I experimented with silk deck and came across a nop-slide technique. I wrote a small tool that takes a buffer size as a parameter and creates a buffer like this: [NOP | SC | RET], with the NOP taking up half the buffer, followed by the shellcode, and the rest filled with a (guessed) return address. It's very similar to the aleph1 tool described in his famous article.
My vulnerable test application is the same as in his document:
#include <string.h>

int main(int argc, char **argv) {
    char little_array[512];
    if (argc > 1)
        strcpy(little_array, argv[1]); /* unbounded copy: this is the overflow under test */
    return 0;
}
I tested it and well, it works:
jth@insecure:~/no_nx_no_aslr$ ./victim $(./exploit 604 0)
$ exit
But honestly, I have no idea why. Well, the saved eip was overwritten as intended, but instead of jumping somewhere into the buffer, I think it jumped into argv.
gdb showed the following addresses before calling strcpy():
(gdb) i f
Stack level 0, frame at 0xbffff1f0:
eip = 0x80483ed in main (victim.c:7); saved eip 0x154b56
source language c.
Arglist at 0xbffff1e8, args: argc=2, argv=0xbffff294
Locals at 0xbffff1e8, Previous frame sp is 0xbffff1f0
Saved registers:
ebp at 0xbffff1e8, eip at 0xbffff1ec
little_array address:
(gdb) print &little_array[0]
$1 = 0xbfffefe8 "\020"
After strcpy():
(gdb) i f
Stack level 0, frame at 0xbffff1f0:
eip = 0x804840d in main (victim.c:10); saved eip 0xbffff458
source language c.
Arglist at 0xbffff1e8, args: argc=-1073744808, argv=0xbffff458
Locals at 0xbffff1e8, Previous frame sp is 0xbffff1f0
Saved registers:
ebp at 0xbffff1e8, eip at 0xbffff1ec
So the 604 bytes copied into little_array overwrote ebp, eip, argc and argv, all with 0xbffff458.
EIP is now 0xbffff458. little_array is at 0xbfffefe8, so that address lies 1136 bytes above the start of little_array, i.e. outside the buffer I overflowed. Stepping with stepi, the bytes at 0xbffff458 turn out to be NOPs.
So is the shellcode being executed from argv rather than from little_array? Why argv (?), and what about argc, which also became 0xbffff458? Why does the NOP pad sit at 0xbffff458 and not near eip at 0xbffff1ec?
My setup is 32-bit Ubuntu 9.10 with ASLR disabled and the stack made executable with execstack -s.