
stack buffer overflow

Name: Anonymous 2012-07-26 13:33

I come to you for help with this assignment I have: smashing the stack. Implement a buffer overflow attack on the program, isThisGood.c, by exploiting the input, see gets(). If the exploit is successful, it should invoke the function oopsIGotToTheBadFunction!

a. What is the address of the function oopsIGotToTheBadFunction()?
How did you determine this?

b. What is the address on the stack that your input must overwrite
(address and content please)? How did you locate this address?

c. What is the address of buf?

d. What is the minimum length of your input, i.e. the length you need to alter
the return address stored on the stack?

e. What is your input? Show it in hex characters since some of the
input is not likely to be printable.

#include <stdio.h>
#include <stdlib.h>

/* Target of the exercise: only reached if the saved return address is overwritten. */
int oopsIGotToTheBadFunction(void)
{
    printf("Gotcha!\n");
    exit(0);
}

/* gets() has no length bound, so input longer than buf spills onto the stack frame. */
int goodFunctionUserInput(void)
{
    char buf[12];
    gets(buf);
    return(1);
}

int main(void)
{
    goodFunctionUserInput();
    printf("Overflow failed\n");
    return(1);
}
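
As an added example that is not part of the original thread or the assignment's code: the same goodFunctionUserInput() with its read bounded by fgets(), plus a check that reports when a line was cut off rather than silently clipping it. The goodFunctionUserInputSafe and check_input names are assumptions made here, and the input strings are constructed for the self-test.

```c
/* Added example, not the assignment's code: goodFunctionUserInput() with a bounded read.
 * gets() cannot know the size of buf, so 12+ bytes run over the saved ebp and return address. */
#define _POSIX_C_SOURCE 200809L   /* fmemopen() for the in-memory self-test */
#include <stdio.h>
#include <string.h>

enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };
/* Read one line into buf[cap] (cap >= 2), dropping the newline. A line that does
 * not fit yields READ_TRUNCATED; its leftover bytes are consumed so the next read
 * starts on a fresh line instead of on the tail of this one. */
enum read_status read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    int c = fgetc(in), extra = 0;    /* no newline in buf: at EOF, or line too long */
    for (; c != '\n' && c != EOF; c = fgetc(in))
        extra = 1;                   /* discard the bytes that did not fit */
    return extra ? READ_TRUNCATED : READ_OK;
}

/* Hardened counterpart of goodFunctionUserInput(): same 12-byte buffer, but the
 * input can no longer reach past it. Returns 1 if accepted, 0 if rejected. */
int goodFunctionUserInputSafe(FILE *in)
{
    char buf[12];
    return read_line_bounded(in, buf, sizeof buf) == READ_OK;
}

/* Hypothetical helper: run the hardened function over constructed input text. */
int check_input(const char *text)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    int accepted = in ? goodFunctionUserInputSafe(in) : -1;
    if (in) fclose(in);
    return accepted;
}

int main(void)
{
    printf("short line accepted: %d\n", check_input("hello\n"));
    printf("27 A's rejected: %d\n", check_input("AAAAAAAAAAAAAAAAAAAAAAAAAAA\n"));
    return 0;
}
```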

Name: SFBE 2012-07-26 13:46

buffer overflow my butt hole!

Name: Anonymous 2012-07-26 14:15

Do your own homework

Name: Anonymous 2012-07-26 14:33

If you can't do this yourself you will never be anything more than a shit-tier programmer.

Name: Anonymous 2012-07-26 15:20

>>4

Name: Anonymous 2012-07-26 15:54

What if he is setting his goal to be a lol-tier programmer? Don't crush his dreams!

Name: Anonymous 2012-07-26 17:42

test

Name: Anonymous 2012-07-26 21:41

Sorry I'm not very good at programming; this is my first time doing any sort of thing like this. All I'm asking for is a little bit of guidance... anyways:

I have used objdump -D to figure out the address I am supposed to be jumping to is 0x08048444. I just am not sure how to figure out the address of the char var 'buf'. When I try to do anything in gdb it shows up "symbol table not found" or when I try to do x/4w $esp, or the like, it comes up saying "No Registers". I have figured out though that it takes 15 characters to throw a segmentation fault.

I am trying to do my own homework, but I need guidance. I'm taking an online class and the teacher went over a few things and then threw this homework at us while never even explaining what gdb was. I've had to look at many tutorials on youtube and even then it's really hard to figure this out.

Name: Anonymous 2012-07-26 22:21

There is a call in the assembly dump that says (at address 0x080484ba) "call 8048462 <goodFunctionUserInput>" which I'm assuming is the address that I need to replace so that it will run the "oopsIGotToTheBadFunction"; is this correct? Link to assembly dump: http://pastebin.com/L1N7DkUs

I'm still confused on how to figure out what address "buf" is at using the assembly dump. I was also wrong: it takes 16 characters to throw a segmentation fault.

Please, any help is appreciated.

Name: Anonymous 2012-07-26 22:38

sigh... simple steps, where is the memory addressed by the symbol buf allocated?

Name: Anonymous 2012-07-26 23:18

I'm not sure, would I be able to tell from the assembly dump I provided?

Name: Anonymous 2012-07-26 23:30

>>1,8,9

You have to load the buf buffer with the address of the oopsIGotToTheBadFunction function.

buf is a local variable inside the good function (I'm tired of writing those stupid names). Therefore, it exists inside a stack frame. Somewhere after the local variables on the stack frame, there is a return address for that function. Memory is laid out sequentially.

Now, if only you could find a way to scribble over the return address of the good function and replace it with a call to the bad function, instead of having it jump back in place inside main()...

Since you probably don't understand what those terms mean intuitively, you need to go do some learning on your own. I'm not going to write code for you, nor am I going to answer your questions for you.

Your first step begins with learning to use a debugger. Ollydbg on Windows is fine. I've only used gdb on Linux, but it'll work for small things (I wouldn't want to try reversing with gdb), including this assignment. For example, trying to view the stack pointer when there's no program running or paused at a breakpoint will cause it to show up as empty.

Your next step is to learn about the stack. Try Wikipedia (http://en.wikipedia.org/wiki/Call_stack#Structure).

Finally, gcc (and presumably other compilers, though I don't have anything else to verify this with) has some nice things built in to make stack smashing more difficult for you. You'll need to disable those when they become a problem. A quick Google search will suffice.

The classic paper on this topic is http://insecure.org/stf/smashstack.html

This has nice pictures: http://en.wikipedia.org/wiki/Stack_buffer_overflow

Deep understanding of this stuff requires knowledge of x86 ASM (assuming you're on that platform) and how it interacts with high(er)-level languages, namely, C. Any class that attempts to make you an expert in that in a semester with some shitty assignments like this one is stupid. Focus on getting the exploit to work (and yes, I was able to get it to work).

Merry Christmas

Name: typo 2012-07-26 23:33

>>12

The first sentence should be,

"Load the space somewhere after buf with the address of the oopsIGotToTheBadFunction function."

Name: Anonymous 2012-07-26 23:49

To be honest I understand what you are saying. I know what I have to do, it's just how to find the information in the dump and using gdb is what I'm having trouble with. I am taking a software security class online and my instructor gave us some information on memory allocations and then dumped this assignment on us and made it due in a relatively short time. He had never once explained anything about how to read the dump or use gdb so that is why I am having trouble. I need to finish this assignment because I am hoping to graduate next Saturday and this is the last class I am taking haha.

I realized I was goofing whenever it says "no registers" because I was trying to view the registers before I even ran the program to fill the buf.

Name: Anonymous 2012-07-26 23:55

Okay so I put the printf("buf variable is located at 0x%p\n", buf); line in and it prints out "buf variable is located at 0x0xbf89c2ec". If that is correct then I now know the location of the buf buffer.

Name: Anonymous 2012-07-27 0:22

>>14,15

Each time you recompile the program, buf will be at a different spot.

You don't need a printf() thrown into your code to find it. In fact, if you figure out how to read a certain something you've already posted, you'll not only know where buf is, you'll understand how to do the exploit.

Also, to keep yourself sane, try using set disassembly-flavor intel in gdb.

Name: Anonymous 2012-07-27 0:42

>gdb
Why use such a hunk of shit? You guys realize that all of Intel's software development tools are free on Linux (for "non-commercial" use)? That includes idb and fucking VTune. Shit, it's the only reason I have Linux on my hard drive.

Name: Anonymous 2012-07-27 0:51

Right I know that buf will be different each time I compile it, but the printf() was the easiest way for me to find it because I'm not very good at reading the assembly dump. I've never dealt with something like this before and our professor never talked about it and then just tossed us an assignment. That's why I'm having such a difficult time with this.

Also I know about the "set disassembly-flavor intel", but it doesn't help because it constantly says something about "no symbol table found" whenever I try to do anything. And I'm still getting "no registers" even after I have run the program, I don't get it.

In case I haven't said it, I really do appreciate the help that you have been giving me.

Name: Anonymous 2012-07-27 0:52

>>17

It's not up to me. It's what my instructor told us to use. If I was better at doing this stuff, I would definitely be using something that was better; but I'm a complete noob at doing buffer overflows or anything like this. Sorry :(

Name: Anonymous 2012-07-27 1:25

>>17
Like the tools make a fucking difference in this case. It's a basic buffer overflow, not reversing an encrypted binary with copy protection. Besides, it takes about a day to learn gdb on the level needed for this assignment, despite gdb being annoying and somewhat useless. If anything's messed up, it's this guy's install of gdb. Fuck off.

>>18
All I can post tonight is that, first and foremost, you need to work on getting the debugger working and figure out how to use the debugger properly (and yes, you can use gdb for this assignment). Go try and read some of the stuff I gave you.

Name: Cudder !MhMRSATORI!fR8duoqGZdD/iE5 2012-07-27 2:20

Draw diagrams of the memory layout and so forth.

Name: Anonymous 2012-07-27 2:50

>>20
Well I thank you for the effort in guiding me and giving me help. I understand this stuff a bit better because of your posts.

Many internets.

Name: Anonymous 2012-07-27 4:10

Hey guys I have made significant improvement! Here is what I have so far, but in the end I am getting a weird error.

1. I compiled using gcc -g isThisGood.c -o homework

2. I entered 'gdb homework' and 'set args AAAAAAAA'

3. Using 'info address oopsIGotToTheBadFunction', I have found out that the address of the bad function is "0x8048444"

4. Using break 'goodFunctionUserInput' I broke inside of the good function, and then I used 'info frame' and found the eip address is 0x8048468

5. Using disassem I have found that:
(gdb) disassem
Dump of assembler code for function goodFunctionUserInput:
0x08048462 <goodFunctionUserInput+0>:   push   ebp
0x08048463 <goodFunctionUserInput+1>:   mov    ebp,esp
0x08048465 <goodFunctionUserInput+3>:   sub    esp,0x18

Because push subtracts 4 from esp, and 0x18=24, the total would be sub esp, 28. Because gets() includes an extra character, I have to subtract 1 and the total for padding would be 27.

6. So now I try to run the program (outside gdb) with the address in the argument and 27 characters for padding and this is what happens:

-bash-3.1$ ./homework 'echo $'\x44\x84\x04\x08''
AAAAAAAAAAAAAAAAAAAAAAAAAAA

Am I typing the escaped hex literal correctly? I'm not sure why I am getting this error, I believe I have done everything correctly; can anyone give me any input please?

Name: Anonymous 2012-07-27 4:25

he's lucky he doesn't have to compile with -fPIC.

Name: Anonymous 2012-07-27 4:41

>>21
I want to draw a diagram of my penis in your cudder, ``Cudder''.

Name: Anonymous 2012-07-27 4:41

Sorry I forgot to say that it gave me a seg fault:

-bash-3.1$ ./homework 'echo $'\x44\x84\x04\x08''
AAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

I'm also not sure if this is correct guys:

Because push subtracts 4 from esp, and 0x18=24, the total would be sub esp, 28. Because gets() includes an extra character, I have to subtract 1 and the total for padding would be 27.

If 0x18 is 24 and push subtracts 4, wouldn't it start off as 24-4=20? Then 20+4=24, 24-1=23? I tried this also and it still gave me a seg fault.

Am I at least close now??

Name: Anonymous 2012-07-27 6:05

Can anyone help me wrap up this assignment? I'm going to bed so I will check this in the afternoon when I wake up. I'm so close and I can see the light at the end of the tunnel!

Thanks guys

Name: Anonymous 2012-07-27 7:33

>>17
Fuck off, freedom hater.

Name: Anonymous 2012-07-27 9:48

>a. What is the address of the function oopsIGotToTheBadFunction()?

dump the global object table and search for the name of the function

>b. What is the address on the stack that your input must overwrite (address and content please)? How did you locate this address?

The return address, you locate it knowing your calling conventions

>c. What is the address of buf?

start of the data part of the stack of the function that contains it

>d. What is the minimum length your input, the length you need to alter the return address stored on the stack.

Make a little drawing and calculate it, see www.agner.org/optimize/calling_conventions.pdf

>e. what is your input - show it in hexa characters since some of the input is not likely to be printable.

Do this on paper with the debugger open, should be just a little modification

Name: Anonymous 2012-07-27 12:19

>>22,23,26,27

>>20 here.

You're close.

Why are you worrying about command line args? You don't have an argv to overflow. All you have is the call to gets().

Name: Anonymous 2012-07-27 12:51

>>30
Sorry, the code has been changed since OP, so I do use argv now:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Target of the exercise: only reached if the saved return address is overwritten. */
int oopsIGotToTheBadFunction(void)
{
    printf("Gotcha!\n");
    exit(0);
}

/* gets() is still unbounded; strcat() then appends ret past whatever gets() left in buf. */
int goodFunctionUserInput(char ret[])
{
    char buf[12];
    gets(buf);
    strcat(buf, ret);

    return(1);
}

int main(int argc, char *argv[])
{
    char ret[8];
    strcpy(ret, argv[1]);   /* argv[1] is copied unchecked into an 8-byte array */

    goodFunctionUserInput(ret);
    printf("Overflow failed\n");
    return(1);
}

I have all the information I need, I just can't get it to overflow the buffer correctly and thus I am stuck. Any help would be greatly appreciated!!!

Name: Anonymous 2012-07-27 13:31

Anybody? I'm going to be leaving for work in an hour and I have to have this completed and turned in by the time I leave since it is due this afternoon. Since I have a lot of it I will get about half the points, but he requires a working compilation in order to receive full credit and I would really like to get full credit on this assignment.

Please guys? :(

Name: Anonymous 2012-07-27 13:53

>>31
Why'd the code change? Did you change it, or did the teacher/professor?

My hint to you is to look at how a stack frame is arranged, like I tried to get you to do earlier.

Name: Anonymous 2012-07-27 14:07

The other guy in my class that I was working with changed it. It doesn't matter anymore man. I'm going to work in 20 minutes and I'm turning in what I have so far right now anyways. It doesn't matter if I look at how a stack frame is arranged, because I don't know what to look at to help me better understand it, oh well.

I appreciate the help, but it looks as if I won't be getting full points on this assignment.

Name: Anonymous 2012-07-27 14:12

>>34
So be it! Don't get full points on this assignment.

Name: Anonymous 2012-07-27 14:15

>>35
I know I know. But I guess I'm just worried because this is the last class I'm taking and I graduate next Saturday, so I just really wanted to get as many points as possible so I didn't have to worry about possibly not passing the class; and then having to retake another entire semester.

We still have one more assignment & test left, so hopefully I can do well on those. I'm sure I will be posting soon for guidance on the next one lol.

Thanks for all the help man.. this has at least perked my interest and has made me want to actually learn how to perform a stack buffer overflow.

Name: Anonymous 2012-07-27 14:18

You should have asked this on Enterprise Overflow. Some faggot with ``150k'' would have written a ten page explanation that you could just ^P and get an A.

Name: Anonymous 2012-07-27 14:24

>>37
Someone should have told me about that then... I've never heard of Enterprise Overflow, lol.

Name: Anonymous 2012-07-27 14:47

>>34
The point was that the return address is before the arguments in the stack frame. i.e., you only had to worry about overflowing gets() and putting the right address after that. argv didn't matter at all (I don't know why your classmate added that...the point was to exploit the program as-is). The only thing you had missing was getting the correct arithmetic for the amount of bytes needed for overflow (which you can pick up from the assembly). That's why I told you to look at a stack frame.

The correct exploit was to pass any number of characters as the command line argument (so long as it didn't segfault), and to enter some number of characters followed by the correct address to stdin. That's it.

>>35 is not me, nor is >>37

Name: Anonymous 2012-07-27 16:21

>>39
Me neither.

Name: Anonymous 2012-07-28 3:21

>>39
Oh well, I tried. I couldn't figure out the amount of characters to send; but I had all the other information figured out.

Hopefully I get something for this assignment because I really did try. I appreciate the help though!

Name: Anonymous 2012-07-28 11:06

>>41
Did you turn off stack cookies in your compiler? A lot of compilers or OS's guard against buffer overruns now.

Name: Stack Cookie Monster 2012-07-28 11:28

Did anyone say stack cookies?

Name: munch on my doubles! 2012-07-28 11:39

om nom nom nom

Name: Anonymous 2012-07-28 11:40

>>41
Well, I saw you passing the address as an argument instead of putting it in the stdin.

>>42
Eh, I mentioned that in one of my posts to him. No idea if he listened. He might be using an environment provided by the class, though.

Name: Anonymous 2012-07-28 13:17

What's a buffer overflow? I use a real programming language, not ``the PDP-11 assembler that thinks it's a language'' with funny-looking syntax.
for(;P("\n"),R--;P("|"))for(e=C;e--;P("_"+(*u++/8)%2))P("| "+(*u/4)%2);
