Here’s a simple program to illustrate a stack smash.
For the purposes of this post our user is named ‘user’. We note that the binary we are targeting is suid for the flag user. (This would be suid root in the interesting case.)
So lets do some simple recon to see if there are functions that we might want to take advantage of:
So lets see if the strcpy is vulnerable. Lets see if we can make this program crash on our input. We can assume that the input being taken is probably everything except for a (NULL byte).
We suspect that there is a buffer overrun on standard input because of:
So we create a dipstick to see how to construct the payload.
Using GDB we find out at which point on the dipstick we need to notch our return address:
So we have overwritten the instruction pointer with data from our buffer. The program dies on jumping to the next instruction because $eip is not pointing to a valid memory address.
0x37614136 corresponds to 6Aa7 on our dipstick. We can get the offset by using:
Which shows we need the initial buffer to be 20 chars long. Now we need to replace 0x37614136 with an advantageous address. We can do this by looking where the program puts our input in memory.
So we see that the address we can use 0xbfbfeb60. Now we can put it all together:
And we run it like so:
Note: This is possible because there currently is a defaultly executable stack and this program was compiled without explicit stack smashing protection on FreeBSD.
Stack Smashing Protection is not on by default, but can be turned on with:
And from there we can see kill() being called when we attempt a stack smash.
Thus, it is important to make sure everything on FreeBSD is compiled with stack smashing protection on.