
buffer overflow vulnerabilities

Name: Anonymous 2009-02-18 20:46

#include <stdio.h>   /* declares gets() under C89/C99; gets() was removed from the C11 standard */

/* Deliberately unsafe: gets() has no way to know how large s is, so it
   writes past the end of the buffer on any input longer than 99 bytes. */
void f ( char * s ) {
    gets ( s );
}

int main () {
    char input [100];   /* 100 bytes total, including the terminating NUL */
    f ( input );
    return 0;
}

The input here isn't checked. If you enter more than 100 characters as input to this program, you can overwrite certain offsets of the stack. I'm told that you can overwrite it in such a way that the return address of gets() is overwritten to point to the beginning of input[], and you can craft the first 100 chars of input to be machine code, so then once gets() returns it executes your machine code.

The concept is pretty simple to understand, but I'm having some trouble grasping how exactly I would do that. Could a more knowledgeable person than myself help me understand how to do that?

For example, how would I craft the input to this program so that it prints "123"? Do I have to be familiar with x86 asm to be able to do this? (100 chars might not be enough, I don't know).

Thanks in advance for any help.
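The fix for the program above is to give the reader the buffer size and to decide what happens when a line does not fit. The following is an added example written for this thread, not code from either poster: a bounded line reader that never writes past the buffer, reports truncation instead of silently accepting it, and drains the rest of an over-long line so it is not mistaken for the next input (the part fgets() alone leaves to the caller). The byte-source callback, the mem_source type and the LINE_* result codes are this example's own assumptions so the same reader can be tested on a constructed in-memory string.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Result codes for bounded_read_line() (names chosen for this example). */
enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* A byte source: returns the next byte (0..255) or EOF. Abstracted so the
   same reader works on stdin and on an in-memory string for testing. */
typedef int (*byte_source_fn)(void *ctx);

/* Read one line into dst (capacity cap, including the NUL) and never write
   past it. If the line does not fit, the stored part is truncated, the rest
   of the line is consumed and discarded, and LINE_TRUNCATED is returned. */
int bounded_read_line(char *dst, size_t cap, byte_source_fn next, void *ctx) {
    size_t n = 0;
    int c;

    if (cap == 0)
        return LINE_TRUNCATED;          /* no room even for the terminator */

    while ((c = next(ctx)) != EOF && c != '\n') {
        if (n + 1 < cap) {              /* keep one byte for the NUL */
            dst[n++] = (char)c;
        } else {
            /* buffer full: terminate what we have, then drop the rest of
               this line rather than overrunning the caller's buffer */
            dst[n] = '\0';
            while ((c = next(ctx)) != EOF && c != '\n') { }
            return LINE_TRUNCATED;
        }
    }
    dst[n] = '\0';
    if (c == EOF && n == 0)
        return LINE_EOF;                /* nothing left to read */
    return LINE_OK;
}

/* Constructed in-memory byte source, used for offline testing. */
typedef struct { const char *data; size_t pos; } mem_source;

int mem_next(void *ctx) {
    mem_source *m = ctx;
    unsigned char ch = (unsigned char)m->data[m->pos];
    if (ch == '\0')
        return EOF;
    m->pos++;
    return ch;
}

/* Byte source backed by stdin, for the interactive program. */
int stdin_next(void *ctx) {
    (void)ctx;
    return getchar();
}

/* Same shape as the original program, with the unbounded gets() replaced. */
int main(void) {
    char input[100];
    int r = bounded_read_line(input, sizeof input, stdin_next, NULL);

    if (r == LINE_TRUNCATED)
        fprintf(stderr, "input too long, kept only %zu bytes\n", sizeof input - 1);
    if (r != LINE_EOF)
        printf("got: %s\n", input);
    return 0;
}
```

Reporting truncation matters as much as bounding the write: a reader that silently cuts a line still has to decide whether the leftover bytes belong to the next record, and returning a distinct code lets the caller reject the input instead of guessing. Modern compilers also warn on any use of gets(), and building with -fstack-protector-strong and -D_FORTIFY_SOURCE=2 adds detection for the overrun the original code allows, but neither replaces bounding the read in the first place.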

Name: Anonymous 2009-02-18 21:29

>>6
It's not that hard either:

all he has to do is overwrite the return address while overflowing that buffer. Providing he can predict his location on the stack and return to the stack, then he can just have some code which calls printf with a "123" string. Things required to do this usually include:

0) Good knowledge of target CPU
1) Understanding stack frames
2) Understanding the specific stack frame of the function you're exploiting
3) Understanding how to bypass various system and anti-overflow protections, such as security cookies on some safe MSVC built software, No Execute/DEP, Vista's heap/stack/process address space randomization, *nix-specific heuristic based shellcode detection tools (for attempting to catch unknown exploits). Only needed when you know they are in use. Bypassing some can be quite complex, but almost always possible. For example, bypassing NX flag on the stack is possible by returning into known library code, which in turn returns to run your code; sometimes this will have to be written on a per-target basis if you want to be able to defeat the other security feats too.
4) Learn to write shellcode; this means knowing your asm, and being able to do various trickery with it, such as self-modifying/self-decrypting/self-contained/base-independent code. There are some newbie friendly shellcode generators out there for the lazy.

This is nothing hard in itself, but do you really need to do this?
