Nych

Reputation: 78

buffer overflow exploit change function call

I am trying to perform a buffer overflow to change the call from function A to function B. Is this do-able? I know I will have to figure out how many bytes I have to enter until I have control over the return pointer, and figure out the address of function B. Is it possible to alter it so that after "x==10" we inject function B's address instead of functionA? Edit: Is it possible that after fillbuff is called, instead of returning to main, we send it to function B? Any hints are appreciated.

#include <stdio.h>
#include <stdlib.h>

/* Reads a name into a 15-byte stack buffer with gets(), which imposes no
 * length limit: this unbounded read is the overflow the question asks about. */
int fillBuff(int x){
    char buff[15];
    puts("Enter your name");
    gets(buff);
    return(x + 5);
}

void functionA(){
    puts("I dont want to be here");
    exit(0);
}
void functionB(){
    printf("I made it!");
    exit(0);
}

int main(){
    int x;
    x = fillBuff(5);   /* the original wrote "fillbuff", which does not match the definition */
    if (x == 10){
        functionA();
    }
}

Upvotes: 1

Views: 6222

Answers (2)

ViniciusArruda

Reputation: 990

Here is an article that shows how to do it: http://insecure.org/stf/smashstack.html.

Compile your program like this: gcc -g -c program.c (with the -g) and run gdb ./a.out. After that, run the command disas main. You should see the disassembly of your code and how it is organized in memory. You can replace main with any other function and see its code. For more information about disassembly, see: https://sourceware.org/gdb/onlinedocs/gdb/Machine-Code.html


Running GDB and disassembling the functions on my computer, the address of functionA() is 0x400679 and the address of functionB() is 40068a. If you look at the disassembled code of the main function, there is a call to the address 0x400679, and what you want is to change it to 40068a. Basically, you have to overflow the buffer in function fillBuff and, after reaching the space of the pointer, fill it with the address. The article shows how to do it.

Upvotes: 2

Bobby Sacamano

Reputation: 540

Buffer overflows are undefined behavior in C. Nothing is guaranteed to occur when you buffer overflow, and as far as I'm aware the language doesn't require a specific memory layout for local variables and/or stored return addresses. In addition to this, some compilers insert stack protectors to make buffer overflow attacks more difficult.

If you want to have defined behavior, you are going to need to look at the assembly produced and figure out what a buffer overflow is going to do. Based on the assembly produced, you can determine the stack layout and the address layout and try to overwrite the return address with a different function's address.

If you're using GCC, the command line option to print out the assembly is -Wa,-al. If you want Intel syntax, add -masm=intel.

Upvotes: 0
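Both answers turn on the unbounded gets(buff) in the asker's fillBuff. The following is an added example, not code from the question or either answer: the same function rewritten with a bounded read so an overlong name can neither overrun the 15-byte buffer nor bleed into the next read. Reading from a FILE* instead of stdin and the check_line helper are assumptions made for testability.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen (POSIX) */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 15   /* same size as the asker's buff[15] */

/* Bounded replacement for the question's gets(buff): reads at most
 * NAME_LEN-1 bytes, strips the newline, and drains the rest of an
 * overlong line. *truncated reports whether any bytes were dropped.
 * Returns x + 5 exactly like the original fillBuff. */
int fillBuffSafe(FILE *in, int x, char buff[NAME_LEN], int *truncated)
{
    *truncated = 0;
    if (fgets(buff, NAME_LEN, in) == NULL) {
        buff[0] = '\0';                 /* EOF or error: empty name */
        return x + 5;
    }
    size_t len = strlen(buff);
    if (len > 0 && buff[len - 1] == '\n') {
        buff[len - 1] = '\0';           /* whole line fit: drop newline */
    } else {
        int c;                          /* line did not fit: drain it */
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;             /* at least one byte was dropped */
    }
    return x + 5;
}

/* Feed one constructed line through fillBuffSafe; returns 1 if the name,
 * the truncation flag and the (empty) remainder of the stream match. */
int check_line(const char *line, const char *want_name, int want_trunc)
{
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    char buff[NAME_LEN];
    int truncated, ok;
    if (!in) return 0;
    ok = fillBuffSafe(in, 5, buff, &truncated) == 10
      && strcmp(buff, want_name) == 0 && truncated == want_trunc
      && fgetc(in) == EOF;              /* nothing left for the next read */
    fclose(in);
    return ok;
}

int main(void)
{
    puts(check_line("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", "AAAAAAAAAAAAAA", 1)
         ? "overlong name contained" : "FAILED");
    return 0;
}
```

The 30-byte name is twice the buffer, yet only 14 bytes land in buff and the return value stays x + 5; a name that fits exactly (14 bytes plus newline) is not reported as truncated.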
