Buffer overflow
hi i am doing a huge project and a part of it is like a pre assignment can anyone explain how to do this or give me a website to read about this
i need to use gdb and Your task is to determine the input
(attack payload) that a user might give to the program so that the computer executes the goodPassword() function (instead of always executing the badPassword() function) granting admin 2 privileges to the user
There is no programing needed i just need to use hex editor and change some bytes
Thanks
i need to use gdb and Your task is to determine the input
(attack payload) that a user might give to the program so that the computer executes the goodPassword() function (instead of always executing the badPassword() function) granting admin 2 privileges to the user
There is no programing needed i just need to use hex editor and change some bytes
Thanks
|
|
Last edited on
The way I would try this is by first finding the getName function. You know the buffer is 14 bytes long and after that a buffer overflow will occur which will write the trailing bytes over code, you will need to calculate where that x+5 is and change that +5 to something else.
It has been a long time since I were into this stuff. I hope others can assist you further I'd like to see some comments on it.
It has been a long time since I were into this stuff. I hope others can assist you further I'd like to see some comments on it.
If you could post code that actually compiles, that would be great.
@megatron 0: that's not quite. Inspecting in gdb shows that the 'x' parameter is before 'buf'
The clue comes from
> the computer executes the goodPassword() function
looking at the code, there is no call to `goodPassword()', you need to overwrite the program counter with its address.
edit: I may have worded incorrectly.
Before calling the function, the program counter is pushed onto the stack (so you know where to return) then the stacks grows to allocate the parameters and local variables of the function.
When the function returns, the stack shrinks (destroys the local variables) and the program counter is popped from the stack.
So you make a buffer overflow, overwriting the stack, so when the function returns it would go to where you want.
@megatron 0: that's not quite. Inspecting in gdb shows that the 'x' parameter is before 'buf'
The clue comes from
> the computer executes the goodPassword() function
looking at the code, there is no call to `goodPassword()', you need to overwrite the program counter with its address.
edit: I may have worded incorrectly.
Before calling the function, the program counter is pushed onto the stack (so you know where to return) then the stacks grows to allocate the parameters and local variables of the function.
When the function returns, the stack shrinks (destroys the local variables) and the program counter is popped from the stack.
So you make a buffer overflow, overwriting the stack, so when the function returns it would go to where you want.
Last edited on
so how should i find where to change the bytes in hex editor i have the x86 do i have to look for where goodpassword function is and what bytes to change and to what ?
oh and sorry the return 0; was missing that code should compile i had to disable stack protection
oh and sorry the return 0; was missing that code should compile i had to disable stack protection
Last edited on
> oh and sorry the return 0; was missing
you have `Void', it should be `void'
there are some missing semicolons too.
> so how should i find where to change the bytes in hex editor
perhaps I misread you. You are not supposed to change the program or its executable.
You simply should provide the user input
As to how to know what to change and to what.
When you call `getName()' you know that the program counter (PC) gets into the stack. You also know that the PC has a value near main, so you could try reading from `buf' looking for that value
This is an example run
(the bold numbers are quite close, note the endianness)
Then you simply count how long the string should be to overwrite the PC. I'm sorry, but cannot explain this length.
So you simply fill the input until that point and then write the address of the `goodPassword()' function that you may obtain doing (inside gdb)
(be careful with the endianness)
You'll need an hex editor to be able to write those hexadecimals numbers, and output redirection.
I've used echo
you have `Void', it should be `void'
there are some missing semicolons too.
> so how should i find where to change the bytes in hex editor
perhaps I misread you. You are not supposed to change the program or its executable.
You simply should provide the user input
As to how to know what to change and to what.
When you call `getName()' you know that the program counter (PC) gets into the stack. You also know that the PC has a value near main, so you could try reading from `buf' looking for that value
This is an example run
$ gcc -ggdb bar.c
$ gdb a.out
> break getName
> run
Breakpoint 1, getName (x=5) at bar.c:10
> print main
$1 = {int ()} 0x40063c <main>
> print /x *buf@40
$2 = {0xe0, 0x4, 0x40, 0x0 <repeats 13 times>, 0xf0, 0xdd, 0xff, 0xff, 0xff, 0x7f, 0x0, 0x0, 0x58, 0x6, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0, 0xd0, 0xde, 0xff, 0xff, 0xff, 0x7f, 0x0, 0x0}
|
Then you simply count how long the string should be to overwrite the PC. I'm sorry, but cannot explain this length.
So you simply fill the input until that point and then write the address of the `goodPassword()' function that you may obtain doing (inside gdb)
> print goodPassword
$3 = {void ()} 0x400617 <goodPassword> |
You'll need an hex editor to be able to write those hexadecimals numbers, and output redirection.
I've used echo
$ echo -e "electroencefalografista\x0\x17\x6\x40" | ./a.out Enter your name: Great Success! You Earned admin 2 privilges |
thanks really appreciate it and sorry i changed the mistakes on my computer but not here
What is this topic is there a book or pdf file to read more about this
What is this topic is there a book or pdf file to read more about this
Last edited on
@ne555
That's a great post. I might try and start hacking my own programs. I feared I were wrong and I don't like pointing people in the wrong direction, I'm glad you could help him.
That's a great post. I might try and start hacking my own programs. I feared I were wrong and I don't like pointing people in the wrong direction, I'm glad you could help him.
Topic archived. No new replies allowed.