Summary: Video demonstration of discovering a buffer overflow vulnerability in a SUID-root program, determining attributes of the bof, and writing a custom exploit for local privilege escalation on Ubuntu 12.04 by webpwnized (@webpwnized).

While modern operating systems have long been patched against exploits which use direct addressing to exploit buffer overflows, it can be interesting to look at the creation of a custom exploit in order to better understand the basics of buffer overflow vulnerabilities. Additionally, even with up-to-date operating systems available, it is still possible some of these vulnerabiltities are still exposed to static addressing exploits due to weaknesses in third-party software and out of date systems which "can't" be updated because of an older business critical software system relying on last-generation O/S support.

In any case, this video is entirely acedemic in that a sample program was written to purposely contain a buffer overflow and all operating system protections were removed for simplicity. Also the program has the suid bit set and the owner changed to root. In order to ensure the demonstration is repeatable, it is important to note that the program was compiled with both stack-canaries disabled and non-executable stack protection turned off. Additionally, address space layout randomization (ASLR) was disabled at run time. While it is possible to circumvent these controls under certain conditions (i.e. patch levels, compiler options, rop-friendly environments, etc.), it is best to practice at first without these controls to aid in understanding. The operating system is Ubuntu 12.04 running as a Virtual Machine in Oracle VirtualBox. Helpful notes are below. These are used at various points in the video.

Oracle VM VirtualBox

Basic checkpoints in the demonstration are:

  1. Explain the environment (Ubuntu 12.04)
  2. Compile the sample program with protections disabled
  3. Disable ASLR
  4. Examine process assembly in debugger
  5. Locate overflow
  6. Determine buffer size, location, and layout
  7. Find reliable method to overwrite return pointer
  8. Inject shellcode and set return pointer to land inside

Practice Checklist

1. Disable address space layout randomization (ASLR)
echo 0 > /proc/sys/kernel/randomize_va_space

2. Compile program without stack canary protection and non-executable stack protection
gcc -fno-stack-protector -z execstack -o <name of output file> <name of source code>

3. Run GDB as a regular user since the exploit will be run as a regular user. Running as root can change the memory layout.

How to Check ASLR

    cat /proc/sys/kernel/randomize_va_space`
        0 - Off
        1 - On
        2 - On (Max Randomization)

How to Check Non-Executable Stack for a Program

    objdump -p authenticate_user | grep -i -A1 stack (check rwx flags)
    readelf -l authenticate_user | grep -i stack (check RWE flags)
    scanelf -e authenticate_user (check RWX flags)

gdb helpful hints

Run program with input

run < $(python -c 'print "A" * 512 "B" * 4')

show next 10 instructions

   x/10i $eip

show registers

info registers

show stack pointer

info reg $esp      
print $esp

show function address

print <function>

Showing modules loaded for a program, the load address, and whether the addresses are static

ldd <program>

Source code used in demo

#include <stdio.h>
#include <stdlib.h>
#define correct_password "op3ns3s3m3"
authenticate_user (){
        char password[512];
        printf("Please enter the password: ");
        gets (password);
        if (strcmp(correct_password, password) == 0)
            printf("Access Denied!\n");
        return 0;
        printf("Access Granted\n");
        return 0;
int main(int argc, char *argv[]){
        if(argc > 1){
            printf("Usage: password <password>\n");
        return 0;