exploit bufferoverflow shellcode

Question

I have some homework about bufferoverflow.

int func1(char *str) { 
    char buffer[400];
    strcpy(buffer,str);
    printf("%s\n", buffer);
}

int main(int argc, char *argv[]) {
    func1(argv[1]);
}

This is my bufferoverflow.c and I also have shellcode.txt

\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68

The goal is using bufferoverflow to get root permission. But, I don't know exactly what to do.
I use 'gdb' and disas about main and func1 function.
However, Assembly code didn't give me many information.

Dump of assembler code for function main:

0x08048422 <+0>:    push   %ebp
0x08048423 <+1>:    mov    %esp,%ebp
0x08048425 <+3>:    and    $0xfffffff0,%esp
0x08048428 <+6>:    sub    $0x10,%esp
0x0804842b <+9>:    mov    0xc(%ebp),%eax
0x0804842e <+12>:   add    $0x4,%eax
0x08048431 <+15>:   mov    (%eax),%eax
0x08048433 <+17>:   mov    %eax,(%esp)
0x08048436 <+20>:   call   0x80483f4 <func1>
0x0804843b <+25>:   leave  
0x0804843c <+26>:   ret

Dump of assembler code for function func1:

0x080483f4 <+0>:    push   %ebp
0x080483f5 <+1>:    mov    %esp,%ebp
0x080483f7 <+3>:    sub    $0x1a8,%esp
0x080483fd <+9>:    mov    0x8(%ebp),%eax
0x08048400 <+12>:   mov    %eax,0x4(%esp)
0x08048404 <+16>:   lea    -0x198(%ebp),%eax
0x0804840a <+22>:   mov    %eax,(%esp)
0x0804840d <+25>:   call   0x8048314 <strcpy@plt>
0x08048412 <+30>:   lea    -0x198(%ebp),%eax
0x08048418 <+36>:   mov    %eax,(%esp)
0x0804841b <+39>:   call   0x8048324 <puts@plt>
0x08048420 <+44>:   leave  
0x08048421 <+45>:   ret    

Answer 1

If you want to mount a bufferoverflow attack. First,you must find some way to subvert the vulnerable program's control flow from its normal course, and Second, you must cause the program to act in the manner of your choosing.

In your case, the buffer of func1 is with capacity of 400 characters and it dosen't check the boundary of input. So, you can send more than 400 characters and overwrite the return address of func1 in the stack in your manner.

You can use traditional stack-smashing attacks to achieve the second purpose. That is injecting code into func1 and the modified return address on the stack points to this code. However, the stack-smashing attacks often defensed by DEP provided by most of the modern architecture and OS.

The most effective way is using ROP attacks. ROP attacks doesn't inject codes in the target program. It find some gadgets that already exsit in your system(e.g. libc),then chain those gadgets together to complete the attack (get root permission in your case). The ROP shellcode consist of these address of gadgets and some data. I don't check whether your shell code is ROP shellcode or not.

More details about ROP: [1] Return-Oriented Programming: Systems, Languages, and Applications [2] Return-oriented programming. http://en.wikipedia.org/wiki/Return-oriented_programming

Answer 2

1. Find out if ASLR, Stack cookie or executable stack is enabled.

If ASLR is off, stack cookie is off, and NX is on You can try to replace EIP with some address pointing to system call

If ASLR is on and NX is on You might have to leak the address or use ROP to get root shell.

Answer 3

Did you fill the Buffer and SFP?

Bof(Buffer overflow) attack must be overload buf, sfp and thereafter you input the shellcode address

Show the Stack Frame BUF | SFP | RET (return address)

bof purpose is control RET

so you can attack many ways

first, input shellcode in buf and find buf address using gdb and then fill the remaining buf, SFP finaly input buf address(shellcode) on the RET

second, use environment variable(shellcode) and get address script and then fill the buf, SFP finaly input environment variable address on the RET

you want to first attack can be successfully, you must off the ASLR, DEP

and second attack must off the ASLR too

enter the terminal

echo 0 > /proc/sys/kernel/randomize_va_space : ASLR OFF
-fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -m32 : gcc compile option no dummy buf and no DEP protect and compile to 32bit binary