I am reading the Shellcoder's Handbook, and there is one sentence about executing past the allocated space:

> Interestingly, we see that the program was executing address 0x0000000a (or 10 in decimal) when it crashed. More on this later in this chapter.
MY PURPOSE

`ret` instruction (so the address will be popped and moved to eip, as `ret` does), and output the input 2 times (the second time when jumped back by my payload). It is nothing so special, only educational, to see it execute my payload instead of a SEGFAULT. That is my purpose. So there is an example (in C):
```c
#include <stdio.h>

void return_input(void) {
    char ar[30];
    scanf(" %s", ar);   /* no width limit: input longer than the buffer overflows it */
    printf("%s\n", ar);
}

int main(void) {
    return_input();
    return 0;
}
```
As I can see, I have a 30-byte buffer to use. When dumped:

```
Dump of assembler code for function main:
0x0804919b <+0>:  push %ebp
0x0804919c <+1>:  mov  %esp,%ebp
0x0804919e <+3>:  and  $0xfffffff8,%esp
0x080491a1 <+6>:  call 0x8049172 <return_input>   // here I want to jump
0x080491a6 <+11>: mov  $0x0,%eax
0x080491ab <+16>: leave
0x080491ac <+17>: ret
End of assembler dump.
```
Now I would like to overflow my buffer to jump into address 0x080491a1 (as it is the address of the call to `<return_input>`), so when it jumps, the output should be printed two times. So finally I do:

```sh
$ printf "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDD\xa1\x91\x04\x08" | ./c.exe
```
Which, as I understand, should be: 10 times 'A', 10 times 'B', 10 times 'C', so now I have exhausted my allowed buffer. Continue: 6 times 'D' AND my payload (4 bytes). Together it is 40 bytes, as is mentioned in the book (ten bytes after the allocated space). So it should jump to that address, as the return address on the stack used by the `ret` instruction should now be overwritten by my payload. But instead:

```
AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDD��
Segmentation fault (core dumped)
```

In the book, it worked:

```
shellcoders@debian:~/chapter_2$ printf “AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDD\xed\x83\x04\x08” | ./overflow
AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDí
AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDò
```
But unfortunately not for me.
Can someone explain to me how to make the jump without the segfault? I have tried to go step by step in gdb, but even there I could not see the payload address after `ret` (well, it is not even possible in gdb when I am entering characters in ASCII; it must be `printf` to translate the payload).

So where (in what position, the 10th byte?) should I put the payload in order for it to be executed without a segfault?

Additional info: compiled as:

```sh
cc -mpreferred-stack-boundary=3 -ggdb -m32 -fno-stack-protector -o $@ -no-pie -fno-PIE -z execstack $<
```
Additional info (dumped):

```
Dump of assembler code for function return_input:
0x08049172 <+0>:  push %ebp
0x08049173 <+1>:  mov  %esp,%ebp
0x08049175 <+3>:  sub  $0x20,%esp
0x08049178 <+6>:  lea  -0x1e(%ebp),%eax
0x0804917b <+9>:  push %eax
0x0804917c <+10>: push $0x804a008
0x08049181 <+15>: call 0x8049050 <__isoc99_scanf@plt>
0x08049186 <+20>: add  $0x8,%esp
0x08049189 <+23>: sub  $0x4,%esp
0x0804918c <+26>: lea  -0x1e(%ebp),%eax
0x0804918f <+29>: push %eax
0x08049190 <+30>: call 0x8049030 <puts@plt>
0x08049195 <+35>: add  $0x8,%esp
0x08049198 <+38>: nop
0x08049199 <+39>: leave
0x0804919a <+40>: ret
End of assembler dump.
```