Video Tutorial: Introduction to custom exploits for buffer overflows (local privilege escalation)

Blog Post created by webpwnized on Nov 26, 2012
Summary: Video demonstration of discovering a buffer overflow vulnerability in a SUID-root program, determining attributes of the bof, and writing a custom exploit for local privilege escalation on Ubuntu 12.04 by webpwnized (@webpwnized).
While modern operating systems have long been patched against exploits which use direct addressing to exploit buffer overflows, it can be interesting to look at the creation of a custom exploit in order to better understand the basics of buffer overflow vulnerabilities. Additionally, even with up-to-date operating systems available, it is still possible some of these vulnerabiltities are still exposed to static addressing exploits due to weaknesses in third-party software and out of date systems which "can't" be updated because of an older business critical software system relying on last-generation O/S support.

In any case, this video is entirely acedemic in that a sample program was written to purposely contain a buffer overflow and all operating system protections were removed for simplicity. Also the program has the suid bit set and the owner changed to root. In order to ensure the demonstration is repeatable, it is important to note that the program was compiled with both stack-canaries disabled and non-executable stack protection turned off. Additionally, address space layout randomization (ASLR) was disabled at run time. While it is possible to circumvent these controls under certain conditions (i.e. patch levels, compiler options, rop-friendly environments, etc.), it is best to practice at first without these controls to aid in understanding.
The operating system is Ubuntu 12.04 running as a Virtual Machine in Oracle VirtualBox. Helpful notes are below. These are used at various points in the video.

Basic checkpoints in the demonstration are:
  1. Explain the environment (Ubuntu 12.04)
  2. Compile the sample program with protections disabled
  3. Disable ASLR
  4. Examine process assembly in debugger
  5. Locate overflow
  6. Determine buffer size, location, and layout
  7. Find reliable method to overwrite return pointer
  8. Inject shellcode and set return pointer to land inside
Practice Checklist
1. Disable address space layout randomization (ASLR)
          echo 0 > /proc/sys/kernel/randomize_va_space
2. Compile program without stack canary protection and non-executable stack protection
         gcc -fno-stack-protector -z execstack -o <name of output file> <name of source code>
3. Run GDB as a regular user since the exploit will be run as a regular user. Running as root can change the memory layout.
How to Check ASLR

    cat /proc/sys/kernel/randomize_va_space

        0 - Off
        1 - On
        2 - On (Max Randomization)
How to Check Non-Executable Stack for a Program
    objdump -p authenticate_user | grep -i -A1 stack (check rwx flags)
    readelf -l authenticate_user | grep -i stack (check RWE flags)
    scanelf -e authenticate_user (check RWX flags)
gdb helpful hints
     Run program with input
          run < $(python -c 'print "A" * 512 + "B" * 4')

    show next 10 instructions
        x/10i $eip
    show registers
        info registers

    show stack pointer
        info reg $esp
        print $esp

    show function address
        print <function>
Showing modules loaded for a program, the load address, and whether the addresses are static
    ldd <program>
Source code used in demo
#include <stdio.h>
#include <stdlib.h>
#define correct_password "op3ns3s3m3"
authenticate_user (){
        char password[512];
        printf("Please enter the password: ");
        gets (password);
        if (strcmp(correct_password, password) == 0)
            printf("Access Denied!\n");
        return 0;
        printf("Access Granted\n");
        return 0;
int main(int argc, char *argv[]){
        if(argc > 1){
            printf("Usage: password <password>\n");
        return 0;