LinuxQuestions.org
Old 02-28-2007, 09:30 PM   #1
lostinvietnam
LQ Newbie
 
Registered: Sep 2006
Posts: 12

Rep: Reputation: 0
writing a stack overflow exploit on Linux


Hi folks.

I have a dummy vulnerable listening network service that I wrote and a basic exploit that I'm running against it. It's vulnerable to a traditional stack overflow. I'm running the service in GDB and watching my registers as they are overwritten. In the exploit itself I have some inline assembly which prints out ESP and I use an offset (200 bytes) from ESP which is supposed to take me back into my buffer (NOPs). After I run the exploit memory looks like the following in GDB:

| NOP x 40 | SHELLCODE | NOP x 5 | RET x 10 |

When I do 'info reg' on ESP and EIP in GDB I get the following:

esp=0xbfffec30
eip=0xbfffe5d0 (this is the RET address x 10 that I mention above)

However here's the issue. My inline ASM in the exploit calculates and prints ESP to the screen but ESP according to my exploit is 0xbfffe698 not 0xbfffec30. Is this ESP really the stack pointer for the vulnerable service or is the stack pointer for a different stack? Not sure that makes sense. My understanding is that there can be multiple stacks for multiple functions.

Any idea how to get the correct value? The logic of the exploit is correct but I'm having trouble getting the correct location for ESP. Both the vulnerable service and the exploit are running on the same Linux 2.4 machine.

Thanks,
lostinvietnam.
 
Old 02-28-2007, 10:35 PM   #2
Winter Knight
Member
 
Registered: Nov 2005
Distribution: Debian Stable/Testing
Posts: 54

Rep: Reputation: 15
Is it possible that you committed a math error? Perhaps converting hex to dec? Is your code short enough to display here?

I'm not really that great at exploit code. I tried it a while ago, couldn't get the hang of it. But the code would probably be helpful to someone else.
 
Old 03-01-2007, 08:31 AM   #3
djgerbavore
Member
 
Registered: Jun 2004
Location: PA
Distribution: Fedora (latest git kernel)
Posts: 443

Rep: Reputation: 30
Please post the source of your exploit program.

If you have two different programs (i.e. two different processes) then you will have a different stack for each process. Even threads have different stacks. You need to set up the buffer, then you need to make a function call (RPC in your case) to the remote service, and pass your buffer as the parameter. I'm guessing you already know this, just want to make sure we are on the same page.

Thanks,

djgerbavor3
 
Old 03-01-2007, 09:45 AM   #4
lostinvietnam
LQ Newbie
 
Registered: Sep 2006
Posts: 12

Original Poster
Rep: Reputation: 0
exploit code

Following is the inline assembly code portion that prints ESP to stdout. Pretty standard stuff:

#include <stdio.h>

unsigned long sp(void) // return the stack pointer ESP (32-bit x86 only)
{
    unsigned long esp;
    // extended asm copies ESP into a C variable so the value is returned
    // explicitly rather than left behind in EAX
    asm("movl %%esp, %0" : "=r"(esp));
    return esp;
}

int main(int argc, char *argv[]) {
    char buffer[1064]; // the overflow buffer the exploit builds

    int s, i, size;
    unsigned long esp;

    esp = sp(); // put the current stack pointer into variable 'esp'

    printf("Stack pointer is at memory address: 0x%lx\n", esp);
    return 0;
}

Following is the gdb output after the exploit has been run. The exploit generates a segmentation fault, which it shouldn't, so I must have my memory addresses incorrect:

# gdb ./vulnerable
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) break main
Breakpoint 1 at 0x80487b4
(gdb) run 44444
Starting program: /exploits/classroom/RemoteExploits/vulnerable 44444

Breakpoint 1, 0x080487b4 in main ()
(gdb) step
Single stepping until exit from function main,
which has no line number information.

Program received signal SIGSEGV, Segmentation fault.
0xbfffe5d0 in ?? ()
(gdb) info reg eip
eip 0xbfffe5d0 0xbfffe5d0
(gdb) info reg esp
esp 0xbfffec30 0xbfffec30
(gdb)

The issue is that the ESP printed by the exploit is not the same as ESP in gdb. Different stack pointers for different stacks?

Question: what's the logic behind getting ESP for vulnerable.c?
 
Old 03-01-2007, 10:01 AM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
Quote:
the issue is that the ESP printed by the exploit is not the same as ESP in gdb.
That's normal, gdb puts info on the stack every time for doing its own job.
It's been a long time since I played with this but that is always the same, for every debugger on Linux/Windows.
 
Old 03-02-2007, 02:49 AM   #6
lostinvietnam
LQ Newbie
 
Registered: Sep 2006
Posts: 12

Original Poster
Rep: Reputation: 0
determine ESP

ok thanks but that doesn't really answer my question.

If anyone knows how to determine ESP of the service being exploited please let me know.
 
Old 03-02-2007, 03:54 AM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
I think we are at the limit of the LQ rules here. Even though I would have liked to talk about this, it's probably not a good place to ask. It's my opinion, I'm happily surprised this thread is not yet closed.
Quote:
Question: what's the logic behind getting ESP for vulnerable.c?
As it's a stack overflow, that means you will put the shellcode in the stack. The only information about any address in the stack is ESP.
Relative to the value of esp_that_you_get_at_some_point, you have to guess where your shellcode will be, which will be your ret addr. As it's blindly impossible to know this address accurately, you have to put a lot of nops as you did.

Did you read this? It's very academic but great.
http://insecure.org/stf/smashstack.html


Quote:
The problem we are faced when trying to overflow the buffer of another
program is trying to figure out at what address the buffer (and thus our
code) will be. The answer is that for every program the stack will
start at the same address. Most programs do not push more than a few hundred
or a few thousand bytes into the stack at any one time. Therefore by knowing
where the stack starts we can try to guess where the buffer we are trying to
overflow will be.

As we can see this is not an efficient process. Trying to guess the
offset even while knowing where the beginning of the stack lives is nearly
impossible. We would need at best a hundred tries, and at worst a couple of
thousand. The problem is we need to guess *exactly* where the address of our
code will start. If we are off by one byte more or less we will just get a
segmentation violation or a invalid instruction. One way to increase our
chances is to pad the front of our overflow buffer with NOP instructions.
Almost all processors have a NOP instruction that performs a null operation.
It is usually used to delay execution for purposes of timing. We will take
advantage of it and fill half of our overflow buffer with them. We will place
our shellcode at the center, and then follow it with the return addresses. If
we are lucky and the return address points anywhere in the string of NOPs,
they will just get executed until they reach our code.
 
Old 03-05-2007, 08:07 PM   #8
lostinvietnam
LQ Newbie
 
Registered: Sep 2006
Posts: 12

Original Poster
Rep: Reputation: 0
Smashing the Stack

Thanks for that. I have read the Smash the Stack Phrack article previously but I guess it's time for another "look-see".
 
Old 03-06-2007, 07:01 AM   #9
djgerbavore
Member
 
Registered: Jun 2004
Location: PA
Distribution: Fedora (latest git kernel)
Posts: 443

Rep: Reputation: 30
You need to read "Hacking: The Art of Exploitation". Good read about stack overflows.

http://www.amazon.com/Hacking-Art-Ex...3186008&sr=8-2

djgerbavor3
 
Old 03-06-2007, 09:29 AM   #10
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
http://www.metasploit.com/

Version 3 has lots of new things.
 
Old 03-06-2007, 09:46 PM   #11
lostinvietnam
LQ Newbie
 
Registered: Sep 2006
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks. The Art of Exploitation is an awesome book. I'm ploughing my way through it right now. Another good book is "Gray Hat Hacking - The Ethical Hacker's Handbook" and in particular the latter chapters on Linux/Windows Exploits, Shellcode and Reverse Engineering.

http://www.amazon.com/Gray-Hat-Hacki.../dp/0072257091
 
Old 03-07-2007, 09:46 PM   #12
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,256

Rep: Reputation: 1076
Given that poorly-written code will always be with us, the most basic defense that has been implemented on most Linux systems by now is one that randomly arranges the segments of the program each time it is loaded.

Secondly, the strongest defense of all is probably that of restricting the privileges of the programs... so that they do not run as "root" and/or have unlimited access to anything. This, of course, is the Achilles heel of Windows systems, which (for no good reason whatever except laziness) have historically run everything from all-powerful accounts.

When the program that you're attacking does not have high power, there is no way to seize high power by exploiting it.
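As an added illustration of the defensive side discussed in this last post (this is not code from the thread, the OP's service or the exploit), here is the unchecked copy pattern behind the stack overflow in this thread next to a bounded handler that rejects oversized input, plus a check of the Linux sysctl that controls the stack randomization mentioned above. The handler names, the 512-byte buffer and the probe helper are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define REQ_BUF 512  /* constructed size; the thread never gives the real one */

/* Vulnerable pattern: unbounded copy into a fixed stack buffer, so a request
 * of REQ_BUF bytes or more overwrites the saved return address above it. */
int handle_request_unsafe(const char *req)
{
    char buf[REQ_BUF];
    strcpy(buf, req);           /* no bound: this is the overflow */
    return (int)strlen(buf);
}

/* Hardened form: measure first, reject what will not fit, copy with a bound. */
int handle_request_safe(const char *req)
{
    char buf[REQ_BUF];
    size_t len = strlen(req);
    if (len >= sizeof buf)      /* keep room for the terminating NUL */
        return -1;              /* reject instead of overflowing */
    memcpy(buf, req, len + 1);
    return (int)len;
}

/* Feed a constructed request of n 'A' bytes to the bounded handler. */
int probe_safe(size_t n)
{
    char req[4096];
    if (n >= sizeof req) return -2;
    memset(req, 'A', n);
    req[n] = '\0';
    return handle_request_safe(req);
}

/* Mitigation check: randomize_va_space is 0 (off), 1 (stack and mmap random),
 * 2 (brk too); -1 if unreadable. At 1 or 2 a fixed guess like 0xbfffe5d0 fails. */
int aslr_level(void)
{
    int level = -1;
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f && fscanf(f, "%d", &level) != 1) level = -1;
    if (f) fclose(f);
    return level;
}
int main(void)
{
    printf("511 bytes: %d, 512 bytes: %d\n", probe_safe(511), probe_safe(512));
    printf("ASLR level on this host: %d\n", aslr_level());
    return 0;
}
```

The unsafe handler is shown only for contrast; nothing here calls it with oversized input.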
 