Problem with return 2 libc method
- by jth
Hi,
I'am trying to understand the return2libc method.
I'am using an ubuntu linux 9.10, 32 bit with ASLR disabled. In theory, it sounds quite easy, overwrite the saved eip with the address of system() (or whatever function you want), then put the address to which system() should return and after that, the parameter for system, the "/bin/bash"-string.
But what happens is that my exploit keeps segfaulting the vulnerable program. I assume something with the system()-address went wrong. This is what I did so far:
Determined the address of system():
(gdb) print system
$1 = {<text variable, no debug info>} 0x167020 <system>
(gdb) x/x system
0x167020 <system>: 0x890cec83
I used the subsequent x/x system because those 3 bytes returned by print system looks like an index in some sort of jumptable (PLT?), so I assume 0x890cec83 is the right address which is used to overwrite the saved eip.
After that I determined the address of the /bin/bash string in memory, using a small C program which basically consists of this line:
printf("Address of string /bin/bash: %p\n", getenv("SHELL"));
Then I looked a little bit around in the memory and fount /bin/bash:
(gdb) x/s 0xbffff6ca
0xbffff6ca: "/bin/bash"
After I gathered this information, I filled the buffer:
(gdb) b 9
Breakpoint 1 at 0x8048407: file victim.c, line 9.
(gdb) r `perl -e 'print "A"x9 . "\x83\xec\x0c\x89FAKE\xca\f6\ff\bf";'`
Breakpoint 1, main (argc=1111638594, argv=0xc360cca) at victim.c:10
10 return 0;
(gdb) x/s 0xbffff6ca
0xbffff6ca: "/bin/bash"
Stack frame looks like this:
(gdb) i f
Stack level 0, frame at 0xbffff440:
eip = 0x8048407 in main (victim.c:10); saved eip 0x890cec83
source language c.
Arglist at 0xbffff438, args: argc=1111638594, argv=0xc360cca
Locals at 0xbffff438, Previous frame's sp is 0xbffff440
Saved registers:
ebp at 0xbffff438, eip at 0xbffff43c
This seems all right to me, saved eip was overwritten with the (hopefully) correct system()-address, return address for system was set to "FAKE" (shouldn't matter) and the address of /bin/bash also seems to be correct.
When I'am continuing the execution, victim segfaults on some strange address and certainly not in 0x890cec83:
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x0804840d in main (argc=Cannot access memory at address 0x41414149
) at victim.c:11
11 }
Has anyone an explanation or a hint what happens here and why the execution isn't redirected to 0x890cec83?
Thanks in advance, any hint, and be it only vague, would be appreciated. I have no idea why this doesn't work.
