GKoo

Reputation: 59

Simple Buffer Overflow

I have an exercise that asks me to produce a segfault. In my understanding I can do that by overflowing the buffer. So all I need to do is provide an input (Name) bigger than a certain size (covering the return address). So if buf, i and c hold 52 bytes and ebp 4, then the return address should be after 56 bytes. So if I give an input bigger than 56, it should produce a segfault. Is my thinking correct? I tried with those numbers but it still runs and exits correctly. (UNIX, 32-bit)

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

#define BUFSIZE 44

char grade = '3';
char Name[BUFSIZE];          /* global destination, copied into by readString */

/* Reads one line from stdin into a fixed 44-byte stack buffer with no
   bound check on i, then copies exactly BUFSIZE bytes into s. */
void readString(char *s) {
   char buf[BUFSIZE];
   int i = 0;
   int c;

   while (1) {
      c = fgetc(stdin);
      if ((c == EOF) || (c == '\n'))
         break;
      buf[i++] = c;          /* no check against BUFSIZE: overflows buf */
   }
   buf[i] = 0;

   for (i = 0; i < BUFSIZE; i++)
      s[i] = buf[i];         /* bounded copy: Name itself never overflows */

   return;
}

int main(void) {
   /* Make the page holding Name readable, writable and executable
      (32-bit: the address cast to unsigned int is page-aligned). */
   mprotect((void*)((unsigned int)Name & 0xfffff000), 1,
            PROT_READ | PROT_WRITE | PROT_EXEC);

   printf("What is your name?\n");
   readString(Name);

   exit(0);
}

Upvotes: 1

Views: 313
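The arithmetic in the question (44 + 4 + 4 + 4 = 56) assumes that buf, i, c and the saved ebp are packed together in that order, which the compiler does not promise. The following is an added example, not code from the question or from either answer: it mirrors readString's locals in a function of its own and measures, rather than guesses, how far buf[0] is from i, c, the saved frame pointer and the return address. It assumes a GCC- or Clang-compatible compiler (for `__builtin_frame_address` and `__attribute__((noinline))`); the struct and function names are this example's own.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

#define BUFSIZE 44

/* Offsets, in bytes from buf[0], of the things an input that runs off the
   end of buf can reach. A negative offset means the object sits below buf
   and an overflow that writes upward never touches it. */
struct frame_layout {
    ptrdiff_t to_i;    /* the index variable i             */
    ptrdiff_t to_c;    /* the character variable c         */
    ptrdiff_t to_ebp;  /* the saved frame pointer          */
    ptrdiff_t to_ret;  /* the return address, just above it */
};

/* Same locals, same declaration order as readString, so the compiler lays
   this frame out the way it lays out readString's. noinline keeps it a real
   call with its own saved frame pointer and return address. */
__attribute__((noinline)) struct frame_layout probe_layout(void)
{
    char buf[BUFSIZE];
    int i = 0;
    int c = 0;
    struct frame_layout l;
    uintptr_t base = (uintptr_t)buf;
    /* __builtin_frame_address(0) is the address of the saved caller frame
       pointer (ebp on 32-bit x86); the return address is one pointer above. */
    uintptr_t fp = (uintptr_t)__builtin_frame_address(0);

    buf[0] = (char)i;          /* keep buf, i and c live so they get storage */
    buf[1] = (char)c;
    l.to_i   = (ptrdiff_t)((uintptr_t)&i - base);
    l.to_c   = (ptrdiff_t)((uintptr_t)&c - base);
    l.to_ebp = (ptrdiff_t)(fp - base);
    l.to_ret = l.to_ebp + (ptrdiff_t)sizeof(void *);
    return l;
}

/* Number of input characters readString stores before the next one lands
   on the first byte of the return address. The question assumed 56. */
ptrdiff_t chars_to_reach_ret(struct frame_layout l)
{
    return l.to_ret;
}

/* True when an overflow from buf[0] upward overwrites the index i before it
   gets to the saved frame pointer: from then on the stored bytes no longer
   go where a simple byte count predicts. */
int index_is_clobbered_first(struct frame_layout l)
{
    return l.to_i >= 0 && l.to_i < l.to_ebp;
}

int main(void)
{
    struct frame_layout l = probe_layout();
    printf("buf[0] -> i   : %td bytes\n", l.to_i);
    printf("buf[0] -> c   : %td bytes\n", l.to_c);
    printf("buf[0] -> ebp : %td bytes\n", l.to_ebp);
    printf("buf[0] -> ret : %td bytes\n", l.to_ret);
    printf("chars needed to reach the return address: %td (not necessarily 56)\n",
           chars_to_reach_ret(l));
    printf("i is overwritten before ebp: %s\n",
           index_is_clobbered_first(l) ? "yes" : "no");
    return 0;
}
```

Build it the way the exercise binary is built (for example `gcc -m32 -O0 -fno-stack-protector probe.c`) so the frame layout matches; the `buf[0] -> ret` line is the number of characters to feed before the return address is touched, and with 16-byte stack alignment it is usually larger than 56. If the program reports that i is overwritten before ebp, the first bytes past buf change the index itself and later writes go wherever the new index points instead of marching toward the return address. If the binary was built with a stack protector, a canary sits between buf and the saved ebp and the overflow ends in an abort rather than a segfault.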

Answers (2)

Nightkids_008

Reputation: 1

In my opinion, the stack was word aligned; if you have buf[BUFSIZE], there will be a hole between it and the local i and c variables. Its disassembly code looks like this:

  4005d4:   55                      push   %rbp
  4005d5:   48 89 e5                mov    %rsp,%rbp
  4005d8:   48 83 ec 50             sub    $0x50,%rsp
  4005dc:   48 89 7d b8             mov    %rdi,-0x48(%rbp)
  4005e0:   c7 45 f8 00 00 00 00    movl   $0x0,-0x8(%rbp)

Its stack frame is created with 90 bytes, so if you want to change rbp you must input a lot. So if you want to change the other values like rbp, you must input more than 64. Unfortunately, it may not work, because when you go through the location of i, your input value will change the value of i, so buf[i++] may not be at the position you want. So the best way to change rbp is just to jump through the stack which was subtracted at the start.

Upvotes: 0

jaket

Reputation: 9341

This bit of code is protecting you from a segfault.

for (i = 0; i < BUFSIZE; i++)
      s[i] = buf[i];

You may run off of the end of the buf array but that is on the stack.

Why not just this?

*(int*)(0x00000000) = 0;

Upvotes: 1
