I have made a little toy program, compiled with ALSR disabled, that I want to exploit using stack-based buffer overflow:
// gcc stackexec0x1.c -Wl,-z,execstack -no-pie -fno-stack-protector -o stackexec0x1
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#define SBUFSZ 0x100
#define LBUFSZ 0x800
int main(int argc, char* argv[]) {
char buf[SBUFSZ];
printf("# ");
fgets(buf, LBUFSZ, stdin); // exploit this!
printf("%s", buf);
return 0;
}
I can easily overwrite the return address, saved on the stack, with a custom one. However, between consecutive runs of the program, the rsp register (just before ret) differs:
0x7ffdc114dc88
0x7ffeb97d5668
0x7ffd48027798
0x7ffdbf2e9ea8
0x7ffe036a5d78
0x7fff40595998
Computing the differences between the aboversp register values, one can see they are big. It would not be feasible put a NOP-sledge that covers most of them on the stack?
How can I conveniently choose a return address into the NOP-sledge + payload on the stack, so that it's executed (with high probability), when the function returns?
checksec:
checksec stackexec0x1
[*] '/home/nlykkei/exploit-dev/stackexec0x1/stackexec0x1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
