23

I am trying to exploit simple stack overflow vulnerability. I have a basic code in c:

#include <cstring>
int main( int argc, char** argv )
{
        char buffer[500];
        strcpy(buffer, argv[1]);
        return 0;
}

compiled using -fno-stack-protector. I've already figured out the buffer length and I've successfully overwritten the EBP and EIP registers. I injected a large number of NOPs, followed with this shell code and finally inserted an address where the injected NOPs are so the code is executed.

Now the problem. On the picture attached you can see the gdb output. If I run my program with malicious input it gets a SIGSEGV. Dumping the address 0xbffff880 you can see there is a lot of NOPs followed with the shell code (pink box) and finally with the address (blue box).

I've thought this would work as follows: At first the 0x90909090s and the shellcode are considered as simple data. After these (past the pink box) there is an address 0xbffff880. I am saying to the cpu "hey there, now please execute what's on 0xbffff880". The cpu takes what's on the address and executes all the NOPs and the shellcode itself. However that's not happening and SIGSEGV occures.

Where am I mistaken?

gdb output

I am trying to achieve this on Virtualbox instance of 32-bit Ubuntu 14.04 Linux 3.13.0-39-generic i686 with ASLR turned off.

RoraΖ
  • 12,317
  • 4
  • 51
  • 83
tsusanka
  • 447
  • 1
  • 3
  • 10
  • 2
    Are you on x64? x86? OS you're on? – RoraΖ Nov 10 '14 at 12:27
  • Thx for the note, see the bottom of the question. – tsusanka Nov 10 '14 at 12:30
  • 4
    I would guess that the memory at `0xbffff880` is not marked as executable. Try changing the permissions with [mprotect](http://www.informit.com/articles/article.aspx?p=23618&seqNum=10). – RoraΖ Nov 10 '14 at 12:46
  • Indeed! I was searching a bit around and found out that compiling using `-z execstack` should as well solve this. I recompiled my code with that flag and it really does work! Great, thanks a lot. I consider this as proof of concept, so I am satisfied with that solution :). Btw do i understand it right that if I liked to ommit the `-z execstack` I use the mprotect code and append it to my shell code? What about that `-fno-stack-protect..` are there ways to exploit buffer overflow even with stack protection on? – tsusanka Nov 10 '14 at 13:41

2 Answers2

25

Your memory address 0xbffff880 is most likely non-executable, but only read/write. There are a couple of ways you can overcome this.

  1. If that is a stack address you can use -z execstack while compiling. This will essentially make the entire stack memory executable.
  2. For a more robust solution you can write the shellcode to call mprotect on the address you are writing to.

For example, the following line will mark address 0xbffff880 as read/write/executable.

mprotect((void*) 0xbffff880, buffer_len, PROT_READ | PROT_WRITE | PROT_EXEC);

-fno-stack-protector does not mean that the stack will be executable. It only disables other security features such as canaries or stack cookies. If these values are overwritten (with a buffer overflow) when they are checked the program will fail. This would not enable the execution of your buffer.

gmelodie
  • 105
  • 5
RoraΖ
  • 12,317
  • 4
  • 51
  • 83
2

As RoraZ said, your stack is not executable. To expand on that, buffer overflow exploit like that will not work on a modern linux box unless the binary is compiled to allow such shenanigans. You will need to disable a number of security features; RELRO, STACK CANARY, NX, PIE.

There is a nice bash script called checksec.sh (http://www.trapkit.de/tools/checksec.html) that can help you check the binary, for example:

enter image description here

The way I compile a binary for x86 buffer overflow test:

gcc -m32 -g -mpreferred-stack-boundary=2 -no-pie -fno-stack-protector -Wl,-z,norelro -z execstack ./program.c
  1. -no-pie: disable PIE (position independent executable)
  2. -z execstack: to disable NX (making stack executable)
  3. -Wl,-z,norelro: disable RELRO (readonly relocations)
  4. -fno-stack-protector: remove stack protection (stack overflow security checks)

And for convenience:

-g: add debugging

-mpreferred-stack-bounary=2: align stack on 4-byte boundary

sf_admin
  • 121
  • 4