
stack buffer overflow

Name: Anonymous 2012-07-26 13:33

I come to you for help with this assignment I have: smashing the stack. Implement a buffer overflow attack on the program, isThisGood.c, by exploiting the input, see gets(). If the exploit is successful, it should invoke the function oopsIGotToTheBadFunction!

a. What is the address of the function oopsIGotToTheBadFunction()?
How did you determine this?

b. What is the address on the stack that your input must overwrite
(address and content please)? How did you locate this address?

c. What is the address of buf?

d. What is the minimum length of your input, i.e. the length you need to alter
the return address stored on the stack?

e. What is your input? Show it in hex characters since some of the
input is not likely to be printable.

#include <stdio.h>
#include <stdlib.h>

/* target function: never called by normal control flow */
int oopsIGotToTheBadFunction(void)
{
printf("Gotcha!\n");
exit(0);
}

/* reads a line from stdin into a 12-byte stack buffer with no length check */
int goodFunctionUserInput(void)
{
char buf[12];
gets(buf);
return(1);
}

int main(void)
{
goodFunctionUserInput();
printf("Overflow failed\n");
return(1);
}
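
As an added example, not the assignment's code or anything posted in this thread, here is the hardened form of goodFunctionUserInput(): gets() is replaced by a bounded read so the same 12-byte buffer can never be overrun, plus a helper that feeds it a constructed over-long line through a temporary file standing in for stdin. The names read_line_bounded, goodFunctionUserInputSafe, run_demo and kept are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(buf): reads at most size-1 bytes, always
 * NUL-terminates, drops the trailing newline and discards excess bytes on
 * the line so they are neither written past buf nor left for the next read.
 * Returns 1 if the line fit, 0 if truncated, -1 on EOF with nothing read. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    int c, truncated = 0;
    if (size == 0 || in == NULL || fgets(buf, (int)size, in) == NULL) {
        if (size) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;                       /* newline seen: line is complete */
    }
    /* No newline: line was longer than buf, or input ended without one */
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated ? 0 : 1;
}

/* Hardened goodFunctionUserInput(): same 12-byte stack buffer, but the read
 * is bounded by sizeof buf, so the saved return address is out of reach. */
int goodFunctionUserInputSafe(FILE *in, char *out, size_t outsize)
{
    char buf[12];                       /* same size as in the assignment */
    int rc = read_line_bounded(buf, sizeof buf, in);
    if (out && outsize) {
        strncpy(out, buf, outsize - 1);
        out[outsize - 1] = '\0';
    }
    return rc;
}

/* Feeds a constructed line through the hardened function via a temporary
 * file standing in for stdin; the bytes that survived are left in kept[]. */
char kept[12];
int run_demo(const char *input)
{
    FILE *in = tmpfile();
    if (in) { fputs(input, in); rewind(in); }
    int rc = goodFunctionUserInputSafe(in, kept, sizeof kept);
    if (in) fclose(in);
    return rc;                          /* 27 'A's + '\n' -> 0, kept = 11 'A's */
}
```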

Name: Anonymous 2012-07-27 2:50

>>20
Well I thank you for the effort in guiding me and giving me help. I understand this stuff a bit better because of your posts.

Many internets.

Name: Anonymous 2012-07-27 4:10

Hey guys I have made significant improvement! Here is what I have so far, but in the end I am getting a weird error.

1. I compiled using gcc -g isThisGood.c -o homework

2. I entered 'gdb homework' and 'set args AAAAAAAA'

3. Using 'info address oopsIGotToTheBadFunction', I have found out that the address of the bad function is "0x8048444"

4. Using break 'goodFunctionUserInput' I broke inside of the good function, and then I used 'info frame' and found the eip address is 0x8048468

5. Using disassem I have found that:
(gdb) disassem
Dump of assembler code for function goodFunctionUserInput:
0x08048462 <goodFunctionUserInput+0>:   push   ebp
0x08048463 <goodFunctionUserInput+1>:   mov    ebp,esp
0x08048465 <goodFunctionUserInput+3>:   sub    esp,0x18

Because push subtracts 4 from esp, and 0x18=24, the total would be sub esp, 28. Because gets() includes an extra character, I have to subtract 1 and the total for padding would be 27.

6. So now I try to run the program (outside gdb) with the address in the argument and 27 characters for padding and this is what happens:

-bash-3.1$ ./homework 'echo $'\x44\x84\x04\x08''
AAAAAAAAAAAAAAAAAAAAAAAAAAA

Am I typing the escaped hex literal correctly? I'm not sure why I am getting this error, I believe I have done everything correctly; can anyone give me any input please?

Name: Anonymous 2012-07-27 4:41

Sorry I forgot to say that it gave me a seg fault:

-bash-3.1$ ./homework 'echo $'\x44\x84\x04\x08''
AAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

I'm also not sure if this is correct guys:

Because push subtracts 4 from esp, and 0x18=24, the total would be sub esp, 28. Because gets() includes an extra character, I have to subtract 1 and the total for padding would be 27.

If 0x18 is 24 and push subtracts 4, wouldn't it start off as 24-4=20? Then 20+4=24, 24-1=23? I tried this also and it still gave me a seg fault.

Am I at least close now?

Name: Anonymous 2012-07-27 6:05

Can anyone help me wrap up this assignment? I'm going to bed so I will check this in the afternoon when I wake up. I'm so close and I can see the light at the end of the tunnel!

Thanks guys
