Best IT Recipes

How can I cause a buffer overflow?

I had a homework assignment asking me to call a function without calling it explicitly using a buffer overflow. The code is basically like this:

#include <stdio.h> #include <stdlib.h> void g() { printf("now inside g()!\n"); } void f() { printf("now inside f()!\n"); // can only modify this section // cant call g(), maybe use g (pointer to function) } int main (int argc, char *argv[]) { f(); return 0; }

Although I'm not sure how to proceed. I thought about changing the return address for the program counter so that it goes directly to the g () address, but I'm not sure how to access it. Anyway, the tips would be great.

+28
c stack-trace pointers buffer-overflow fortify-source
Feb 25 2018-10-25
source share
5 answers

The main idea is to change the return address of the function so that when the function returns, it continues to be executed on the new cracked address. As Niels did in one of the answers, you can declare a piece of memory (usually an array) and overflow it so that the return address is also rewritten.

I suggest that you do not blindly accept any of the programs listed here without understanding how they work. This article is very well written and you will find it very useful:

Step by Step Buffer Overflow Vulnerability

+13
Feb 25 '10 at 12:53 on
source share

It depends on the compiler, so there is no single answer.

The following code will do what you want for gcc 4.4.1. Compilation with disabled optimizations (important!)

 #include <stdio.h> #include <stdlib.h> void g() { printf("now inside g()!\n"); } void f() { int i; void * buffer[1]; printf("now inside f()!\n"); // can only modify this section // cant call g(), maybe use g (pointer to function) // place the address of g all over the stack: for (i=0; i<10; i++) buffer[i] = (void*) g; // and goodbye.. } int main (int argc, char *argv[]) { f(); return 0; }

Output:

 nils@doofnase:~$ gcc overflow.c nils@doofnase:~$ ./a.out now inside f()! now inside g()! now inside g()! now inside g()! now inside g()! now inside g()! now inside g()! Segmentation fault
+11
Feb 25 '10 at
source share

Since this is homework, I would like to echo the codeaddict suggestion to understand how buffer overflows work.

I learned the technique by reading a great (if a little outdated) article / lesson on using Smashing The Stack For Fun And Profit buffer overflow vulnerabilities.

+7
Feb 25 2018-10-25
source share

Try the following:

 void f() { void *x[1]; printf("now inside f()!\n"); // can only modify this section // cant call g(), maybe use g (pointer to function) x[-1]=&g; }

or this one:

 void f() { void *x[1]; printf("now inside f()!\n"); // can only modify this section // cant call g(), maybe use g (pointer to function) x[1]=&g; }
+3
Feb 25 '10 at 12:30
source share

While this solution does not use the overflow method to overwrite the function return address on the stack, it still calls g() to call from f() on the return path to main() by changing f() and not directly calling g() .

The epilogue -like built-in function is added to f() to change the value of the return address on the stack so that f() will return via g() .

 #include <stdio.h> void g() { printf("now inside g()!\n"); } void f() { printf("now inside f()!\n"); // can only modify this section // cant call g(), maybe use g (pointer to function) /* x86 function epilogue-like inline assembly */ /* Causes f() to return to g() on its way back to main() */ asm( "mov %%ebp,%%esp;" "pop %%ebp;" "push %0;" "ret" : /* no output registers */ : "r" (&g) : "%ebp", "%esp" ); } int main (int argc, char *argv[]) { f(); return 0; }

Understanding how this code works can lead to a better understanding of how the frame stack of functions is set for a particular architecture, which forms the basis of buffer overflow methods.

+3
Jun 18 2018-10-1820:
source share


More articles:


All Articles