12

I am trying to do a buffer overflow attack on a given piece of vulnerable code. But it seems it is going wrong because, although my exploit strings do not corrupt the stack, I cannot get my assembly code (embedded in the exploit string) to work at all.

Here are the memory values just before the execution of the 'ret' instruction of the program I want to attack.

0x55683984:     0x5568398c   0x...(old r.a)      0x68e322a1      0x0000c31c
0x55683994:     0xf7fa9400      0x0804a3d7       0x556839c0      0xf7e518d0

At this point, things go wrong because it cannot pop the stack and make %eip point to the popped value? So my exploit assembly code doesn't work (0x68e322a1 0x0000c31c). GDB says "No function contains program counter for selected frame", and when I try to execute it without debugging, it causes a segmentation fault.

Does this problem have something to do with the length of my assembly code (in this case it is 6)?

Program received signal SIGSEGV, Segmentation fault.
0x5568398c in ?? ()
(gdb) x 0x5568398c
0x5568398c: 0x68e322a1

How can this happen when I am able to see what's inside the address that causes the segfault?

bfaskiplar
  • You can use `disassemble` or `x/10i $eip` to see the code where it segfaulted, and `bt` to view the call stack. It would be easier to help if you showed the code you're trying to execute (if it's the 68 e3 .. it looks like it has a stray zero byte embedded). BTW, if this is for homework you should mark it as such. – user786653 Nov 20 '11 at 18:05
  • I used layout asm to see what is going on and that didn't help. Furthermore, now that my exploit code ends with a c3 (which means a ret instruction), a stray zero byte is no problem. The key point here is that I accidentally tried to reach a memory address which is probably undefined. – bfaskiplar Nov 21 '11 at 18:54

2 Answers

15

By default, disassemble prints out the code of the current function. In your case the program counter points somewhere onto the stack, and gdb cannot tell where the boundaries of the current function are. That's why you get the error message.

But you can manually specify a range of addresses to disassemble:

(gdb) disassemble 0x7fffffffbb00,0x7fffffffbbff
lesnik
  • Very nice trick. Alternatively, you can use `disassemble $rip, $rip+offset`, which eases the pain of figuring out where your stack frame is. – Eric Mar 18 '15 at 22:54
6

OK, here is the story: I forgot to place a '$' in front of the address in the movl instruction in my assembly code. Thus, the program was trying to access an undefined memory address, which caused a segmentation fault.

But I do not like the way GDB notifies this situation by saying just 'No function contains program counter for selected frame'.

bfaskiplar
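The dump in the question, decoded. This is an added example, not code from the question or from either answer. gdb printed the stack as 32-bit words, so the bytes the CPU executes starting at 0x5568398c are a1 22 e3 68 1c c3 00 00. Opcode a1 is `mov moffs32,%eax`, a load from the absolute address 0x1c68e322, which is exactly what `movl 0x1c68e322,%eax` without the `$` assembles to; the immediate form the asker meant, `movl $0x1c68e322,%eax`, has opcode b8 and never touches memory. That also answers the "how can it fault when I can see the address" puzzle: the program counter 0x5568398c is readable (which is why `x 0x5568398c` works), but the instruction sitting there dereferences 0x1c68e322, and that address is what faults. The program below is a tiny decoder for just the handful of opcodes a payload like this uses (mov imm32, mov moffs32, push imm32, nop, ret); it flattens the words into bytes, walks the payload up to the `ret`, flags any instruction that dereferences an absolute address, and checks for embedded NUL bytes. The opcode table and the constructed input are assumptions for illustration, not a general disassembler; in gdb, `x/6i 0x5568398c` gives the same answer.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded form of one instruction. */
typedef struct {
    size_t   len;            /* bytes consumed, 0 if the opcode is not in our tiny table */
    int      touches_memory; /* 1 if the instruction reads or writes an absolute address */
    int      is_ret;
    uint32_t operand;        /* imm32 or moffs32, if the instruction has one */
    char     text[48];       /* AT&T syntax, roughly as gdb's x/i would print it */
} insn_t;

/* gdb shows the stack as 32-bit words; x86 executes the bytes in little-endian
 * order, so the word 0x68e322a1 is the byte sequence a1 22 e3 68. */
static size_t words_to_bytes(const uint32_t *words, size_t nwords, uint8_t *out)
{
    for (size_t i = 0; i < nwords; i++) {
        out[4 * i + 0] = (uint8_t)(words[i] & 0xff);
        out[4 * i + 1] = (uint8_t)(words[i] >> 8);
        out[4 * i + 2] = (uint8_t)(words[i] >> 16);
        out[4 * i + 3] = (uint8_t)(words[i] >> 24);
    }
    return 4 * nwords;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static const char *reg32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Decode one x86-32 instruction from a deliberately tiny opcode table (an
 * assumption for this example: just the forms a 6-byte payload might use). */
static size_t decode_one(const uint8_t *p, size_t avail, insn_t *out)
{
    memset(out, 0, sizeof *out);
    if (avail == 0) return 0;
    uint8_t op = p[0];
    if (op == 0xc3) {                                   /* ret */
        out->len = 1; out->is_ret = 1;
        snprintf(out->text, sizeof out->text, "ret");
    } else if (op == 0x90) {                            /* nop */
        out->len = 1;
        snprintf(out->text, sizeof out->text, "nop");
    } else if (op >= 0xb8 && op <= 0xbf && avail >= 5) { /* mov $imm32,%reg32: no memory access */
        out->len = 5; out->operand = le32(p + 1);
        snprintf(out->text, sizeof out->text, "mov $0x%" PRIx32 ",%%%s", out->operand, reg32[op - 0xb8]);
    } else if (op == 0xa1 && avail >= 5) {              /* mov moffs32,%eax: LOADS from the address */
        out->len = 5; out->operand = le32(p + 1); out->touches_memory = 1;
        snprintf(out->text, sizeof out->text, "mov 0x%" PRIx32 ",%%eax", out->operand);
    } else if (op == 0xa3 && avail >= 5) {              /* mov %eax,moffs32: STORES to the address */
        out->len = 5; out->operand = le32(p + 1); out->touches_memory = 1;
        snprintf(out->text, sizeof out->text, "mov %%eax,0x%" PRIx32, out->operand);
    } else if (op == 0x68 && avail >= 5) {              /* push $imm32 */
        out->len = 5; out->operand = le32(p + 1);
        snprintf(out->text, sizeof out->text, "push $0x%" PRIx32, out->operand);
    }
    return out->len;
}

/* Decode until a ret or an unknown opcode. Returns the number of instructions;
 * *payload_len receives the byte count up to and including the ret. */
static int decode_payload(const uint8_t *code, size_t len, insn_t *out, int max, size_t *payload_len)
{
    int n = 0; size_t off = 0;
    while (n < max && off < len) {
        size_t l = decode_one(code + off, len - off, &out[n]);
        if (l == 0) break;
        off += l; n++;
        if (out[n - 1].is_ret) break;
    }
    *payload_len = off;
    return n;
}

/* A NUL inside the payload matters only if it travels through a string copy. */
static int has_nul_before_ret(const uint8_t *code, size_t payload_len)
{
    for (size_t i = 0; i < payload_len; i++) if (code[i] == 0) return 1;
    return 0;
}

int main(void)
{
    /* The two words gdb showed at 0x5568398c in the question (constructed input). */
    const uint32_t dump[] = { 0x68e322a1, 0x0000c31c };
    uint8_t bytes[8]; insn_t ins[8]; size_t plen;
    size_t n = words_to_bytes(dump, 2, bytes);
    int count = decode_payload(bytes, n, ins, 8, &plen);
    printf("payload: %zu bytes, %d instructions, NUL inside: %s\n",
           plen, count, has_nul_before_ret(bytes, plen) ? "yes" : "no");
    for (int i = 0; i < count; i++)
        printf("  %-28s%s\n", ins[i].text,
               ins[i].touches_memory ? "<- dereferences an absolute address; faults if unmapped" : "");
    bytes[0] = 0xb8;                       /* what the assembler emits once the '$' is added */
    decode_payload(bytes, n, ins, 8, &plen);
    printf("with '$': %s\n", ins[0].text);
    return 0;
}
```

Run it and the first line decodes as `mov 0x1c68e322,%eax` followed by `ret`, six bytes in total, matching the asker's "6"; flipping the opcode to b8 turns it into `mov $0x1c68e322,%eax`, the immediate load that was intended. The decoder stops at the first opcode outside its table, so extend the table before pointing it at anything larger, or just use `x/Ni $pc` in gdb.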