Hi Stack Overflow community,
I am currently working on a CTF challenge, where I need to perform a buffer overflow on a C program and then execute a shellcode to create and write to a file. The given C program is as follows:
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char** argv)
{
setuid(0);
char buffer[500];
strcpy(buffer, argv[1]);
return 0;
}
I successfully executed a shellcode that spawns a shell using GDB and a NOP sled. However, I now want to create a shellcode that writes to a file instead. I started by writing a simple x86 assembly code for it, compiling it, and using objdump to retrieve the hex representation, but it doesn't seem to work. The program exits normally, and no file is created.
Here's the x86 assembly code I've written:
global _start
_start:
shellcode:
jmp before_string
after_jump:
mov ebx ; address of "id.txt" string
xor ecx, ecx ; Zeroing ecx
xor eax, eax ; Zeroing eax
xor edx, edx ; Zeroing edx
mov al, 0x05 ; Open system call
mov ecx, 0x41 ; O_WRONLY
mov [ebx+6], dl ; NULL terminator for "helloworld.txt"
int 0x80 ; call open("id.txt", 1, 0). File descriptor is returned in eax
mov ebx, eax ; Move file descriptor to ebx
;Write system call
shellcode_1:
jmp before_write
after_jump_write:
pop ecx ; address of "hello" string
xor edx, edx ; Zeroing edx
xor eax, eax ; Zeroing eax
mov [ebx+9], dl ; NULL terminator for "helloworld.tx"
mov edx, 0x09 ; length of "hello" string in bytes
mov al, 0x04 ; write system call
int 0x80 ; call write(1, "", 9)
xor eax, eax
xor ebx, ebx
mov al, 0x1 ; exit system call
int 0x80
before_string:
call after_jump
string_open:
db "helloworld.txt"
before_write:
call after_jump_write
string_write:
db "hello"
I'm not sure why the shellcode isn't working as intended. Can anyone help me identify the issue or provide any guidance on how to correctly create a shellcode to write to a file in x86 assembly after performing a buffer overflow? Any help would be much appreciated. Thank you!
