<p>The problem in your program is that the pointer you suppose points to the <code>/bin/sh</code> string is actually not pointing to <code>/bin/sh</code>.</p>

<p>You get this address using <code>gdb</code>. But even without stack randomization, the stack address of your shell variable is different when the program is run under <code>gdb</code> than without <code>gdb</code>. <code>gdb</code> is putting some debug information into the stack and this will shift your shell variables.</p>

<p>To convince yourself, here is a quick and dirty program to find a <code>/bin/sh</code> string in the stack:</p>

<pre><code>#include &lt;stdio.h&gt;
#include &lt;string.h&gt;

int main(void)
{
    char s[] = "/bin/sh";

    /* start scanning just below the top of the (non-randomized, 32-bit) stack */
    char *p = (char *) 0xbffff000;

    /* walk upward one byte at a time until the bytes at p equal "/bin/sh\0";
       quick and dirty: there is no upper bound, so it crashes if nothing matches */
    while (memcmp(++p, s, sizeof s))
        ;

    printf("%s\n", p);           /* the string that was found */
    printf("%p\n", (void *) p);  /* and its address on the stack */
}
</code></pre>

<p>First double check that stack randomization is disabled:</p>

<blockquote>
<pre><code>ouah@maou:~$ sysctl kernel.randomize_va_space
kernel.randomize_va_space = 0
ouah@maou:~$
</code></pre>
</blockquote>

<p>Ok, no stack randomization.</p>

<p>Let's compile the program and run it outside <code>gdb</code>:</p>

<blockquote>
<pre><code>ouah@maou:~$ gcc -std=c99 tst.c
ouah@maou:~$ ./a.out
/bin/sh
0xbffff724
ouah@maou:~$
</code></pre>
</blockquote>

<p>Now let's run it under <code>gdb</code>:</p>

<blockquote>
<pre><code>ouah@maou:~$ ./a.out
/bin/sh
0xbffff724
ouah@maou:~$ gdb a.out -q
Reading symbols from /home/ouah/a.out...(no debugging symbols found)...done.
(gdb) r
Starting program: /home/ouah/a.out
/bin/sh
0xbffff6e4

Program exited normally.
(gdb) quit
ouah@maou:~$
</code></pre>
</blockquote>

<p>As you can see, the address of the <code>/bin/sh</code> string is different when the program is run inside or outside <code>gdb</code>.</p>

<p>Now what you can do is use a variant of this program to find the true address of your string or, as a more elegant approach, get the address of a <code>/bin/sh</code> string directly from the libc (as you can guess, there are a few occurrences).</p>