I am trying to follow along with a tutorial about buffer overflow (Buffer Overflow Primer by Vivek Ramachandran). I am literally following his code, which works for him in the demo, and which has worked for me until this point.
The goal of the C program below is to assign shellcode for the exit system call to a variable, and then to replace the default return address for the main function, which points to __libc_start_main, with the memory address of the shellcode variable, such that the program executes the shellcode upon completing the main function, and then exits the program gracefully, with a value of 20 (as in executing "exit(20)"). Unfortunately, the program ends with a segmentation fault instead. I am running this on 32-bit Linux Mint. I'm using gcc to compile the code, and have compiled it with the -ggdb and -mpreferred-stack-boundary=2 options, and I've tried both with and without the -fno-stack-protector option.
Here is the code:
#include <stdio.h>

/* exit system call, 32-bit Linux:
   mov ebx, 0x16 ; mov eax, 1 ; int 0x80 */
char shellcode[] = "\xbb\x16\x00\x00\x00"
                   "\xb8\x01\x00\x00\x00"
                   "\xcd\x80";

int main(){
    int *ret;
    ret = (int *)&ret + 2;      /* assumed location of main's saved return address */
    (*ret) = (int)shellcode;    /* overwrite it with the address of the shellcode */
}
- It starts by defining a variable called shellcode which holds the shellcode.
- The main function is called and defines the ret variable, which is loaded into the top of the stack.
- The memory location of the ret variable, plus 2 integer spaces, which represents the memory location that is 8 bytes down the stack (the address of the return pointer), is assigned as the value of the ret variable.
- The memory address of the shellcode variable is written to the memory address represented by the value of the ret variable - ie.- the return address.
- When the function reaches the return instruction, it executes the shellcode, which is the exit function.
I have run this through gdb, and everything seems to check out: the memory location of the shellcode variable is 0x804a01c.
Thanks in advance!
`ret` without a valid address is undefined behavior (UB). UB means that anything can happen. Whatever `ret` points to is unknown. - Kami Kaze