Exploiting buffer overflow leads to segfault
Your memory address 0xbffff880 is most likely non-executable, but only read/write. There are a couple of ways you can overcome this.
- If that is a stack address you can use
-z execstackwhile compiling. This will essentially make the entire stack memory executable. - For a more robust solution you can write the shellcode to call mprotect on the address you are writing to.
For example, the following line will mark address 0xbffff880 as read/write/executable.
mprotect((void*) 0xbffff880, buffer_len, PROT_READ | PROT_WRITE | PROT_EXEC);
-fno-stack-protector does not mean that the stack will be executable. It only disables other security features such as canaries or stack cookies. If these values are overwritten (with a buffer overflow) when they are checked the program will fail. This would not enable the execution of your buffer.
As RoraZ said, your stack is not executable. To expand on that, buffer overflow exploit like that will not work on a modern linux box unless the binary is compiled to allow such shenanigans. You will need to disable a number of security features; RELRO, STACK CANARY, NX, PIE.
There is a nice bash script called checksec.sh (http://www.trapkit.de/tools/checksec.html) that can help you check the binary, for example:
The way I compile a binary for x86 buffer overflow test:
gcc -m32 -g -mpreferred-stack-boundary=2 -no-pie -fno-stack-protector -Wl,-z,norelro -z execstack ./program.c
- -no-pie: disable PIE (position independent executable)
- -z execstack: to disable NX (making stack executable)
- -Wl,-z,norelro: disable RELRO (readonly relocations)
- -fno-stack-protector: remove stack protection (stack overflow security checks)
And for convenience:
-g: add debugging
-mpreferred-stack-bounary=2: align stack on 4-byte boundary