Problem to understand execution of payload (shellcode)

[phal_format]

Hello there,

I know that there are lot of (good) tutorials regarding this topic, but after reading them, I really cant follow their thoughts (e.g.: Smashing The Stack For Fun And Profit):

The problem is that we don't know where in the memory space of the program we are trying to exploit the code (and the string that follows it) will be placed. One way around it is to use a JMP, and a CALL instruction. The JMP and CALL instructions can use IP relative addressing, which means we can jump to an offset from the current IP without needing to know the exact address of where in memory we want to jump to.

Given the following "crackme" (this example is used as demo, you can skip it and read the question and my approach):

Code: [Select]

// ASLR DISABLED!
#include <stdio.h>
#include <string.h>

void funktion(char *args) {
    char buffer[250];
    strcpy(buff, args);
}

int main(int argc, char *argv[]) {
    if (argc > 1)
        funktion(argv[1]);
    else
        printf("Kein Argument!\n");

    return 0;
}
Target: I want to execute a very basic shellcode within that process.

Vulnerability: Classical potential Stack-Bufferoverflow, due to use of strcpy(...).

Required Information:

Code: [Select]

(gdb) info frame 0
Stack frame at 0xffffd300:
 eip = 0x8048449 in funktion (stack_bof2.c:7); saved eip = 0x8048474
 called by frame at 0xffffd330
 source language c.
 Arglist at 0xffffd2f8, args: args=0xffffd575 "A"
 Locals at 0xffffd2f8, Previous frame's sp is 0xffffd300
 Saved registers:
  ebp at 0xffffd2f8, eip at 0xffffd2fc
(gdb) print/x &buffer
$1 = 0xffffd1f6

• The buffer starts at 0xffffd1f6.
• The Return Iinstruction Pointer (RIP) is located at 0xffffd2fc.
• The offset of the RIP from the buffer's first element is 262 bytes.

Methodical Approach:

1. The RIP has to be overwritten with buffers first element's address 0xffffd1f6, because there the shellcode is being placed.
2. The shellcode has to be placed in the buffer location and should not exceed a length of 261 bytes, because from the 262th byte on, the RIP is being overwritten.

Question: I dont know what is meant with "The problem is that we don't know where in the memory space of the program we are trying to exploit the code (and the string that follows it) will be placed"
I think we know it: The shellcode is going to be placed into the buffer, and the buffer's length and address is known, so that it's known where the shellcode is going to be placed in memory (virtual memory, the absolute physical address doesnt matter). Because of that, the RIP has to be overwritten with the first address of the buffer (there where the shellcode starts).
What do they mean with it? (ASLR disabled)
Downloadlink of the crackme.

[TheWormKill]

Basically, you know where the return address is relative to the buffer location. But you don't know exactly where in the memory space the buffer is, because a few factors like environment variables, the call stack etc.
influence the size of the stack and thus the location of your buffer + shellcode. This means that you need to guess a suitable return address that would point to your shellcode. That's why shellcode won't use hardcoded addresses in most cases and instead use smart tricks with push, pop and call.

[phal_format]

Thanks for your answer, WormKill.
Hmm, seems a bit weird, cause in the book I'm reading, the RIP was overwritten with a fixed address of another function, to control the execution-flow of another example-program, but probably the stack-size varies more with a complex program, and therefore you should always avoid the use of hardcoded addresses.

To that JMP/Call-trick:
Considering the following situation (c&p from Smashing the Stack..., pastebin is more readable):

http://pastebin.com/dQpcgrwf

Assuming the stack starts at address 0xFF, and that S
stands for the code we want to execute the stack would then look like this:


bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
           buffer                sfp   ret   a     b     c

<------   [SSSSSSSSSSSSSSSSSSSS][SSSS][0xD8][0x01][0x02][0x03]
           ^                            |
           |____________________________|
top of                                                            bottom of
stack                                                                 stack

That's how I'd have done it before I got to know that the stack-size can vary.

The following is how it is done correctly

http://pastebin.com/VxUE7vbu

The CALL instruction can simply call the
start of our code above.  Assuming now that J stands for the JMP instruction,
C for the CALL instruction, and s for the string,  the execution flow would
now be:

bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
           buffer                sfp   ret   a     b     c

<------   [JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03]
           ^|^             ^|            |
           |||_____________||____________| (1)
       (2)  ||_____________||
             |______________| (3)
top of                                                            bottom of
stack                                                                 stack

How you can see, the return address (or RIP, that's how it's called in my book), still contains the absolute address of the buffer's first element. So that JMP/CALL instructions are useless.