Hi,

I was just learning about buffer overflow attacks... I was curious as to how to generate a simple shellcode. For example, I've written two codes - One is the typical program that has a vulnerability inside and the other is the shellcode.

main program:

void test();

int main() {
   test();
   return 0;
}

void test() {
   int *ret;
   ret = (int *)&ret + 2;
   (*ret) = (int)shellcode;
}

I was thinking of putting the shellcode into the shellcode found in the end which is a character array.

And as for the shellcode generation, I've written something like:

#include <unistd.h>

int main() {
  char buf[]="Hello World";
  write(1,buf,sizeof(buf));
  exit(0);
}

But I don't know how to generate the shellcode from this so that I can put it in the original program. Can someone please guide me on how to achieve this?

Your example is contrived, so just stick the shellcode in your first program as a function.

An overflow attack works by contaminating the code segment with data. For example, if I say:

void do_something() {
  char s[ 12 ];
  printf( "Enter a string> " );
  gets( s );
  printf( "The string you entered is \"%s\", s );
  }

The vulnerability is that the user may enter more than eleven characters before hitting ENTER. (Which is why gets() should never be used.) An attacker recognizes that after twelve characters he can insert executable code, so that the next time do_something() is called then what it actually looks like is this:

void do_something() {
  char s[ 12 ];
  <attacker's code here>
  ...

If you compile two separate programs you will have to find and get the actual 'attacker' code out of your second program. Skip the grief and just use debug.exe to turn your assembly into opcodes you can insert, or if you are going to play exclusively with C, just make the 'attacker' code another function.

Also, remember that exploiting this vulnerability always corrupts and/or destroys the attacked program, often leading to a crash. The attacker's goal isn't to be invisible, just to get his code executed at least once. That code can do anything the attacked program was privileged to do.

Also remember that this is a very simple example. A true attacker must be a bit more sophisticated than this. True attacks are wickedness and evil, so I won't go into further detail.

Hope this helps.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.