I am on 32-bit Kali (Debian-based). I disabled ASLR, NX and stack canaries. This is not a consecutive ret2ret exploit, since I used the main return statement to jump to my buffer where the shellcode is located. Here is my code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* unbounded copy into a 512-byte stack buffer: the overflow under test */
void foo(char *args)
{
    char buffer[512];
    strcpy(buffer, args);
}

int main (int argc, char *argv[])
{
    if(argc > 1)
        foo(argv[1]);
    else
        printf("no input args\n");
    printf("no good\n");
    return 0;
}

/* never called by main; the target of the first test */
void exploit()
{
    printf("bravo !!!\n");
    exit(0);
}
My overflow on ebp actually happens at offset 520. It overwrites the least significant byte of ebp with 0x00.
My first test was to try to jump to exploit(), so I filled my buffer with 516 NOPs and with the address of exploit in the last 4 bytes. It worked, but here is my first question: when the ret statement is executed in main, we jump somewhere in our buffer where the NOPs are executed. Why is it that when I get to the address of exploit, it jumps automatically even though in my buffer I don't have the asm instruction for jump?
My second question is: when I instead want to execute a shellcode with the exit(0) instruction: python -c 'print "\x90"*514+"\x31\xdb\xb0\x01\xcd\x80"'
why do I get this instead and what is the meaning of the error:
Program received signal SIGSEGV, Segmentation fault.
_IO_new_file_write (f=0xb7ff59b0, data=0x0, n=-1209570250) at fileops.c:1286
1286 fileops.c: No such file or directory.
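The mechanics the post relies on (the terminating NUL of strcpy zeroing the low byte of the saved ebp, so that main's epilogue reads its return address from inside the overflowed buffer) can be replayed on a byte array without running anything unsafe. The model below is an added example, not the poster's program or a reproduction of the poster's machine: the frame layout follows the post (buffer at offset 0, saved ebp 520 bytes in), but BUF_ADDR, MAIN_EBP, FOO_RET and EXPLOIT_ADDR are assumed values chosen so the arithmetic is easy to follow, and main's epilogue is assumed to be a plain "leave; ret". For both payloads from the post it computes which four bytes ret actually pops; a 519-byte control shows that without the zeroed ebp byte the popped slot lies in main's own frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model, not the poster's program: a byte array stands in for foo's
   frame, laid out as the post describes it (buffer at offset 0, saved ebp
   at offset 520, then foo's return address). Every address below is an
   assumption picked so the arithmetic is easy to follow; main's epilogue
   is assumed to be a plain "leave; ret". */
#define FRAME_SIZE   528u
#define SAVED_EBP    520u          /* offset of the saved ebp, from the post */
#define BUF_ADDR     0xbfffef00u   /* assumed address of buffer in foo */
#define MAIN_EBP     0xbffff118u   /* assumed main ebp, i.e. what foo saved */
#define FOO_RET      0x080484a3u   /* assumed return address into main */
#define EXPLOIT_ADDR 0x08048484u   /* assumed address of exploit() */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Replay strcpy(buffer, payload) on the model frame, then compute what
   main's "leave; ret" pops as a return address once foo's "pop ebp" has
   restored the (possibly corrupted) saved ebp. *ebp_out (if non-NULL)
   receives that ebp. Returns -1 when the popped slot lies outside the
   model frame, i.e. ret reads from main's own frame as on a normal run. */
long long leave_ret_target(const uint8_t *payload, size_t len, uint32_t *ebp_out)
{
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0x41, sizeof frame);                 /* stale stack bytes */
    wr32(frame + SAVED_EBP, MAIN_EBP);
    wr32(frame + SAVED_EBP + 4, FOO_RET);

    if (len >= sizeof frame) len = sizeof frame - 1;   /* keep the model in bounds */
    memcpy(frame, payload, len);                       /* strcpy copies the bytes... */
    frame[len] = 0;                                    /* ...then the terminating NUL */

    uint32_t ebp = rd32(frame + SAVED_EBP);            /* foo epilogue: pop ebp */
    if (ebp_out) *ebp_out = ebp;
    uint32_t slot = ebp + 4;                           /* main: mov esp,ebp ; pop ebp ; ret pops [ebp+4] */
    if (slot < BUF_ADDR || slot + 4 > BUF_ADDR + sizeof frame)
        return -1;
    return rd32(frame + (slot - BUF_ADDR));
}

/* First test from the post: 516 NOPs then the address of exploit(). */
long long run_ret2func(uint32_t *ebp_out)
{
    uint8_t p[520];
    memset(p, 0x90, 516);
    wr32(p + 516, EXPLOIT_ADDR);
    return leave_ret_target(p, sizeof p, ebp_out);
}

/* Second test from the post: 514 NOPs then the 6-byte exit(0) shellcode. */
long long run_shellcode(uint32_t *ebp_out)
{
    static const uint8_t sc[] = { 0x31, 0xdb, 0xb0, 0x01, 0xcd, 0x80 };
    uint8_t p[520];
    memset(p, 0x90, 514);
    memcpy(p + 514, sc, sizeof sc);
    return leave_ret_target(p, sizeof p, ebp_out);
}

/* Control: one byte shorter, so the NUL lands in the padding and ebp survives. */
long long run_too_short(uint32_t *ebp_out)
{
    uint8_t p[519];
    memset(p, 0x90, sizeof p);
    return leave_ret_target(p, sizeof p, ebp_out);
}

int main(void)
{
    uint32_t ebp;
    long long t;
    t = run_ret2func(&ebp);  printf("ret2func : ebp=%08x ret pops %llx\n", ebp, t);
    t = run_shellcode(&ebp); printf("shellcode: ebp=%08x ret pops %llx\n", ebp, t);
    t = run_too_short(&ebp); printf("519 bytes: ebp=%08x ret pops %lld\n", ebp, t);
    return 0;
}
```

Under these assumed addresses the zeroed byte turns main's ebp into 0xbffff100, so ret pops payload bytes 516..519: the address of exploit in the first case, and the bytes b0 01 cd 80 of the shellcode (0x80cd01b0, read as a little-endian pointer) in the second. Whether the slot falls on the last four bytes, inside the NOP sled, or outside the buffer entirely depends on the real stack addresses, which is why the same payload can behave differently from one binary or environment to the next.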