current community

your communities

more stack exchange communities

Stack Exchange
tour help
stack overflow careers
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite

I have some homework about bufferoverflow.

int func1(char *str) { 
    char buffer[400];
    strcpy(buffer,str);
    printf("%s\n", buffer);
}

int main(int argc, char *argv[]) {
    func1(argv[1]);
}

This is my bufferoverflow.c and I also have shellcode.txt 

\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68

The goal is using bufferoverflow to get root permission. But, I don't know exactly what to do.
I use 'gdb' and disas about main and func1 function.
However, Assembly code didn't give me many information.

Dump of assembler code for function main:

0x08048422 <+0>:    push   %ebp
0x08048423 <+1>:    mov    %esp,%ebp
0x08048425 <+3>:    and    $0xfffffff0,%esp
0x08048428 <+6>:    sub    $0x10,%esp
0x0804842b <+9>:    mov    0xc(%ebp),%eax
0x0804842e <+12>:   add    $0x4,%eax
0x08048431 <+15>:   mov    (%eax),%eax
0x08048433 <+17>:   mov    %eax,(%esp)
0x08048436 <+20>:   call   0x80483f4 <func1>
0x0804843b <+25>:   leave  
0x0804843c <+26>:   ret

Dump of assembler code for function func1:

0x080483f4 <+0>:    push   %ebp
0x080483f5 <+1>:    mov    %esp,%ebp
0x080483f7 <+3>:    sub    $0x1a8,%esp
0x080483fd <+9>:    mov    0x8(%ebp),%eax
0x08048400 <+12>:   mov    %eax,0x4(%esp)
0x08048404 <+16>:   lea    -0x198(%ebp),%eax
0x0804840a <+22>:   mov    %eax,(%esp)
0x0804840d <+25>:   call   0x8048314 <strcpy@plt>
0x08048412 <+30>:   lea    -0x198(%ebp),%eax
0x08048418 <+36>:   mov    %eax,(%esp)
0x0804841b <+39>:   call   0x8048324 <puts@plt>
0x08048420 <+44>:   leave  
0x08048421 <+45>:   ret
share|improve this question

1 Answer 1

up vote 0 down vote

If you want to mount a bufferoverflow attack. First,you must find some way to subvert the vulnerable program's control flow from its normal course, and Second, you must cause the program to act in the manner of your choosing.

In your case, the buffer of func1 is with capacity of 400 characters and it dosen't check the boundary of input. So, you can send more than 400 characters and overwrite the return address of func1 in the stack in your manner.

You can use traditional stack-smashing attacks to achieve the second purpose. That is injecting code into func1 and the modified return address on the stack points to this code. However, the stack-smashing attacks often defensed by DEP provided by most of the modern architecture and OS.

The most effective way is using ROP attacks. ROP attacks doesn't inject codes in the target program. It find some gadgets that already exsit in your system(e.g. libc),then chain those gadgets together to complete the attack (get root permission in your case). The ROP shellcode consist of these address of gadgets and some data. I don't check whether your shell code is ROP shellcode or not.

More details about ROP: [1] Return-Oriented Programming: Systems, Languages, and Applications [2] Return-oriented programming. http://en.wikipedia.org/wiki/Return-oriented_programming

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.