I hid some shellcode in an environment variable and am in the process of trying to overflow the program.
./notesearch $(python -c 'print "\x01\x01\x01\x01\x01\x01\x01\x01" * 15 + "\x9e\xe7\xff\xff\xff\x7f"')
The thing is that the overflow works fine when it is run in GDB, as it pops my shell. Outside of GDB, however, things do not work so smoothly. I disabled ASLR, which initially caused problems until I finally resolved them, and now I use the getenv() function to get the exact variable with which I overflow the program. I am sure that I completely fill up to the saved frame, because when I delete the last 6 bytes from the string that I overflow the program with, it does not produce any errors,
./notesearch $(python -c 'print "\x01\x01\x95\xe6\xff\xff\xff\x7f" * 15')
however, when I add one byte to the string after this, it means that I am hitting the saved frame pointer with this last byte, as confirmed by GDB.
./notesearch $(python -c 'print "\x01\x01\x95\xe6\xff\xff\xff\x7f" * 15 + "\x9e"')
In any case, I also compiled with gcc notesearch.c -o notesearch -ggdb -fno-stack-protector -z execstack, and as I said, it works in GDB anyway, so I assume it is some further kernel protection. Any ideas?