Stack smack – introducing buffer overflows

Earlier in the chapter, we learned about the magical world of the stack. The stack is very orderly and its core design assumes all players are following its rules – for example, that anything copying data to the buffer has been checked to make sure it will actually fit.

Although you can use your latest Kali Linux to set this up and study the stack and registers, stack execution countermeasures are built into the latest releases of Kali. We recommend using a different flavor of Linux (or an older version of Kali or BackTrack) to see the exploit in action. Regardless, we'll be attacking Windows boxes in Chapter 10, Windows Shellcoding.

Before we start, we need to disable the stack protections built into Linux. Part of what makes stack overflows possible is being able to predict and manipulate memory addresses. However, Address Space Layout Randomization (ASLR) makes this harder, as it's tough to predict something that's being randomized. We'll discuss bypass methods later, but for the purposes of our demonstration, we're going to temporarily disable it with the following command:

# echo 0 > /proc/sys/kernel/randomize_va_space

Now, let's use our trusty nano to type up a quick (and vulnerable) C program, as follows:

# nano demo.c

As we type this out, let's take a look at our vulnerable code, as follows:

#include <string.h>
#include <stdio.h>
void main(int argc, char *argv[]) {
 char buffer[300];
 strcpy(buffer, argv[1]);
 printf("

I'm sorry, my responses are limited. You must ask the right questions.

");
}

The program starts with the preprocessing directive, #include, which tells the program to include the defined header file; for example, stdio.h is the header file that defines variable types for standard input and output. The program sets up the main function, which returns nothing (hence void); the buffer variable is declared and set at 300 bytes in size; the strcpy (string copy) command copies the argument passed to the program into the 300 byte buffer; a message from a classic movie on robotics is displayed; and the function ends.

Now, we'll compile our program. Note that we're also disabling stack protections during compilation in the following example:

# gcc -g -fno-stack-protector -z execstack -o demo demo.c
# ./demo test

We can now see that the demo program took test as input and copied it to the buffer. The printf function then displays our message. The input is small, so we shouldn't expect any issues; it fits in the buffer with room to spare. Let's take a look at what happens if we hold down the z key before submitting the input:

Ah ha! There's a segmentation fault. The program has been broken by us putting in too much data. The program is simple and quite literally does nothing, but still has a main function regardless. At some point, this function is called where a buffer is set aside for it. Once everything is popped back off the stack, we'll be left with a return pointer. If this points to somewhere invalid, the program crashes.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.143.228.40