Search code examples
cassemblystack-overflowinstructions

Generating simple shell binary code to be copied to the stack for stack overflow

I am trying to implement the buffer overflow attack, but I need to generate instruction code in binary so I can put it on the stack to be executed. My problem is that the instructions that I am getting now have jumps to different parts of a program which becomes hard to put on the stack. So I have this simple piece of code (not the code to be exploited) that I want to put on the stack to spawn a new shell.

#include <stdio.h>

int main( ) {
        char *buf[2];
        buf[0] = "/bin/bash";
        buf[1] = NULL;
        execve(buf[0], buf, NULL);
}

The code is being compiled with gcc with the following flags:

CFLAGS = -Wall -Wextra -g -fno-stack-protector -m32 -z execstack
LDFLAGS = -fno-stack-protector -m32 -z execstack

Finally using objdump -d -S, I get the following code (parts of it) in hex:

....
....
08048320 <execve@plt>:
 8048320:       ff 25 08 a0 04 08       jmp    *0x804a008
 8048326:       68 10 00 00 00          push   $0x10
 804832b:       e9 c0 ff ff ff          jmp    80482f0 <_init+0x3c>
....
....
int main( ) {
 80483e4:       55                      push   %ebp
 80483e5:       89 e5                   mov    %esp,%ebp
 80483e7:       83 e4 f0                and    $0xfffffff0,%esp
 80483ea:       83 ec 20                sub    $0x20,%esp
        char *buf[2];
        buf[0] = "/bin/bash";
 80483ed:       c7 44 24 18 f0 84 04    movl   $0x80484f0,0x18(%esp)
 80483f4:       08 
        buf[1] = NULL;
 80483f5:       c7 44 24 1c 00 00 00    movl   $0x0,0x1c(%esp)
 80483fc:       00 
        execve(buf[0], buf, NULL);
 80483fd:       8b 44 24 18             mov    0x18(%esp),%eax
 8048401:       c7 44 24 08 00 00 00    movl   $0x0,0x8(%esp)
 8048408:       00 
 8048409:       8d 54 24 18             lea    0x18(%esp),%edx
 804840d:       89 54 24 04             mov    %edx,0x4(%esp)
 8048411:       89 04 24                mov    %eax,(%esp)
 8048414:       e8 07 ff ff ff          call   8048320 <execve@plt>
}
 8048419:       c9                      leave  
 804841a:       c3                      ret    
 804841b:       90                      nop

As you can see this code is hard to copy onto the stack. execve jumps to a different part of the assembly code to be executed. Is there a way to nicely get a program which can be put compactly on the stack without too much space and branches being used?

Solution

  • If you want a clean assembly code without coding it yourself, do the following:

    1. Move your code to a separate function
    2. Pass the -O0 compilation flag to gcc in order to prevent optimizations
    3. Compile just an object file - use gcc [input file] -o [output file]

    Follow these steps, and use the assembly code generated from objdump.
    Please keep in mind, you have an external dependency for execve:
    8048414: e8 07 ff ff ff call 8048320 <execve@plt>
    so you must either include its implementation explicitly and remove the call, or know in advance that the process you want to attack has this function in its address space, and modify the call address to match the process execve address.