Hi, the thing is I'm trying to write an exploit for the typical vulnerable program on Linux, but I can't manage to overwrite the EIP... let's see if you can help me:
The vulnerable code is:
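#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    char buff[12];
    /* Unbounded copy of argv[1] into the 12-byte buffer. The copy line is
       missing from the post as shown; strcpy is assumed from the <string.h>
       include and from the output below. */
    strcpy(buff, argv[1]);
    printf("\nHas escrito: %s\n", buff);
    return 0;
}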
I compile and test:
zhynar@zhynar:~/Desktop$ gcc bug2.c -o bug2 -ggdb
zhynar@zhynar:~/Desktop$ ./bug2 hola <------- I check that it works
Has escrito: hola
zhynar@zhynar:~/Desktop$ ./bug2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <-------- More than 12 'A's
Has escrito: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Violación de segmento <---------- The overflow occurs
zhynar@zhynar:~/Desktop$
Now I open it with gdb:
zhynar@zhynar:~/Desktop$ gdb bug2
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <---- Lots of 'A's...
Starting program: /home/zhynar/Desktop/bug2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Failed to read a valid object file image from memory.
Has escrito: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault. <------ The overflow occurs
0x080483dc in main (argc=Cannot access memory at address 0x41414141
) at bug2.c:12
12 }
(gdb) info registers
eax 0x0 0
ecx 0x41414141 1094795585
edx 0xb7fbe448 -1208228792
ebx 0xb7fbcff4 -1208233996
esp 0x4141413d 0x4141413d <---- Overwritten
ebp 0x41414141 0x41414141 <---- Overwritten
esi 0x0 0
edi 0xb7fe6cc0 -1208062784
eip 0x80483dc 0x80483dc <main+72> <----- But I can't manage to overwrite the EIP
eflags 0x210282 [ SF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
Let's see if you can help me...
Regards
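For comparison with the vulnerable program in the post, a bounded version is sketched here as an added example; it is not part of the original post. The helper name `copy_checked` and the `BUFF_SIZE` macro are hypothetical; only the 12-byte buffer and the output string come from the post.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 12  /* same size as buff in the post */

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if src is NULL or does not fit
 * (dst is then left as an empty string). */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Measure src without ever reading more than dst_size bytes of it */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)        /* no room left for the terminator */
        return -1;
    memcpy(dst, src, len + 1);  /* len + 1 <= dst_size is guaranteed here */
    return 0;
}

int main(int argc, char **argv)
{
    char buff[BUFF_SIZE];

    /* The program in the post also dereferences argv[1] without checking argc */
    if (argc != 2) {
        fprintf(stderr, "usage: bug2 <text>\n");
        return 2;
    }
    if (copy_checked(buff, sizeof buff, argv[1]) != 0) {
        fprintf(stderr, "input longer than %d bytes, rejected\n", BUFF_SIZE - 1);
        return 1;
    }
    printf("\nHas escrito: %s\n", buff);
    return 0;
}
```

Building with gcc's `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2 -O2` additionally makes the unbounded `strcpy` variant abort at run time instead of corrupting the saved registers.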