Linux:

The classic shellcode test will segfault on newer systems because the shellcode[] character array is stored explicitly in the non-executable .rodata section of the ELF file. When the computer treats the array as a function and tries to run it, the program crashes.

Also note these changes when writing shellcode:

    // old way
    char shellcode[] = "shellcode...";

    // new way
    #define SHELLCODE "shellcode..."
+5
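The point above, that the array holding the bytes sits in a mapping without execute permission, can be checked from inside the process without running any shellcode at all. The following program is an added example (not from the answer or from the blog it quotes); it assumes Linux, where /proc/self/maps lists each mapping's permissions, and the names probe_bytes, code_probe and perms_of are invented here. It looks up the mapping that contains a global char array and the mapping that contains an ordinary function and prints their permission strings, which is the check a defender runs to confirm NX is actually in force for a binary.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed probe data: a single x86 `ret` byte. It is never executed; it only
   needs to live in the same ELF section a `char shellcode[]` array would occupy. */
char probe_bytes[] = "\xc3";

/* Ordinary function; its address lies in the executable text mapping. */
static int code_probe(void) { return 42; }

/* Find the /proc/self/maps entry containing `addr` (Linux only, assumed here)
   and copy its permission field (e.g. "rw-p") into `perms`.
   Returns 1 when a mapping was found, 0 otherwise. */
int perms_of(const void *addr, char perms[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    uintptr_t target = (uintptr_t)addr;
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        /* each line starts with "lo-hi perms ..." */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3) continue;
        if (target >= lo && target < hi) {
            memcpy(perms, p, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Predicates over the permission string: index 1 is 'w', index 2 is 'x'. */
int is_writable(const void *addr) {
    char p[5];
    return perms_of(addr, p) && p[1] == 'w';
}

int is_executable(const void *addr) {
    char p[5];
    return perms_of(addr, p) && p[2] == 'x';
}

int main(void) {
    char p[5];
    if (perms_of(probe_bytes, p))
        printf("probe_bytes (data array) lives in a %s mapping\n", p);
    if (perms_of((const void *)code_probe, p))
        printf("code_probe  (function)   lives in a %s mapping\n", p);
    return 0;
}
```

On a current Linux toolchain with default flags the array reports a mapping without the x bit while the function reports one with it, which is exactly why jumping into the array faults before a single byte of it runs.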

The problem is the shellcode. The shellcode is a const string, so you cannot change it. If you look at the disassembly of the shellcode, you will see that the code is trying to modify the string.

You can try to allocate memory and copy the shellcode there. It may still not work, depending on the OS, since you may have to change security settings to allow code to run in the allocated memory block.

The reason for the self-modification is that it needs a 0 byte at the end to execute the shell, but that cannot be contained in the string, so the code must patch it in before it can execute the shell. This is the reason for the SIGSEGV.

Your problem is almost identical to this one: Build code continues to show segment error

The shellcode is basically the same. Not exactly, but it works on the same principle.

Update

To explain this a little better: the exploit will work if the BSS segment is writable. Declaring such a string makes it, according to the C standard, const. Writing to a static string is undefined behavior, so it may or may not work.

+1