Modifying the rsp stack pointer

Question

I am trying to place a format string exploit but am unclear as to how this works exactly. In this code I am trying to overwrite the stack pointer with the address of my choice. I am sending this address in an input argument.

int main(int argc, char* argv[])
{
   cout<<"In main"<<endl;    
   char outbuf[10];
   char buffer[10];
   sprintf (buffer, "%4s", argv[1]);
   sprintf (outbuf, buffer);      
   return 0;
}

Now, on passing run "``python -c "print '%24d' + '\x9a\x08\x40\x00\x90\x90\x90\x90\x90\x90ABCDEFGHIJJKLMNOPQRST'"``" in gdb, I am able to corrupt the return address of the main function to 0x909090909040089a. I need my return address to get pointed just to 0x40089a though. I have tried appending nop commands as above and \0 as well but nothing seems to have worked. Kindly explain as to how make this work.

Answer 1

If you disassemble your program, you will find that at some point it: (1) might load rsp from a stack location, depending on compiler & options. (2) loads rpc from a stack location via a ret instruction.

You need to get the value loaded in (2) to point to the code you want it to execute. Your attempt seems to centre on the string in argv[1]; which may not be possible (see below); but changing the length of the program argument (or environment vars) may change the address that argv[1] is at. Once you know these, values, you need to construct an argv[1] that over-writes the location in (2) with the address of the code you want to execute.

(below): some cpus/os’s have a mechanism to prevent you from executing addresses outside of the .text section. If you are on one of these architectures, you will need to disassemble the program and shared libraries to find a code sequence that does what you want, then construct your argv[1] string to transfer control to this location.

Since you are just doing this for kicks, try to turn off those options, otherwise what you want to do is a lot more work for little increased joy.