Buffer overflow successful, but shouldn't it be?

This is my program with a vulnerable char buffer, name [400].

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() copies temp2 plus its NUL terminator
 * into name[400] with no bounds check. */
void greeting(char *temp1, char *temp2)
{
    char name[400];
    strcpy(name, temp2);
    printf("Hello %s %s\n", temp1, name);
}

int main(int argc, char *argv[])
{
    greeting(argv[1], argv[2]);
    return 0;
}

Compiled on Linux (64-bit) with ASLR disabled:

gcc -m32 -ggdb -fno-stack-protector -mpreferred-stack-boundary=2 -z execstack -o buffer buffer.c

(gdb) run Mr `perl -e 'print "A" x 400'`
Hello Mr AAAAAAA.... (truncated)
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

(gdb) info reg eip ebp
eip            0x41414141
ebp            0x41414141


I am assuming a null byte has been added, causing an overflow, but I don't understand how EIP can be 0x41414141 with only a 1-byte overflow.

EDIT: After looking more closely with gdb, no null byte is added, and no overflow occurs at all when only 400 bytes are input. So how does my EIP end up pointing to the contents of my buffer without any overflow? My guess is that the lack of a null byte is causing problems for printf().

1 answer


Strings in C are NUL-terminated, so you end up with a 1-byte overflow with a value of zero (NUL).

A one-byte NUL overflow modifies the saved value of $ebp to point lower on the stack than it should. This leads to the wrong value being restored into $esp, and from there to control of $eip.

Pay close attention to the value of ebp. After the call, the value of $ebp itself remains unchanged, but the value it points to (the saved frame pointer that main restores from the stack) has been adjusted to point into the middle of our controlled buffer.

When greeting returns to main, nothing happens. However, when main restores its stack frame using the leave instruction, the stack pointer $esp is set to the middle of our controlled buffer. When the ret instruction then executes, we have control over $eip.

Note that I used the pwntools-generated cyclic pattern and not the default AAAA one, as we can use it to calculate the offset. For example, 'aaaa' => 0, 'aaab' => 1, 'aaba' => 2.

Before strcpy:

EBP: 0xffffc6e8 --> 0xffffc6f8 --> 0x0
ESP: 0xffffc54c --> 0xffffc558 --> 0xffffc5c8 --> 0xf63d4e2e
EIP: 0x8048466 (<greeting+25>:  call   0x8048320 <strcpy@plt>)

After strcpy:

EBP: 0xffffc6e8 --> 0xffffc600 ("raabsaabtaabuaabvaabwaabxaabyaab"...)
ESP: 0xffffc54c --> 0xffffc558 ("aaaabaaacaaadaaaeaaafaaagaaahaaa"...)
EIP: 0x804846b (<greeting+30>:  lea    eax,[ebp-0x190])

Before leave in main:

EBP: 0xffffc600 ("raabsaabtaabuaabvaabwaabxaabyaab"...)
ESP: 0xffffc6f0 --> 0xffffc9bb ("Mister")
EIP: 0x80484b1 (<main+39>:      leave)

After leave in main:

EBP: 0x62616172 (b'raab')
ESP: 0xffffc604 ("saabtaabuaabvaabwaabxaabyaabzaac"...)
EIP: 0x80484b2 (<main+40>:      ret)

At ret in main:

EBP: 0x62616172 (b'raab')
ESP: 0xffffc608 ("taabuaabvaabwaabxaabyaabzaacbaac"...)
EIP: 0x62616173 (b'saab')

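The root cause in the answer above is that 400 input characters need 401 bytes once the terminator is counted, and strcpy() never checks. As an added example (not code from the question or the answer), the following hardened version of greeting() makes that size check explicit. copy_name(), fits_in(), greeting_safe() and repeat() are names chosen here for illustration; the 400-byte buffer and the "A" x 400 input mirror the question.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define NAME_SZ 400   /* same buffer size as the question's greeting() */

/* Copy src into dst only if src and its NUL terminator both fit.
 * Returns 0 on success, -1 (with dst emptied) if the copy would overflow.
 * strlen(src) == dstsz is exactly the off-by-one case from the question:
 * 400 characters need 401 bytes. */
int copy_name(char *dst, size_t dstsz, const char *src)
{
    size_t need = strlen(src) + 1;      /* the terminator counts */
    if (dstsz == 0)
        return -1;
    if (need > dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, need);
    return 0;
}

/* Same check as a predicate, so a caller can decide before touching dst. */
int fits_in(size_t dstsz, const char *src)
{
    return strlen(src) + 1 <= dstsz;
}

/* Hardened greeting: refuses oversized input instead of overflowing. */
int greeting_safe(const char *title, const char *who)
{
    char name[NAME_SZ];
    if (copy_name(name, sizeof name, who) != 0) {
        fprintf(stderr, "name too long (%zu bytes, max %zu)\n",
                strlen(who), sizeof name - 1);
        return -1;
    }
    printf("Hello %s %s\n", title, name);
    return 0;
}

/* Constructed input: n copies of c, like perl -e 'print "A" x n'. */
char *repeat(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (!s)
        abort();
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *ok  = repeat('A', NAME_SZ - 1);  /* 399 A's + NUL = 400 bytes: fits */
    char *bad = repeat('A', NAME_SZ);      /* 400 A's + NUL = 401 bytes: one too many */
    greeting_safe("Mr", ok);
    greeting_safe("Mr", bad);              /* rejected instead of clobbering saved ebp */
    free(ok);
    free(bad);
    return 0;
}
```

The check compares strlen(src) + 1 against the buffer size rather than strlen(src) alone; comparing without the + 1 would let the 400-character input through and reproduce the single NUL byte landing on the saved frame pointer. Compiling with -fstack-protector (which the question's build disables) would also catch the overwrite, but only after it has happened.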