II Exploit General Explanation - kkli08/Buffer-Overflow GitHub Wiki
exploit2.c Breakdown
-
Shellcode Declaration:
- The
shellcodearray contains the bytes of the shellcode, which is meant to execute/bin/shwhen run.
- The
-
Stack Pointer Address Function
get_sp:get_sp()is an assembly function that retrieves the current value of the stack pointer (ESPregister on x86 architecture). This address is used to estimate where in memory the exploit should write the return address.
-
Main Function:
- The program takes optional command-line arguments to adjust the buffer size and the offset from the stack pointer.
-
Buffer Allocation and Address Calculation:
- A buffer of size
bsizeis allocated. The address to overwrite the return address is calculated as the current stack pointer minus theoffset.
- A buffer of size
-
Filling the Buffer:
- The buffer is filled with the calculated address. This is the address where the shellcode will be placed.
- After the addresses, the shellcode is copied into the buffer.
-
Environment Variable and System Call:
- The buffer is then set as an environment variable (
EGG). - A new bash shell is spawned using
system("/bin/bash").
- The buffer is then set as an environment variable (
Command Line Interaction and Adjustments
The command line interactions show the process of adjusting the buffer size and offset to find the right values that cause the buffer overflow to overwrite the return address correctly and execute the shellcode:
-
First Attempts (
500and600Buffer Sizes):- These attempts do not successfully exploit the vulnerability. They either cause illegal instructions or segmentation faults, indicating that the memory corruption is happening but not in a way that successfully executes the shellcode.
-
Further Attempts with Adjusted Offsets (
600 100,600 200, etc.):- These are attempts to fine-tune the offset. Each time, the program tries a different stack pointer offset to more accurately target the return address location.
-
Successful Exploit (
600 1564):- This attempt successfully overwrites the return address with the address where the shellcode resides (as determined by the calculated address). As a result, when
vulnerablereturns, it jumps to the shellcode, and a shell is spawned, indicated by the$prompt.
- This attempt successfully overwrites the return address with the address where the shellcode resides (as determined by the calculated address). As a result, when
Key Concepts
-
Buffer Overflow: The exploit relies on overflowing the buffer in the
vulnerable.cprogram to overwrite the return address on the stack. -
Return Address Overwrite: The goal is to overwrite the return address with the address of the shellcode so that when the
vulnerablefunction returns, it jumps to the shellcode instead. -
Trial and Error: Finding the right buffer size and offset often requires trial and error, as demonstrated in the command line interactions. The exact values can depend on various factors like system architecture, memory layout, and compiler behavior.
Print Stack Pointer
// sp.c
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
void main() {
printf("0x%x\n", get_sp());
}
==========================================================
[aleph1]$ ./sp
0x8000470
[aleph1]$
==========================================================