I'm new to the subject of computer security, and I came across this table
```c
char *
isdn_net_newslave(char *parm)
{
	char *p = strchr(parm, ',');
	isdn_net_dev *n;
	char newname[10];

	if (p) {
		/* Slave-Name MUST not be empty */
		if (!strlen(p + 1))
			return NULL;
		strcpy(newname, p + 1);
		*p = 0;
		/* Master must already exist */
		if (!(n = isdn_net_findif(parm)))
			return NULL;
		/* Master must be a real interface, not a slave */
		if (n->local->master)
			return NULL;
		/* Master must not be started yet */
		if (isdn_net_device_started(n))
			return NULL;
		return (isdn_net_new(newname, n->dev));
	}
	return NULL;
}
```
I want to get a root shell by exploiting `strcpy()` or `strchr()`.
I have some trouble exploiting this with C, though it's got a `strcpy()` and `strchr()` inside it, because this is my first buffer overflow exploitation.
My Questions:
I don't know about ASLR well. How does it disturb the buffer overflow with a C script? I don't want to disable it, I'm looking at practical exploitation.
How to manipulate the variable `newname`?
And how to target this exact piece of code? Actually this code starts at line 2639 in the original code.
Please help me with this! Thank you!
Original Code:
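As an added example (not from the question, the answer, or the kernel source), the following userspace reproduction of the parsing in `isdn_net_newslave()` shows the defect and a bounded alternative: `strcpy(newname, p + 1)` copies whatever follows the comma into the 10-byte stack buffer, so any slave name of 10 or more characters overruns it, while the hypothetical `parse_slave_name()` rejects such input instead. All inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Same size as `char newname[10]` in isdn_net_newslave(). */
#define NEWNAME_LEN 10

/* Mirrors the copy the original performs: returns the number of bytes
 * strcpy(newname, p + 1) would write, or 0 if the input is rejected.
 * Anything above NEWNAME_LEN overruns the stack buffer. */
static size_t original_copy_bytes(const char *parm)
{
    const char *p = strchr(parm, ',');
    if (!p || !strlen(p + 1))
        return 0;
    return strlen(p + 1) + 1;           /* characters plus the NUL */
}

/* Hypothetical bounded replacement (not the kernel's own fix): copies the
 * slave name into newname only if it fits, terminator included. */
static int parse_slave_name(const char *parm, char newname[NEWNAME_LEN])
{
    const char *p = strchr(parm, ',');
    if (!p)
        return 0;                       /* no ",slave" part at all */
    size_t len = strlen(p + 1);
    if (len == 0)                       /* Slave-Name MUST not be empty */
        return 0;
    if (len >= NEWNAME_LEN)             /* would not fit with its NUL */
        return 0;
    memcpy(newname, p + 1, len + 1);
    return 1;
}

/* Convenience wrapper: the accepted slave name, or NULL when rejected. */
static const char *slave_or_null(const char *parm)
{
    static char newname[NEWNAME_LEN];
    return parse_slave_name(parm, newname) ? newname : NULL;
}

int main(void)
{
    /* Constructed inputs: a short name fits, a 10-character one does not. */
    const char *inputs[] = { "isdn0,isdn1", "isdn0,", "isdn0,1234567890" };
    for (size_t i = 0; i < 3; i++) {
        const char *s = slave_or_null(inputs[i]);
        printf("%-18s original writes %2zu bytes -> %s\n", inputs[i],
               original_copy_bytes(inputs[i]), s ? s : "rejected");
    }
    return 0;
}
```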
Any overflow (buffer, stack, heap, ...) requires shell code to lead to an exploit.
ASLR and DEP randomize the location of specific modules (like i.e. stack, heap, libc) in memory by a random offset, cf. https://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work
On Linux you can see how ASLR works with `cat /proc/self/maps`
(With ASLR turned on, are all sections of an image get loaded at the same offsets relative to the image base address every time?)
If this were not done and the modules were at static positions in memory (like it was back in the old days), one would have a static address where specific functions are located, and these addresses could be used as an entry point for the shellcode execution, because any overflow exploit has the goal to place shellcode in memory and execute this shellcode by a pointer to the specific position in memory.
I will not tell you more about grey techniques here, but maybe have a look at return-oriented programming, which is a variant of the overflow technique that is still efficient
(Exploiting a string-based overflow on x86-64 with NX (DEP) and ASLR enabled)