Description: Welcome to Part 3 of the Buffer Overflow Primer. If you have not already done so, please start this series by viewing Part 1. The Buffer Overflow Primer requires that you know at least some basic Assembly Language; for those not familiar with the language, I have created a series of Assembly Language video tutorials for hackers.

In the last video we saw how to create shellcode from assembly language code. This video concentrates on how to execute that shellcode from within a C program to check that it works properly. To do this, we use the exit() shellcode created in the last video and launch it with ShellCode.c. During the demo we discuss how the main() function is actually invoked by the __libc_start_main routine, which sets up the environment for the program and cleans up after main() returns. We then see how it is possible to change the saved return address on the stack (RET) to point to our shellcode and have it execute.
Tags: programming
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Great video, nice and short. Many thanks again.
Well done, made it simple.
thanks this video really helped me
Hey man! Well done! You are doing a great job trying to teach others; you are the best. I am learning about exploits by myself using Jon Ericson's book, but your tutorials are better. I really like them. Do you have tutorials on string exploits? Well, you are great. I am starting my MS in IT Sec this year; this sure will help me. Thank you.
How likely are buffer overflows nowadays? Especially with something like C++, where it's much easier to just use std::getline() with a delimiter, or any std::istream object. This is very valuable information, but I'm wondering about its worth to the modern hacker.
I'm also interested in an answer to Alteminor's question.
Great, Vivek. Thank you very much.
First of all; thank you for these videos Vivek! I really appreciate them and am really looking forward to watching the rest of the videos.
However, maybe you go through this in a later video, but this code may not work for two reasons:
1. There are null bytes in the shell code. This is bad because the shellcode is written into a string buffer so they will be treated as string terminators.
More information on null bytes in shell code:
http://purecode.pl/blog/?p=48
And on this page (scroll about 20% down):
http://www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html
2. Non-executable stack and heap. Here's some reading on that:
How to bypass non-executable stack:
http://penturalabs.wordpress.com/2011/04/02/vulnerability-development-buffer-overflows-how-to-bypass-non-executable-stack-nx/
Testing your shellcode anyway:
http://www.thexploit.com/secdev/testing-your-shellcode-on-a-non-executable-stack-or-heap/
Execute Disable Bit:
http://www.intel.com/technology/xdbit/index.htm
And finally an example I wrote that should work for testing your shellcode if you can't execute Vivek's example code on your machine:
http://pastebin.com/FBmRiZ0Q
And shellcode.s for the assembly:
http://pastebin.com/ZenZFVGp
I hope someone will find this useful. I also hope people correct me if I'm wrong, I'm just starting out here.
Now, on to the next video!
@Oziriz Thanks for the info. I haven't studied buffer overflows in a while, so I'm reviewing these videos; you posted some good information.
I'd like to add a few things:
1. The null bytes in the shell code should not make a difference in this situation. The reason they are not important is because the shellcode is being placed directly into the C program, so it does not have to be copied into memory.
Real buffer overflows commonly involve copying an input string into memory. If the data being copied is a null-terminated string and you're trying to inject shellcode, then you DO have to remove the null bytes from your shellcode to prevent the problem you explained.
2. Regarding the non-executable stack, this information you provided is very useful. However, since I'm sure there are a lot of beginners viewing these videos they might be interested to know that you can enable stack execution by simply passing "-z execstack" to gcc when compiling.
How to enable stack execution:
http://www.techblogistech.com/2011/08/testing-shellcode-on-a-non-executable-stack-or-heap/
I'll also mention that if you're running a 64-bit machine you may have slightly different results than what Vivek shows in the video. The link above to techblogistech.com contains my example ShellCode.c and you'll see that instead of "int" I had to use "long" to get the examples to work. This is of course because the memory addresses on my machine are larger than on a 32-bit machine.
I hope you guys find Oziriz and my comments useful!
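As an added example, not code from the video or from either commenter, the following C program makes the two points above concrete. It embeds two constructed encodings of the same x86 exit(20) system call: one written with 32-bit immediates, whose padding produces NUL bytes, and the NUL-free form shown in the video. Each is copied the way a strcpy()-based program would copy it, and the program reports how much of the shellcode survives. It also reports the pointer width, which is why a saved return address should be held in a uintptr_t rather than an int on a 64-bit build.

```c
/* Added example: check shellcode for NUL bytes before it is used in a
 * strcpy()-style copy, and report the address width of the current build.
 * Not part of Vivek's ShellCode.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: x86 exit(20) using 32-bit immediates
 * (mov eax,1 ; mov ebx,20 ; int 0x80). The immediates pad with NUL bytes. */
static const unsigned char exit_naive[] = {
    0xb8, 0x01, 0x00, 0x00, 0x00,   /* mov eax, 1  */
    0xbb, 0x14, 0x00, 0x00, 0x00,   /* mov ebx, 20 */
    0xcd, 0x80                      /* int 0x80    */
};

/* Constructed sample: the same syscall in NUL-free form
 * (xor eax,eax ; mov al,1 ; xor ebx,ebx ; mov bl,20 ; int 0x80). */
static const unsigned char exit_nulfree[] = {
    0x31, 0xc0,  /* xor eax, eax */
    0xb0, 0x01,  /* mov al, 1    */
    0x31, 0xdb,  /* xor ebx, ebx */
    0xb3, 0x14,  /* mov bl, 20   */
    0xcd, 0x80   /* int 0x80     */
};

/* Index of the first NUL byte in the shellcode, or -1 if there is none. */
long first_nul(const unsigned char *sc, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0)
            return (long)i;
    return -1;
}

/* Number of bytes a strcpy()/strlen()-based copy would carry over: everything
 * up to the first NUL. Equals len only when the shellcode is NUL-free. */
size_t bytes_survive_strcpy(const unsigned char *sc, size_t len) {
    long n = first_nul(sc, len);
    return n < 0 ? len : (size_t)n;
}

/* Actually copy the shellcode with strcpy(), as a vulnerable program would,
 * and report whether every byte arrived intact (1) or the copy truncated (0). */
int survives_strcpy(const unsigned char *sc, size_t len) {
    char src[64] = {0};
    char dst[64] = {0};
    if (len >= sizeof src)
        return 0;
    memcpy(src, sc, len);   /* src is now a C string ending at the first NUL */
    strcpy(dst, src);       /* stops at that NUL, exactly like an input copy */
    return memcmp(dst, sc, len) == 0;
}

/* Width in bytes of a pointer-sized integer: 4 on a 32-bit build, 8 on 64-bit.
 * This is the type the saved return address should be stored in, not int. */
size_t address_width(void) {
    return sizeof(uintptr_t);
}

int main(void) {
    printf("naive    : first NUL at %ld, %zu of %zu bytes survive strcpy, intact=%d\n",
           first_nul(exit_naive, sizeof exit_naive),
           bytes_survive_strcpy(exit_naive, sizeof exit_naive),
           sizeof exit_naive, survives_strcpy(exit_naive, sizeof exit_naive));
    printf("NUL-free : first NUL at %ld, %zu of %zu bytes survive strcpy, intact=%d\n",
           first_nul(exit_nulfree, sizeof exit_nulfree),
           bytes_survive_strcpy(exit_nulfree, sizeof exit_nulfree),
           sizeof exit_nulfree, survives_strcpy(exit_nulfree, sizeof exit_nulfree));
    printf("address width on this build: %zu bytes\n", address_width());
    return 0;
}
```

When the shellcode array lives inside the C program, as in the video, none of this matters because it is never copied through a string function; the check becomes relevant the moment the same bytes are delivered as input to a program that copies them with strcpy() or similar.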
The Linux primer series and this one on buffer overflow are both excellent. I've understood the "concept" of a buffer overflow for years; you know, overwrite the return pointer so it jumps and executes the evil code. But I've never seen it explained so well, step by step, as you do here. The vids are just the right length focusing on one concept at a time.
Thank you so much for your time and effort. You'll be getting a donation from me.
I would encourage others to donate as well, even if it's just a few bucks. Bandwidth for the SecurityTube site costs, not to mention Vivek's valuable time and effort in producing these.
Thank you Vivek!
Thank you. I understand what the shellcode is.
really appreciate...
Doesn't work for me :'(
I'm on Ubuntu 11.10 32-bit with this kernel: "3.0.0-14-generic"
What should I do??
The program is working but I just get a weird segmentation fault.
Example:
ubuntu@ubuntu:~$ ./ShellCode
Segmentation fault (core dumped)
ubuntu@ubuntu:~$ echo $?
139
ubuntu@ubuntu:~$
When I echo I get 139 instead of 20 :/ mmmm..??
@ xgeek and syberskater:
This is for anyone who got a segmentation fault when trying to run the exit shellcode. I was having this problem on an Ubuntu 11.04 OS. Here is the solution:
1. If you don't already have it, go ahead and get "execstack".
sudo apt-get install execstack
2. Then compile the code as usual.
gcc -mpreferred-stack-boundary=2 -o Shellcode Shellcode.c
3. Then run execstack on the Shellcode executable.
execstack -s Shellcode
4. Now you should be able to run it without any errors.
:)
My machine is 64-bit and I hit a problem here. I managed to overwrite only half of the address due to the fact that my pointer only holds 4 bytes. How can I fix this problem? Thanks
@vivek_sir
Is it possible to point the instruction outside of the program's memory space?
@ian Thanks very much
Please someone kill the bird >.<
lol joke :P
Thank you very much vivek. Great videos :)
Another great video. @Ian I was getting the same Segmentation Fault and used your fix and it cured the problem. Thanks.
What does this echo $? mean? I can see it refers to the exit status of the exit syscall when we execute the binary. What does it mean in general? Thanks.
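As an added example, not from the video or any of the commenters, the following C program shows where the number printed by echo $? comes from, both for the expected 20 and for the 139 seen in the segmentation-fault report above. $? holds the exit status of the last command, and a POSIX shell derives it from the wait() status: the exit code for a normal exit, or 128 plus the signal number when a signal killed the process. The child process here is constructed for the demonstration; it either exits with code 20, as the exit shellcode should, or raises SIGSEGV (signal 11), which the shell reports as 128 + 11 = 139.

```c
/* Added example: how a shell turns a child's wait() status into $?.
 * The child below is constructed for the demonstration. */
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Convert a raw wait() status into the number a POSIX shell stores in $?:
 * the exit code for a normal exit, 128 + signal number when a signal killed it. */
int shell_dollar_question(int status) {
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;  /* stopped or continued: not a termination status */
}

/* Fork a child that either calls _exit(code) or raises `sig` (0 = no signal),
 * wait for it, and return what the shell would show for $?. */
int run_child_and_get_status(int code, int sig) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (sig != 0)
            raise(sig);   /* default action for SIGSEGV terminates the process */
        _exit(code);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return shell_dollar_question(status);
}

int main(void) {
    printf("child exits with 20   -> $? = %d\n", run_child_and_get_status(20, 0));
    printf("child dies of SIGSEGV -> $? = %d\n", run_child_and_get_status(0, SIGSEGV));
    return 0;
}
```

So a 139 after running the harness means the shellcode never reached its exit syscall: the process was killed by SIGSEGV, typically because the jump landed in a non-executable region, which is the case the execstack fix above addresses. The "(core dumped)" suffix bash prints comes from the same status word (WCOREDUMP).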