modify the return address to shellcode

[hadi]

i have tow C program. one is shellcode and the other vulnerable program.

i want to change the return address with out buffering the vulnerable program.

like for example:-

__asm__("movl $shellcode, 4(%ebp)");

but this method doesn't work for me, i have tried running the vulnerable program in linux with gdb and redirect shellcode to it (gdb) run vuln < shellcode but eip or ebp never change. can someone look at my shellcode program and see where's the error is.

shellcode program

Code: Select all

#include <stdio.h>
#include <stdlib.h>

void shellcode() {
__asm__(".byte 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90"); /* you may put your shellcode here */
printf("hey guyz!\n");
exit(0);
}

void bang(int val) {

__asm__("movl $shellcode, 4(%ebp)");

}

int main() {
bang(0);
}

vulnerable program

Code: Select all

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int bof(char *string) {

char buffer[1024];

strcpy(buffer, string);

return 1;
}

int main(int argc, char *argv[]) {

bof(argv[1]);
printf("Done..\n");

return 1;
}

[Brynet-Inc]

You asked this once before and the topic was locked.

[hadi]

Hi Brynet-Inc,

i asked with different method and different code. theses new.
if you have answer please share with me.

[martinFTW]

BTW I exploited sortie's dummy program and it really wasn't that hard.

[sortie]

This is not the forum for you.

Your endeavours doesn't seem linked to hobbyist operating systems development (osdev). I recommend you find another forum.

Additionally, you don't speak English well. Your post makes no sense. Improve your English. Follow your guide, I assume you have one.

I believe your problem is that you don't understand what the ELF file format is, you are piping a ELF program into the vulnerable program. This isn't how things work. You completely didn't understand your guide.

I'm happy to discuss these security matters intelligently. I don't want to answer your impossible-to-answer questions.

As last time, locked.