For an assignment I am doing, I must inject shellcode to execute execve(/bin/bash) into the following C program:
    #include <stdio.h>
    #include <string.h>

    void return_input(void)
    {
        char array[30];
        gets(array);     /* unbounded read: the intended overflow target */
        printf(array);   /* user input used as the format string */
    }

    int main(void)
    {
        return_input();
        return 0;
    }
I disassembled return_input and found that the buffer is 38 bytes large. I found a shellcode to execute execve(/bin/sh) at http://shell-storm.org/shellcode/files/shellcode-827.php and replaced \x2f\x2f\x73\x68, which is for sh, with \x2f\x62\x61\x73, which is for bash. I turned off ASLR, and compiled final1.c with gcc with the options -m32, -zexecstack, and -fno-stack-protector. The following was a test payload to see if I could overwrite the return address:
19 NOPs followed by my 23-byte shellcode and four a's, making the payload 46 bytes.
When I run final1 with /tmp/input in gdb, I can see that I can overwrite the return address.
The highlighted addresses are the overflowed buffer. I can tell I've overwritten the return address because of the four 61's in the segmentation fault error.
This is where I've run into difficulties. Instead of having four a's overwrite the return address, I used an address somewhere in the middle of the NOP sled in my payload: I chose the address 0xbffff1ea. However, instead of opening bash, I see this when I run final1 with the payload:
The number in the segmentation fault isn't the last four bytes of the payload as in the first run, so I assume that means it jumped. I also noticed that the number that is shown, 0xbffff105, is the address of one of the bytes in the shellcode, which I've highlighted in yellow.
I've hit a wall at this point. Does anyone know why I am having these troubles? Also, if my understanding of what I'm doing seems to be off, I encourage you to correct me.
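For contrast with the deliberately vulnerable `return_input()` in the question, here is an added example (not part of the original post or the assignment) of what the hardened version of that function looks like: a bounded `fgets()` read in place of `gets()`, the over-long-line case reported rather than written past the buffer, and the input printed through a fixed `"%s"` format rather than used as the format string. The `read_constructed()` helper and the `LINE_CAP`/`READ_*` names are assumptions of this example; the constructed inputs it feeds through a temporary file stand in for the assignment's `/tmp/input`.

```c
/* Added example: hardened counterpart of the question's return_input().
 * Not the original program; helper names are this example's own. */
#include <stdio.h>
#include <string.h>

#define LINE_CAP 30   /* same buffer size as the original char array[30] */

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/* Bounded replacement for gets(): reads at most cap-1 bytes, strips the
 * newline, and drains (and reports) any remainder of an over-long line
 * instead of letting it spill onto the saved return address. */
enum read_status read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    /* No newline in the buffer: either the line ended exactly at the
     * limit or it was longer. Consume the rest of the line to find out. */
    int c, drained = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        drained = 1;
    return drained ? READ_TRUNCATED : READ_OK;
}

/* Hardened return_input(): bounded read plus a fixed format string, so
 * input such as "%x%x%x" is printed literally rather than interpreted. */
void return_input_hardened(FILE *in)
{
    char array[LINE_CAP];
    enum read_status st = read_line_bounded(array, sizeof array, in);
    if (st == READ_TRUNCATED)
        fputs("input too long, truncated\n", stderr);
    printf("%s\n", array);
}

/* Test helper (example-only): feed a constructed string through a FILE*
 * and read it with the bounded reader; result lands in g_line. */
static char g_line[LINE_CAP];

enum read_status read_constructed(const char *input)
{
    FILE *f = tmpfile();          /* standard C, no fixed path needed */
    if (f == NULL)
        return READ_EOF;
    fputs(input, f);
    rewind(f);
    enum read_status st = read_line_bounded(g_line, sizeof g_line, f);
    fclose(f);
    return st;
}

int main(void)
{
    /* Compile with -fstack-protector-strong and without -z execstack for
     * the usual mitigations on top of the source-level fix. */
    return_input_hardened(stdin);
    return 0;
}
```

A 46-byte line like the payload in the question now yields 29 bytes in `array` plus a `READ_TRUNCATED` status, and nothing reaches the saved return address; with `gets()` the same line writes all 46 bytes.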
bash and sh are two different shells. Basically bash is sh, with more features and better syntax. Most commands work the same, but they are different.
Having said that, you should realize /bin/sh on most systems will be a symbolic link and will not invoke sh. In Ubuntu, /bin/sh used to link to bash, typical behavior on Linux distributions, but it has now changed to linking to another shell called dash.
So, in short, I think you don't need to change the hexadecimal part of the execve function.