
Can you recommend me the OS mentioned in Shellcoder's Handbook? I'm having frequent issues running the ELF files mentioned there (see the errors below). I know that to overcome those errors I have to enter commands or arguments, but I did that too and I'm still not getting the same output as in the book, e.g. on the assembly level.

I'm running one file to demonstrate on ubuntu 4.15.0-106-generic (the testing environment I'm using), and a lot of things on the assembly level are different.

The following dissimilarity will help you understand my problem. The code below, from the book, is focused on the int 0x80 instruction.

CODE:

#include <stdlib.h>   /* declares exit() */

int main(void)
{
    exit(0);
}

This is the output from the book:

[slap@0day root] gdb exit
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions. Type “show copying” to see the conditions.
There is absolutely no warranty for GDB. Type “show warranty” for
details.
This GDB was configured as “i386-redhat-linux-gnu”...
(gdb) disas _exit
Dump of assembler code for function _exit:
0x0804d9bc <_exit+0>: mov 0x4(%esp,1),%ebx
0x0804d9c0 <_exit+4>: mov $0xfc,%eax
0x0804d9c5 <_exit+9>: int $0x80
0x0804d9c7 <_exit+11>: mov $0x1,%eax
0x0804d9cc <_exit+16>: int $0x80
0x0804d9ce <_exit+18>: hlt
0x0804d9cf <_exit+19>: nop
End of assembler dump.

This is the output from my testing environment (ubuntu 4.15.0-106-generic 16.04.1):

GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5)7.11.1
This GDB was configured as "i686-linux-gnu"
gdb-peda$ disas exit
Dump of assembler code for function exit@plt:
   0x080482e0 <+0>:     jmp    DWORD PTR ds:0x804a00c
   0x080482e6 <+6>:     push   0x0
   0x080482eb <+11>:    jmp    0x80482d0
End of assembler dump.

As you can see, there is no int 0x80 instruction in the testing environment, unlike in the book.

Errors :

stack-smashing detected --- to overcome this error I used (-fno-stack-protector), and it works only sometimes.

or

Also Segmentation fault (core dumped) --- I'm getting this error when it's not even mentioned in the book. I know it's the Linux version I'm using, which must be patched against the things from the book.

So can you recommend me the environment/OS mentioned in the book, or is there any way to compile the binaries mentioned in the book to run on my testing environment (Linux 4.15.0-106-generic #107~16.04.1-Ubuntu)?

EDIT:

Command used to compile the ELF file:

gcc -m32 -fno-stack-protector exit.c -o exit

I also tried this:

gcc -static -m32 -fno-stack-protector exit.c -o exit

Adding -static gave this in the assembly:

gdb-peda$ disas exit
Dump of assembler code for function exit:
   0x0804e440 <+0>:     sub    esp,0x10
   0x0804e443 <+3>:     push   0x1
   0x0804e445 <+5>:     push   0x80eb070
   0x0804e44a <+10>:    push   DWORD PTR [esp+0x1c]
   0x0804e44e <+14>:    call   0x804e320 <__run_exit_handlers>
End of assembler dump.
Evil Dead
  • In one case you disassemble `exit()`, in the other you disassemble `_exit()`; those aren't the same function. Do you have a typo? – Andy Dalton Jul 02 '20 at 14:11
  • Also, can you please edit your question to include how you're compiling the sample application? My guess is adding `-static` will help – Andy Dalton Jul 02 '20 at 14:14
  • Also, are you saying you're getting a stack-smashing/segmentation fault from _this_ program? Or are you talking about some other unlisted sample program(s)? – Andy Dalton Jul 02 '20 at 14:18
  • 1. I tried creating a new file using -static, but I'm not getting int 0x80 as shown in the book example. 2. Also, yes, I'm talking about different programs I haven't listed here, and they are giving me those errors. – Evil Dead Jul 02 '20 at 14:25
  • You responded to two of the three comments. Did you try disassembling `_exit` (like you show the book did; notice the underscore before exit) instead of `exit`? If that didn't work, did you repeat that experiment when compiling with `-static`? – Andy Dalton Jul 02 '20 at 14:38
  • @AndyDalton Sorry! I made a typo there; it's **_exit**, and I compiled with `-static` and it gave me `int 0x80`. But without "-static", when I typed `disas _exit` it gave me this error: **No symbol table is loaded. Use the "file" command.** Can you please tell me why this happens? Also I noticed that the book's gdb is "i386-redhat-linux-gnu" and mine is "i686-linux-gnu"; do you think it can make a difference in reading assembly? If it can, then can I configure my gdb to "i386-redhat-linux-gnu"? – Evil Dead Jul 02 '20 at 14:41
  • Maybe using CentOS will help, since it is one of the distros most closely related to RHEL. Not sure about Fedora (did not touch Fedora in the last 12 years). – ares777 Jul 02 '20 at 14:52
  • Having in mind the version listed as 2003, CentOS-7 was released that year. I have the 2nd edition of the book, and I think this is way "too old" to compare with "new" releases (e.g. ubuntu, based on Debian). So, put a CentOS 7 in a virtual machine and see if it matches the book. – ares777 Jul 02 '20 at 15:08
  • @ares777 If you don't mind, can you recommend me a book which is similar to this (I mean deep into buffer overflows) and especially relevant to "new" releases? I searched and searched but couldn't find new books on it. I started to read this book because it was well rated. If you know, please tell me!! – Evil Dead Jul 02 '20 at 18:07
  • I think you shall go with that book, deploy CentOS and so on. The mechanisms for exploits given in the book are a good base for now. There is no way to go over hardening kernels, since you want to have a good base to advance. But what book comes into my mind is the 2010 edition of A Guide to Kernel Exploitation... I did not cover this subject from that time; I am a senior programmer enough to care about other aspects of computer science. On the other hand you can find on github enough *nix exploit references, for example. What differentiates script kiddies from others is cod(ing)e knowledge. :) – ares777 Jul 03 '20 at 13:02

1 Answer


In the book output, you show that they disassemble _exit:

This GDB was configured as “i386-redhat-linux-gnu”...
(gdb) disas _exit

But in your experiment, you disassemble exit (notice the missing leading underscore):

This GDB was configured as "i686-linux-gnu"
gdb-peda$ disas exit

Those are two separate functions, so make sure you're using _exit. This answer explains the difference between the two: https://unix.stackexchange.com/a/5375/90691

Also, in your output I noticed exit@plt; that "plt" stands for "Procedure Linkage Table", and it's part of resolving dynamically-linked symbols. If you compile with -static, that'll cause the compiler to statically link (instead of dynamically link) your program, so you won't end up with that level of indirection. This answer provides a more detailed explanation: https://unix.stackexchange.com/a/256852/90691

If you don't compile with -static and try to disassemble the program from the book, you might see:

(gdb) disassemble _exit
No symbol "_exit" in current context.

That's because nothing in your program referenced the symbol _exit. Compiling with -static may resolve that problem. If not, you could modify the program to call _exit instead of exit.

Finally, i386-redhat-linux-gnu vs i686-linux-gnu. The former is for a 386 processor; the latter is for a 686 processor. Both are 32-bit, so with any luck you should be fine using the 686 toolchain.

Andy Dalton