4

I'm starting to tinker with buffer overflows, and wrote the following program:

#include <unistd.h>

void g() {
  execve("/bin/sh", NULL, NULL);
}

void f() {
  long *return_address;
  char instructions[] = "\xb8\x01\x00\x00\x00\xcd\x80"; // exit(1)

  return_address = (long*) (&return_address + 2);
  *return_address = (long)&g; // or (long)instructions
}

int main() {
  f();
}

It does what I expect it to do : return_address overwrite the return address of f with the address of g, which opens a shell. However, if I set the return address to instructions, I got a segmentation fault, and none of the instructions in instructions is executed.

I compile with GCC, using -fno-stack-protector.

How could I prevent this segmentation fault occurring ?

Improve this question
2
  • 3
    Not an expert, but could it be that instructions is saved in the data segment and therefore it trips the Data Execution Prevention (or its name under Linux) and therefore the program is terminated? If I understand correctly, this is not the same thing as a stack overflow, and it isn't disabled by -fno-stack-protector. But I'm not sure at all! Commented Apr 13, 2019 at 12:00
  • @FabioTurati instructions is stored in the stack, I've checked with GDB Commented Apr 13, 2019 at 12:30

1 Answer 1

Reset to default
2

At least one problem isn't related to the buffer overflow.

execve("/bin/sh", NULL, NULL);

That first NULL becomes the argv of the process you're starting. argv must be an array of strings that is terminated with a NULL. So a segfault may happen when /bin/sh starts up, tries to read argv[0], and dereferences NULL.

void g(void) {
    char *argv[] = { "/bin/sh", NULL };
    execve(argv[0], argv, NULL);
}

You might also add -z execstack to the gcc command line, which will tell the linker to permit an executable stack. You should also verify that the instructions you have there are what exit(1) compiles to on your system if you got them from a tutorial somewhere.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.