
I need to produce a presentation on buffer overflows for a college class. I managed to create a simple buffer overflow where I inject the address of a specific function into the EIP and the function gets executed as expected.

Then I want to show the more interesting example where I inject shellcode that gets executed. That's when it stops working. I emulated the way people explained it on various websites, but it doesn't work.

Regardless of the shellcode I use (Shellcode), the issue is that the code I injected doesn't get executed. So the program jumps to the correct address, then stops without executing whatever is at the address.

EIP contains 0xbffff2e0 as expected, but the program just stalls and doesn't do anything.

So as you may see in the central section of the picture, named "code", the program accesses my nop sled at address 0xbffff2e0 (shellcode starts 4 bytes below), but nothing happens.

Then the error output says that it tried to access 0xbffff2e0 but couldn't find anything (see the bottom of the image: "0xbffff2e0 in ?? ()").

Do you have an idea of what's happening?

What am I missing?

Edit: I'm adding the code used in this exercise, as asked.

#include <stdio.h>
#include <string.h>

/* Target of the first demo: the overwritten return address is pointed here. */
void secret(){
        printf("This is a secret message : you are Awesome!\n");
}

void denied(){
        printf("You don't have the permission to see the secret.\n");
}

int main(int argc, char *argv[]){
        char buf[20];

        /* Deliberately unsafe: strcpy() has no length limit, so an argv[1]
           longer than the 20-byte buffer overwrites the saved frame pointer
           and return address above it. */
        strcpy(buf, argv[1]);
        printf("%s\n",buf);

        if(strcmp(buf, "myPassword") == 0){
                secret();
        }
        else{
                denied();
        }

        return 0;
}
Loïc N.
  • 111
  • 3

2 Answers

2

The stack is probably non-executable. Compile the vulnerable program like this to disable the protection:

gcc -z execstack -o program program.c
rhodeo
  • 524
  • 1
  • 6
  • 14
  • Thanks for your comment. I'm testing this solution, but I'm encountering new issues, where somehow the rightmost byte of the address I specified for my shellcode gets modified, pointing the EIP towards a different address. But when I try to put 'BBBB' as an address, I correctly get '42424242'. I don't know what's going on here. – Loïc N. Dec 09 '16 at 22:51
  • @LoïcN. I have the same issue, did you find a solution? BBBB shows up just fine; however, when putting an address to the nopsled there, it does not work. – n00b.exe Mar 23 '21 at 20:55
  • 1
    @n00b.exe Hi man. Sorry, I don't remember what happened as it was 4 years ago. I know that I did my presentation successfully, but I don't have it anymore as it was on my previous laptop, which died. I haven't worked on this topic anymore after that, so I can't help you, sorry. – Loïc N. Mar 24 '21 at 22:10
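The non-executable stack this answer refers to is recorded in the binary's PT_GNU_STACK program header; `gcc -z execstack` is what sets its execute bit. The script below is an added example, not code from the question or the answers: it parses the ELF program headers and reports that flag directly, so the state of the mitigation can be checked before a classroom demo instead of being inferred from a debugger that stops at the nop sled. It is equivalent to reading the GNU_STACK line of `readelf -lW program`. The `build_minimal_elf` helper fabricates just enough of an ELF file to exercise the parser and is a constructed stand-in for a real binary, not something that can be executed.

```python
"""Report whether an ELF binary asks the loader for an executable stack.

Added example for this thread (not from the question or answers).
Usage: python nxcheck.py ./program   (no argument: run on constructed samples)
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type carrying the stack permission request
PF_X, PF_W, PF_R = 1, 2, 4  # segment permission bits


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the binary has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:                      # ELF32 (the 32-bit layout of the question)
        e_phoff, = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
        phdr_fmt, flags_index = endian + "IIIIIIII", 6
    elif ei_class == 2:                    # ELF64
        e_phoff, = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        phdr_fmt, flags_index = endian + "IIQQQQQQ", 1
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_index]
    return None


def stack_is_executable(data: bytes):
    """True/False from PT_GNU_STACK; None when the binary makes no request at all
    (on x86 Linux the loader then falls back to an executable stack, so treat None as a finding)."""
    flags = gnu_stack_flags(data)
    return None if flags is None else bool(flags & PF_X)


def build_minimal_elf(bits: int, stack_flags: int, with_gnu_stack: bool = True) -> bytes:
    """Constructed sample input: an ELF header plus one PT_GNU_STACK entry.
    Enough for the parser, not a loadable program."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1, 0]) + bytes(8)
    phnum = 1 if with_gnu_stack else 0
    if bits == 32:
        ehsize, phentsize = 52, 32
        header = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, ehsize, 0, 0,
                                     ehsize, phentsize, phnum, 40, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    else:
        ehsize, phentsize = 64, 56
        header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehsize, 0, 0,
                                     ehsize, phentsize, phnum, 64, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + (phdr if with_gnu_stack else b"")


def report(data: bytes) -> str:
    x = stack_is_executable(data)
    if x is None:
        return "no PT_GNU_STACK header (loader default applies)"
    return "stack EXECUTABLE (-z execstack or equivalent)" if x else "stack non-executable (NX)"


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            print(report(f.read()))
    else:
        for bits in (32, 64):
            print(bits, "RW :", report(build_minimal_elf(bits, PF_R | PF_W)))
            print(bits, "RWX:", report(build_minimal_elf(bits, PF_R | PF_W | PF_X)))
```

Run it against the program compiled with and without `-z execstack` and the output should flip between NX and EXECUTABLE; if it does not, the flag did not reach the linker, which is worth ruling out before looking at the payload.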
1

Aside from the answers already given here, you might want to check on bad characters. Your shellcode might contain some which could lead to the problem you are encountering. It could also be the reason why your EIP overwrite is not working as intended, where one (or more) byte(s) in the address you are trying to inject is a bad character. For starters, 00, 0d, and 0a are almost always bad characters.

Link
  • 496
  • 4
  • 7
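To make the bad-character point of this answer (and the address-byte problem reported in the comments on the first answer) checkable, here is an added example that is not code from the thread. It scans a payload for the bytes listed here and reproduces what the question's `strcpy(buf, argv[1])` actually copies, namely everything up to the first 0x00, so a payload that looks complete in the debugger script can be seen to arrive short. The shellcode bytes are constructed placeholders rather than real shellcode; the 0xbffff2e0 address is the one from the question.

```python
"""Scan a payload for bytes the target's input path will not deliver intact.

Added example for this thread (not from the question or answers). The program in
the question copies argv[1] with strcpy(), so 0x00 ends the copy early; 0x0a and
0x0d are the other usual suspects named in the answer.
"""
import struct

DEFAULT_BAD = b"\x00\x0a\x0d"


def find_bad_chars(payload: bytes, bad: bytes = DEFAULT_BAD):
    """Return (offset, byte) for every payload byte that is in the bad set."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def strcpy_delivers(payload: bytes) -> bytes:
    """What strcpy() actually copies from argv[1]: everything before the first NUL."""
    nul = payload.find(b"\x00")
    return payload if nul < 0 else payload[:nul]


def address_bytes(addr: int) -> bytes:
    """Little-endian encoding of a 32-bit address, as it sits in the payload."""
    return struct.pack("<I", addr)


def check_payload(nop_sled: bytes, shellcode: bytes, ret_addr: int,
                  bad: bytes = DEFAULT_BAD) -> dict:
    """Summarise why a sled + shellcode + address payload might not arrive as written."""
    payload = nop_sled + shellcode + address_bytes(ret_addr)
    delivered = strcpy_delivers(payload)
    return {
        "bad_chars": find_bad_chars(payload, bad),
        "truncated": len(delivered) < len(payload),
        "delivered_len": len(delivered),
        "addr_ok": not find_bad_chars(address_bytes(ret_addr), bad),
    }


if __name__ == "__main__":
    # Constructed placeholder "shellcode" with an embedded NUL, not real shellcode.
    fake_shellcode = b"\xaa\x00\xbb"
    print(check_payload(b"\x90" * 8, fake_shellcode, 0xBFFFF2E0))
    # The 'BBBB' test from the comments contains no bad characters, which is why it arrives intact.
    print("BBBB:", find_bad_chars(b"BBBB"))
```

The `bad_chars` list gives the offset of each offending byte, so it is immediately clear whether the problem is inside the shellcode or in the address itself; `addr_ok` answers the comment thread's question for the address in isolation.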