Reputation: 6162
I am trying to learn about buffer overflow attacks and wanted to see a working demo of the same. I have been following many online resources to understand the same. For example, this has proven really helpful so far.
I understand the concept of buffer overflow clearly, however, I am unable to get the demo working. I am on a 64-bit Mac, running 32-bit Ubuntu in VirtualBox (the machine where I am experimenting with buffer overflow). I have disabled ASLR on Ubuntu for the sake of playing around with the buffer overflow.
I have a simple C program, demo.c, taken from the video link mentioned above:
#include <stdio.h>

void CanNeverExecute(void)
{
    printf("I can never execute");
}

void GetInput(void)
{
    char buffer[8];
    gets(buffer); /* the vulnerable function: no bound on the input length */
    puts(buffer);
}

int main(void)
{
    GetInput();
    return 0;
}
I have tried all the below variations to compile the program as:
gcc -ggdb -fno-stack-protector -mpreferred-stack-boundary=2 -z execstack -o demo demo.c
gcc -ggdb -fno-stack-protector -mpreferred-stack-boundary=2 -o demo demo.c
gcc -ggdb -fno-stack-protector -mpreferred-stack-boundary=2 -z execstack -m32 -o demo demo.c
The idea is to overwrite the return address on the stack with the address of CanNeverExecute() by exploiting the gets(). The address of CanNeverExecute turns out to be 0x0804847b.
To do so, I have tried the following:
printf "123456789abc\x7b\x84\x04\x08" | ./demo
echo -e "123456789abc\x7b\x84\x04\x08" | ./demo
python -c 'print "a"*12 + "\x7b\x84\x04\x08"' | ./demo
where 12345678 is to fill up the buffer space, 9abc is to overwrite the value of ebp stored on the stack, and finally the return address stored on the stack is overwritten with the address of CanNeverExecute().
Ideally, what I expect (as also shown in the demo link above) is CanNeverExecute() getting executed and the message in it being printed.
But contrary to the expectation, in all of the above cases, I get a "segmentation fault (core dumped)" with the following printed on the terminal:
123456789abc{,,[some_unprintable_character]
CanNeverExecute() does not get executed.
What am I missing? What needs to be changed? Please help.
Upvotes: 2
Views: 459
Reputation: 20631
Your "CanNeverExecute" function is executing, but you're not seeing its output. Change it to:
void CanNeverExecute(void)
{
    printf("I can never execute\n");
    fflush(stdout); /* push the buffered text out before the program crashes */
}
The problem is that the program crashes before the output buffer is flushed.
Upvotes: 4
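Two points on this page are worth seeing in working code: the bounded replacement for the gets() call that makes the demo vulnerable in the first place, and the explicit flush that the answer recommends so that output survives a crash that follows it. The block below is an added example written for this page, not code from the question, the answer or the linked video. It assumes a POSIX libc (fmemopen() is used only to feed constructed sample input to the reader so that the example runs without a terminal); the function names, the 8-byte buffer size copied from demo.c and the sample strings are all my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* same size as the buffer in demo.c */

/* Bounded replacement for gets(): stores at most size-1 characters in buffer,
 * strips the trailing newline, and drains the rest of an over-long line so the
 * next call starts on a fresh line instead of reading the leftover bytes.
 * Returns the number of characters stored, or -1 on EOF. */
int get_input_bounded(FILE *in, char *buffer, size_t size)
{
    if (fgets(buffer, (int)size, in) == NULL)
        return -1;
    size_t len = strcspn(buffer, "\n");
    if (buffer[len] == '\n') {
        buffer[len] = '\0';              /* whole line fit in the buffer */
    } else {
        int c;                           /* line was longer than size-1 */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                            /* discard the excess */
    }
    return (int)len;
}

/* Write a message and force it out of the stdio buffer immediately.
 * When stdout is a pipe it is fully buffered, so text printed just before a
 * crash is lost unless it is flushed; this is the answer's fflush() point.
 * Returns 0 on success, -1 if the write or the flush failed. */
int say_and_flush(const char *msg)
{
    if (fputs(msg, stdout) == EOF)
        return -1;
    return fflush(stdout) == 0 ? 0 : -1;
}

/* Feed a constructed 16-character line (twice the buffer) through the bounded
 * reader and check that the 4 bytes placed right after the buffer are intact.
 * Returns the stored length (7) on success, -1 if anything past the buffer
 * was touched or the stored text is wrong. */
int demo_truncation(void)
{
    struct {
        char buffer[BUF_SIZE];
        char sentinel[4];                /* sits directly after the buffer */
    } frame;
    memcpy(frame.sentinel, "XYZ", 4);

    char sample[] = "123456789abcdefg\n"; /* constructed over-long input */
    FILE *in = fmemopen(sample, strlen(sample), "r");
    if (in == NULL)
        return -1;
    int n = get_input_bounded(in, frame.buffer, sizeof frame.buffer);
    fclose(in);

    if (memcmp(frame.sentinel, "XYZ", 4) != 0)
        return -1;                       /* overflow: must never happen */
    if (strcmp(frame.buffer, "1234567") != 0)
        return -1;
    return n;
}

/* Count how many lines the bounded reader sees in a constructed text.
 * Because the reader drains an over-long line, each input line counts once
 * even when it does not fit in the buffer. */
int count_lines_bounded(const char *text)
{
    char buffer[BUF_SIZE];
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL)
        return -1;
    int lines = 0;
    while (get_input_bounded(in, buffer, sizeof buffer) >= 0)
        lines++;
    fclose(in);
    return lines;
}

/* Stand-alone use: read one line from stdin with the bounded reader. */
int main(void)
{
    char buffer[BUF_SIZE];
    if (get_input_bounded(stdin, buffer, sizeof buffer) < 0)
        return 1;
    say_and_flush("stored: ");
    say_and_flush(buffer);
    say_and_flush("\n");
    return 0;
}
```

Compiling this with the same flags as demo.c and piping in the 16-byte payload from the question yields only the first seven characters and no crash, because nothing is ever written past buffer[7]; the sentinel check in demo_truncation() makes that observable without a debugger. The drain loop matters for real programs: without it, the bytes that did not fit would be returned by the next read as if they were a separate line.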