stackoom
  简体   繁体   中英

get shell from memcpy

 原文  2022-12-03 21:54:06       c/ overflow/ memcpy/ shellcode

Question

I've been trying to get shell from this function but nothing seems to work
so what's happening here is that I have a variable of size 32 bytes and I'm trying to copy 600bytes to it
what I don't understand is, where my shell code will be executed is it inside the 32bytes or in the 600 - 32 bytes.
I can't give the whole working code as this is just a disassembly code from ghidra.

Any help what should I do?
Thanks in advance.

void foo(void *param)
{
  undefined varialbe [32];
  
  memcpy(variable, param, 600);
  return;
}

this is the shellcode I tried

\x31\xc0\x50\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x50\x68\x2e\x74\x78\x74\x68\x66\x6c\x61\x67\x89\xe1\x50\x51\x53\x89\xe1\x31\xc0\x83\xc0\x0b\xcd\x80

I was expecting that I will get a shell on the system if I just input the above shell code. but all I get for not is segfaults.

I'm new to binary exploitations. so sorry if this is a stupid question and sorry for my english.

2 answers

solution1
 1  2022-12-03 22:11:21

It looks like you'r trying to overflow the memcpy function, If you'r reaching RIP, it must be filled with an address that you can execute, Classical technique is to have this address lower in the buffer, RIP is set to your payload by the return instruction at the end of the function.

You will need to deactivate modern features, which are address randomization and non executable stack. In case this securities are on on system that you are testing, you have to use a technique that is called ROP, which mean Return Oriented Payload.

This technique uses code allready present in the program. Well, bits of this code, by filling the stack will addresses of instructions that end up with "ret", you can come back to the stack and pick another instruction, this way you'r fill the registers as needed and then do a syscall.

You need to find links about these techniques.

solution2
 1  2022-12-03 22:23:08

… where my shell code will be executed is it inside the 32bytes or in the 600 - 32 bytes.

The intent here is that the data from param will be copied into memory starting where variable is but going beyond that. Beyond that is data on the stack used to manage function calls, including the return address of the function. The idea is that carefully crafted data in param will put a new return address on the stack, and, when the foo function returns, program execution will jump to that new address.

Doing this requires particular knowledge about the program being attacked and the computing platform it executes on.

Any help what should I do?

Classroom exercises of this nature must be crafted specifically for the system the students are using. You must get the necessary information from your instructor.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Get blob from sqllite db without memcpy How to memcpy() from argv[]? Is there any chance to get access violation from memcpy, if src buffer is accessed(read/write) from other thread wrong memcpy starting from index 1 memcpy into a struct from char array Using memcpy from a pointer to an array Memcpy from a double pointer in c Unexpected performance from memcpy and memmove How to get float address for use with memcpy? Can a thread running memcpy get preempted?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM