iExploit

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Top Posters

Who's Online (0)

Powered by Vanilla. Made with Bootstrap.
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
Smashing the Stack
  • chroniccommand
    Posts: 1,389
    [-------------------------------------------------------------------------------------------]
    Paper name: Smashing The Stack
    By: Chroniccommand
    For: CodeShock
    Credits: Chroniccommand, the internet
    [-------------------------------------------------------------------------------------------]

      _____ _______ _____ 
     / ____|__   __/ ____|
    | (___    | | | (___  
     \___ \   | |  \___ \ 
     ____) |  | |  ____) |
    |_____/   |_| |_____/


    Table of Contents
    1....Intro // What is "Smashing the Stack?"
    2....Buffer OverFlows (BoF's)
    3....Shell Code
    4....Links
    ---------------------]
    Intro
    Smashing The Stack is pretty popular now-a-days. It is used to corrupt a programs "execution stack" and let you do something that was no intended in the first place by the original programmer. Let me recite something from a good paper(Link at bottom).


    `smash the stack` [C programming] n. On many C implementations
    it is possible to corrupt the execution stack by writing past
    the end of an array declared auto in a routine. Code that does
    this is said to smash the stack, and can cause return from the
    routine to jump to a random address. This can produce some of
    the most insidious data-dependent bugs known to mankind.
    Variants include trash the stack, scribble the stack, mangle
    the stack; the term mung the stack is not used, as this is
    never done intentionally.


    In this paper I will go over Smashing The Stack.
    [//-----------------------------EOF--------------------------------\\]
    Buffer OverFlow (BoF's)
    Let me begin with a vulnerable C program. Take a look at this.

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv) {

    /* if theres no argument, exit */

        if(!argv[1]) {
            return 0;
        }

     /* copy the first argument into a 256 byte buffer */

        char buffer[256];
        strcpy(buffer, argv[1]);
        return 0;
    }

    ^Not mine :P. This program is vulnerable because it copies the string using "strcpy".
    See the part of the code that has 
    char buffer[256];
    ? That is stating we have a 256 byte buffer here. But compilers usually add "padding" so we wont be able to overflow it with just 257. Now I am assuming you are on Linux and have perl installed on your system. I have the compiled vulnerable.c and vulnerable program on my desktop. Lets try this code.

    ./vulnerable `perl -e 'print \"A\"x300'`

    That should overflow that program with 300 "A"s. The hex should be 0x41414141. If you disassemble the program after you overflow it you should notice that the EIP is like this:
    eip 0x41414141 0x41414141
    EIP is an important thing to look at. EIP stands for Extended Instruction Pointer. EIP contains the address info that points to the next instruction. Overwriting the EIP with our own address should allow us to control the programs flow.
    [//-----------------------------EOF--------------------------------\\]
    Shell code
    This will be a quick introduction to shell code. Shell code looks like this:
    \x31\xc9\x83\xe9\xee\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5e

    Shellcode is used to execute our own code in the program and contains a set of CPU instructions that will be preformed among execution of said shell code.
    [//-----------------------------EOF--------------------------------\\]
    Links
    Here are some links to more BoF // Smash The Stack tutorials and papers for you to learn from.
    http://smashthestack.org/l3thal/bof.txt
    http://www.milw0rm.com/papers/73
    http://insecure.org/stf/smashstack.html
    http://mixter.void.ru/exploit.html
    http://www.infsec.ethz.ch/people/schapa ... torial.pdf
    [//-----------------------------EOF--------------------------------\\]

    More to come (Probobly). This was just some information of BoF // Smash The Stack. Enjoi.
  • Xin
    Posts: 3,251
    Great tutorial! This is what im really into atm, i recommend to people learning this to try out some of the smashthestack wargames. THere pretty good!
    Xin
  • x3n0n
    Posts: 110
    Very nice paper man! Thx !
    Btw, I tried the smashthestack wargames :D But I only got to level 8 or something :(
    So I hope this paper has helped enough go get me through the next level :D
  • chroniccommand
    Posts: 1,389
    said:


    Very nice paper man! Thx !
    Btw, I tried the smashthestack wargames :D But I only got to level 8 or something :(
    So I hope this paper has helped enough go get me through the next level :D



    What type did you play? Blowfish? IO? which one? lol.
  • x3n0n
    Posts: 110
    I think it was Blowfish ;)
    Dunno anymore :P But will try it again ;)
  • chroniccommand
    Posts: 1,389
    said:


    I think it was Blowfish ;)
    Dunno anymore :P But will try it again ;)



    You made it to level 8? 0.o. I made it to level 7 lol. Well actually that's because I just stopped playing. I should start playing it again lol. Level 7 is damn hard though.
  • x3n0n
    Posts: 110
    Maybe I'll write a tutorial on how to get past level 7 some day :p
    But now I gotta study for my exams :)
  • chroniccommand
    Posts: 1,389
    said:


    Maybe I'll write a tutorial on how to get past level 7 some day :p
    But now I gotta study for my exams :)


    Lol. If you made it to level 7, whats the level7.c code huh? :P
  • Xin
    Posts: 3,251
    Wow x3n0n thats amazing if you did get to level 7
    Xin
  • yahiashowgan
    Posts: 22
    Great Paper.!
    Thanks Very much :)
  • Bursihido
    Posts: 406
    very nice paper thanks
  • x3n0n
    Posts: 110
    said:


    said:


    Maybe I'll write a tutorial on how to get past level 7 some day :p
    But now I gotta study for my exams :)


    Lol. If you made it to level 7, whats the level7.c code huh? :P



    level7@blowfish:~$ cat /levels/level7.c
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[]) {

      int i;
      char  buffer[32];
    //char  *key1 = \"/\";
      char  *p1, *p2, *p3, *p4, *p5;
      char  key2[2], key3[2], key4[2], key5[2];

    //  if(argc != 2)
    //    return -1;

      for(i = 1; i < argc; i++) {
            memset(argv[i], 0, strlen(argv[i]));
      }
      sprintf(key2, \"%c\", 0x90); // nop
      sprintf(key3, \"%c\", 0xeb); // jmp
      sprintf(key4, \"%c\", 0xcd); // int
      sprintf(key5, \"%c\", 0xff); // still easy

    //p1 = strstr(argv[0], key1);
      p2 = strstr(argv[0], key2);
      p3 = strstr(argv[0], key3);
      p4 = strstr(argv[0], key4);
      p5 = strstr(argv[0], key5);

      if (p2 != NULL || p3 != NULL || p4 != NULL || p5 != NULL) {
        printf(\"Access denied.\n\");
        return -1;
      }
      else {
        printf(\"Access granted.\n\");
      }

      strcpy(buffer, argv[0]);

      return 0;
    }
    Here you go :p
Add a Comment