
I used a buffer overflow and overwrote the return address on the stack. When I debug it with gdb, I can see that eip is set to the address I want. The address is a gadget in libc. The opcodes of the instructions are set properly, but it just doesn't execute them and I get this message:

0xb7fa9dd8 in ?? () from /lib/i386-linux-gnu/libc.so.6

Why? What is this message?

Look at the data below please:

(gdb) x $eip
 0xb7fa9dd8:    0xfff2a858

The gadget to execute is:

184dd8: 58                      pop    %eax
184dd9: a8 f2                   test   $0xf2,%al
184ddb: ff a8 00 00 00 00       ljmp   *0x0(%eax)
Farzane
  • Well, just looking at it, it looks like you're transferring control to some location on the stack, not to the "gadget" you want to execute. Could also be that `pop %eax` then `ljmp *0x0(%eax)` transfers control to a place you don't expect. – zneak Aug 25 '13 at 06:31
  • The stack is most likely marked as non-executable. – Paul R Aug 25 '13 at 06:40
  • Many thanks for your answers. But the address 0xb7fa9dd8 is exactly (184dd8 + b7e25000), where b7e25000 is the base of libc when it's loaded in memory at execution time. I don't need to make the stack executable, I don't inject any code into it. I just use the code already available in the system by transferring eip to that address. ljmp *0x0(%eax) should jump to another address in libc. – Farzane Aug 25 '13 at 11:21
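
The two checks the comments are arguing about (does eip really sit at libc base + gadget offset, and do the bytes gdb shows at eip really match the objdump listing) can be done mechanically. The script below is an added example, not code from the question or its comments; the values are the ones quoted above, and the parser for `objdump -d` lines and the `check_landing` helper are assumptions of this example.

```python
import re

# Constructed from the values quoted in the question: gdb's `x $eip` output,
# the libc base from the follow-up comment, and the objdump lines of the gadget.
GDB_EIP = 0xb7fa9dd8
GDB_WORD_AT_EIP = 0xfff2a858   # `x $eip` prints one 4-byte little-endian word
LIBC_BASE = 0xb7e25000

OBJDUMP_LINES = """\
184dd8: 58                      pop    %eax
184dd9: a8 f2                   test   $0xf2,%al
184ddb: ff a8 00 00 00 00       ljmp   *0x0(%eax)
"""

def parse_objdump(listing):
    """Return (offset, encoded bytes, text) for each `objdump -d` style line."""
    out = []
    for line in listing.splitlines():
        addr, sep, rest = line.partition(":")
        if not sep:
            continue
        toks = rest.split()
        code = bytearray()
        # Leading two-hex-digit tokens are the encoding; the rest is the mnemonic.
        while toks and re.fullmatch(r"[0-9a-f]{2}", toks[0]):
            code.append(int(toks.pop(0), 16))
        out.append((int(addr, 16), bytes(code), " ".join(toks)))
    return out

def gadget_bytes(listing):
    """Offset of the first instruction and the concatenated encoding in address order."""
    insns = parse_objdump(listing)
    return insns[0][0], b"".join(code for _, code, _ in insns)

def libc_base(eip, gadget_offset):
    """Runtime address minus file offset gives the base the library was mapped at."""
    return eip - gadget_offset

def check_landing(eip, word_at_eip, listing, expected_base):
    """Confirm both the address arithmetic and the bytes actually sitting at eip."""
    offset, code = gadget_bytes(listing)
    in_memory = word_at_eip.to_bytes(4, "little")  # undo gdb's word display
    return {
        "base_matches": libc_base(eip, offset) == expected_base,
        "bytes_match": in_memory == code[:4],
    }

if __name__ == "__main__":
    print(check_landing(GDB_EIP, GDB_WORD_AT_EIP, OBJDUMP_LINES, LIBC_BASE))
```

Both checks pass for the values in the question, so eip did land on the intended bytes; note that `ljmp *mem` loads a full selector:offset far pointer from memory, so a "gadget" like this one found in libc's data bytes faults on an invalid selector rather than jumping anywhere useful.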

0 Answers