IV Exploit General Explanation - kkli08/Buffer-Overflow GitHub Wiki

The exploit4.c script modifies the approach to buffer overflow exploitation by using environment variables to store both the shellcode and the address that points to it. This method is particularly useful when the buffer being overflowed is too small to hold the shellcode itself. Let's break down the key parts of this script:

Key Changes in exploit4.c:

1. Two Separate Buffers: The script creates two buffers:

   • buff: This is used to store the address that points to the shellcode.
   • egg: This is used to store the actual shellcode and a NOP sled.

2. Storing Shellcode in egg:

   • The script allocates a large buffer (egg) to store the shellcode. This buffer is filled first with NOP instructions and then with the actual shellcode at the end.
   • The large size (eggsize) of this buffer increases the likelihood of successfully hitting the NOP sled or shellcode when the buffer overflow occurs.

3. Environment Variables:

   • egg is converted into an environment variable named EGG (by prepending "EGG=" to it) and is set using putenv(egg). This environment variable now contains the shellcode.
   • buff is converted into another environment variable named RET (by prepending "RET=" to it) and is set using putenv(buff). This variable contains repeated addresses pointing to somewhere in the EGG environment variable (ideally, within the NOP sled).

The Exploitation Process:

1. Setting Up the Environment: When exploit4 is executed, it sets up two environment variables:

   • EGG: Contains the NOP sled and shellcode.
   • RET: Contains a series of addresses that should point to the EGG variable.

2. Overflowing the Vulnerable Buffer:

   • The vulnerable program (vulnerable) is then executed with the RET environment variable as its argument: ./vulnerable $RET.
   • RET contains the addresses that are intended to overflow the buffer in the vulnerable program and overwrite the return address on the stack.

3. Triggering the Shellcode:

   • If the overflow is successful, the return address on the stack is replaced with one of the addresses from RET, which points to the EGG variable.
   • Because EGG contains a NOP sled leading to the shellcode, execution will slide down this sled and execute the shellcode, resulting in a shell being spawned.

Why Use Two Environment Variables (EGG and RET):

• EGG: Holds the actual exploit payload (NOP sled + shellcode). This variable needs to be large to increase the chances that the overwritten return address will land within the NOP sled.

• RET: Contains the addresses pointing to the EGG variable. These addresses are what will overwrite the return address on the stack in the vulnerable program.

Conclusion:

The use of environment variables in exploit4.c allows for a more flexible and potentially more reliable exploitation method, especially when dealing with small buffer sizes in the target program. By separating the shellcode (in EGG) and the addresses pointing to it (in RET), the exploit increases the chances that the buffer overflow will successfully execute the intended shellcode.