App - System - ELF ARM - Stack buffer overflow - basic (shellcode not working !!!)
Hey everybody,
I ran into a problem: I found a shellcode on exploit-db, but it’s not working and I don’t know why. I tested the shellcode with a test program in C, and it works well…
Here are some details in gdb:
When I entered the shellcode:
=> 0xbefffa68 : add r3, pc, #1
0xbefffa6c : bx r3
After execution of “bx r3”, it entered THUMB mode:
=> 0xbefffa70 : mov r0, pc
0xbefffa72 : adds r0, #8
0xbefffa74 : subs r1, r1, r1
0xbefffa76 : subs r2, r2, r2
0xbefffa78 : movs r7, #11
0xbefffa7a : svc 1
0xbefffa7c : str r7, [r5, #32] ; here is string “/bin/sh”
0xbefffa7e : ldr r1, [r5, #100] ; 0x64
0xbefffa80 : strb r7, [r5, #12]
0xbefffa82 : subs r3, #104 ; 0x68
0xbefffa84 : movs r3, #35 ; 0x23
And then stepi, before executing “svc 1”:
r0 0xbefffa7c 0xbefffa7c ; address of string “/bin/sh”
r1 0x0 0x0
r2 0x0 0x0
r3 0xbefffa71 0xbefffa71
r4 0x41414141 0x41414141
r5 0x41414141 0x41414141
r6 0x41414141 0x41414141
r7 0xb 0xb
r8 0x41414141 0x41414141
r9 0x41414141 0x41414141
r10 0x41414141 0x41414141
r11 0x41414141 0x41414141
r12 0x20fe4 0x20fe4
sp 0xbefffb10 0xbefffb10
lr 0x104dc 0x104dc
pc 0xbefffa7a 0xbefffa7a
cpsr 0x200f0030 0x200f0030
After the execution, it returns -1:
r0 0xfffffffe 0xfffffffe
r1 0x0 0x0
r2 0x0 0x0
r3 0xbefffa71 0xbefffa71
r4 0x41414141 0x41414141
r5 0x41414141 0x41414141
r6 0x41414141 0x41414141
r7 0xb 0xb
r8 0x41414141 0x41414141
r9 0x41414141 0x41414141
r10 0x41414141 0x41414141
r11 0x41414141 0x41414141
r12 0x20fe4 0x20fe4
sp 0xbefffb10 0xbefffb10
lr 0x104dc 0x104dc
pc 0xbefffa7c 0xbefffa7c
cpsr 0x200f0030 0x200f0030
Then segmentation fault: it interprets the string “/bin/sh” as an instruction, then bombs…
It’s not working in gdb; one of my questions is why it’s not working.
I tried this shellcode directly on the target, and it also gives me a segmentation fault. I have no idea what’s going on… can someone help me?
Thank you!
Did you try exploiting the remote service on port 61045 instead of the local binary?