11

Disclaimer: this exploit is purely for educational use. In this exploit I play the role of the victim and the software exploited is written by me alone.

I have a simple HTTP server that I want to exploit with a buffer overflow attack. I am sending a maliciously crafted HTTP request that overflows the buffer of a request variable via the strcpy function - the scenario being that the developer forgot to use strncpy.

However, there are two challenges with overwriting the return address in this program that I don't know how to solve:

  1. strcpy will stop copying when it encounters a NULL byte in the source string. Therefore, is it possible to overwrite the return address with a target address that contains the NULL byte 0x00? For example, if the target address is 0x407200, we must write \x00\x72\x40. However, strcpy will return upon the first \x00, and will not copy the \x72\x40. Therefore, is it possible to encode \x00 such that it does not cause strcpy to return prematurely?

  2. Likewise, the HTTP parser in my HTTP server splits the HTTP request into tokens with the space character \x20 as the delimiter. Therefore, is it possible to escape this character, like the NULL terminator above, such that an address that contains \x20 does not get split into two seperate tokens by strtok?

If not, is this just a limitation of buffer overflow attacks, in that, due to the construction of the program in question it is not always possible to overwrite the return address with a target address of your choice?

Improve this question
1
  • 1
    Generate shellcode through msfvenom and pass the two bad chars (space and null) with -b. For example msfvenom -p <payload> -b '\x00\x20' Commented Jul 25, 2015 at 18:59

2 Answers 2

Reset to default
4

Null bytes in your return address are hard to beat. Since its an address as opposed to code you cannot use an encoding stub. There are however a few potential ways to get around this:

1)Find the perfect address. Sometimes the application will copy code onto the stack or other areas in memory. If you're lucky you can find a static location that contain a suitable op code such as jmp esp.

2) Check for Unicode support, multi byte wide Unicode will allow you include null bytes in your payload.

3) It may be possible to spray the heap and make a predetermined address increasingly likely to contain your payload. This predetermined address can be chosen to not contain null bytes.

Good luck

Improve this answer
3

When you are exploiting a buffer overflow, your attack is possible because of an underlying misschecking on the asm code. In your case, strcpy use is in fault so you have some limitations. Indeed, strcpy is a string function.

As you said, you can't have \x00 byte. You can find other cases (not relying on stcpy) when \x00 can be allowed but not in this case. Sometimes some additional "treatment" is done before calling strcpy and you will have limited bytes as \x20 in the HTTP protocol.

You will need to work on the exploit to overwrite the return address and execute your payload without using those caracters. You may be able to succeed using a Nop-slide before your payload; this will allow you to shift your shellcode address.

You can also use Return to lib C, or other ROP technique.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.