Buffer Overflow Primer Part 3 (Executing Shellcode)
Posted By: SecurityTube_Bot
Posted On: Mon 21 Feb 2011
Views: 22370
Support SecurityTube:
               




Description: Welcome to Part 3 of the Buffer Overflow Primer. If you have not already done so, please start this series by viewing Part 1. The Buffer Overflow Primer requires that you know at least some basic Assembly Language. I have created a series of Assembly Language video tutorials for Hackers here, for those not familiar with the language. <br><br>In the last video we saw how to create shellcode from assembly language code, this video will concentrate on how to execute the shellcode from within a C program to check that it is working properly. In order to do this, we will use the exit() shellcode which we created in the last video. We then use ShellCode.c to launch the shellcode. During this demo we will discuss how the main() function is actually invoked by the __libc_start_main routine, which sets up the environment for the program and also cleans up after main() returns. We will see how it is possible to change the return address on the stack (RET) to point to our shellcode and have it execute. <br><br><br><br><br><br><style type="text/css">body { background: #FFF; } </style> </div>

Tags: programming ,

This video is part of the following groups:

1. Buffer Overflow Exploitation Megaprimer for Linux ( 9 videos)

Comments (17)

Col_Loki on Wed 27 Apr 2011

Great video, nice and short. Many thanks again.

Mwerk on Mon 09 May 2011

Well done, made it simple.

resoliwan on Sun 15 May 2011

thanks this video really helped me

3ntropy on Thu 09 Jun 2011

hey Man! Well done! You are doing a great job trying to teach others, You are the best, I am learning about the exploit by myself using Jon Ericson's book, but Your tutorials are better. I really like them. Do you have tutorials on String Exploits? Well, You are great. I am starting my MS IT Sec. this year, this sure will help me. Thank you.

Alteminor on Fri 24 Jun 2011

How likely are buffer overflows nowadays? Especially with something like C++, where it's much easier to just use std::getline() with a deliminator, or any std::istream object. This is very valuable information, but I'm wondering its worth to the modern hacker.

bsmartt on Sun 26 Jun 2011

I'm also interested in an answer the Alteminor's question.

smartboy on Mon 11 Jul 2011

Greate vivek. thank you very much.

Oziriz on Mon 18 Jul 2011

First of all; thank you for these videos Vivek! I really appreciate them and am really looking forward to watching the rest of the videos.

However, maybe you go through this in a later video, but this code may not work for two reasons:

1. There are null bytes in the shell code. This is bad because the shellcode is written into a string buffer so they will be treated as string terminators.

More information on null bytes in shell code:
http://purecode.pl/blog/?p=48

And on this page (scroll about 20% down):
http://www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html

2. Non-executable stack and heap. Here's some reading on that:

How to bypass non-executable stack:
http://penturalabs.wordpress.com/2011/04/02/vulnerability-development-buffer-overflows-how-to-bypass-non-executable-stack-nx/

Testing your shellcode anyway:
http://www.thexploit.com/secdev/testing-your-shellcode-on-a-non-executable-stack-or-heap/

Execute Disable Bit:
http://www.intel.com/technology/xdbit/index.htm

And finally an example I wrote that should work for testing your shellcode if you can't execute Vivek's example code on your machine:
http://pastebin.com/FBmRiZ0Q

And shellcode.s for the assembly:
http://pastebin.com/ZenZFVGp

I hope someone will find this useful. I also hope people correct me if I'm wrong, I'm just starting out here.

Now, on to the next video!

dyntryx on Sun 21 Aug 2011

@Oziriz Thanks for the info. I haven't studied buffer overflows in a while, so I'm reviewing these videos; you posted some good information.

I'd like to add a few things:
1. The null bytes in the shell code should not make a difference in this situation. The reason they are not important is because the shellcode is being placed directly into the C program, so it does not have to be copied into memory.

Real buffer overflows commonly involve copying an input string into memory. If the data being copied is a null-terminated string and you're trying to inject shellcode, then you DO have to remove the null bytes from your shellcode to prevent the problem you explained.

2. Regarding the non-executable stack, this information you provided is very useful. However, since I'm sure there are a lot of beginners viewing these videos they might be interested to know that you can enable stack execution by simply passing "-z execstack" to gcc when compiling.

How to enable stack execution:
http://www.techblogistech.com/2011/08/testing-shellcode-on-a-non-executable-stack-or-heap/

I'll also mention that if you're running a 64-bit machine you may have slightly different results than what Vivek shows in the video. The link above to techblogistech.com contains my example ShellCode.c and you'll see that instead of "int" I had to use "long" to get the examples to work. This is of course because the memory addresses on my machine are larger than on a 32-bit machine.

I hope you guys find Oziriz and my comments useful!

kilgore on Sat 17 Sep 2011

The Linux primer series and this one on buffer overflow are both excellent. I've understood the "concept" of a buffer overflow for years; you know, overwrite the return pointer so it jumps and executes the evil code. But I've never seen it explained so well, step by step, as you do here. The vids are just the right length focusing on one concept at a time.

Thank you so much for your time and effort. You'll be getting a donation from me.

I would encourage others to donate as well, even if it's just a few bucks. Bandwidth for the SecurityTube site costs, not to mention Vivek's valuable time and effort in producing these.

Thank you Vivek!

dikien on Sun 25 Dec 2011

thank your. I understand what the shellcode is.
really appreciate...

xGeek on Sun 25 Dec 2011

Don't work for me :'(
i'am on UBUNTU(11.10) 32bit with this kernel: "3.0.0-14-generic"
what should i do ??

syberskater on Wed 04 Jan 2012

the program is working but i just got a weird segmentation fault.

example :
ubuntu@ubuntu:~$ ./ShellCode
Segmentation fault (core dumped)
ubuntu@ubuntu:~$ echo $?
139
ubuntu@ubuntu:~$



when i echo i got 139 instead of 20 :/ mmmm..??

ian on Sun 22 Jan 2012

@ xgeek and syberskater:

This is for anyone who got a segmentation fault when trying to run the exit shellcode. I was having this problem on a Ubuntu 11.04 OS. Here is the solution:

1. If you don't already have it, go ahead and get "execstack".
sudo apt-get install execstack

2. Then compile the code as usual.
gcc -mpreferred-stack-boundary=2 -o Shellcode Shellcode.c

3. then run the execstack with the Shellcode executable.
execstack -s Shellcode

4. Now you should be able to run it without any errors.

:)

hacknix on Thu 26 Jan 2012

I need someone who is capable of hacking* websites & accessing their email database


I don't need scraping,web crawling or extractors


I need this sites HACKED so I gain access to their email DB


I will need to test the result u give me,if it checks out,I am willing to pay up to 3000$

per website and 10-20 websites monthly,which will increase upon delivery of faster & quality

service


Pls note,CONTINUITY is what I am after...I NEED A GOOD PARTNER I CAN WORK WITH FOR A VERY

LONG TIME!. I HAVE AT LEAST 500 WEBSITES ON MY LIST AND IM WILLING TO PAY 3000$ PER WEBSITE

PLEASE SEND ME A MAIL IF U CAN DO THIS ASAP ; omorye007 (at) yahoo (dot) com


Cheers

MasterMind555 on Fri 09 Mar 2012

My machine is 64 bits and I hit a problem here. I managed to overwrite only half of the address due to the fact that my pointer only hold 4 bytes. How can I fix this problem? Thanks

mayurkumar on Thu 03 May 2012

@vivek_sir
Is it possible to point the instruction out of the program memory space.

Login to post a comment