Long long ago in a far galaxy I studied the C/C++ languages. A few days ago I decided to refresh what I knew back then, but the common lessons with the usual Hello World examples bored me. That is why I decided to create my own tutorials for myself... and for all you guys, of course. You will need some basic understanding of the language, because I am just going to reinvent trivial source examples.

So, today I want to create a program that will read my keyboard input and then print it out. Kind of lame, isn't it? We'll see ;) I am going to create two functions in the code. The first one, MainTask, reads my input into a char array 5 bytes in size and then prints that array to the screen. The second function, LazyBastard, just prints a simple line, for example: "You made this lazy function to work!". Everything seems trivial so far, right? I will add an extra task. In the main function I will call only MainTask. LazyBastard will not be called anywhere in the code, but I want to make it run without referencing it in the source! So take a look at the source; it should be clearer to you now.

#include "stdio.h"

Now let's compile it. This is a very sensitive step; all the following results depend on it. I am using a 32-bit Linux OS with the gcc 4.5.7 compiler. I compile my code with the line

gcc -fno-stack-protector -ggdb -o test test.c

Here -fno-stack-protector disables the stack protector (the canary that would otherwise detect the overwrite), so the compiler lets us overflow the buffer. -ggdb adds debugging information so the program is much easier to follow while disassembling in gdb. After you compile this code, let's try to run it:

$ ./test
bla1
bla1
$

So it seems like our program works. I enter bla1 and it prints bla1. But we set the max size of the buffer variable to 5. What if it is exceeded? Let's try.

$ gdb -q ./test

What do we see here? First we save the ebp register on the stack, then we move the stack address into the ebp register. After that we allocate 0x28 bytes (40 bytes) for the stack frame.

Then comes the buffer variable: lea eax, [ebp-0xd]. That means the compiler placed the buffer 0xd (13) bytes below ebp. So, to trigger the overflow we just need to enter a line longer than 13 ASCII characters. If you add 4 more bytes to overwrite the saved ebp and then put the address of the LazyBastard function after all that, LazyBastard will be called when MainTask returns. First let's get the address of the LazyBastard function:

(gdb) disas LazyBastard

We see that LazyBastard is located at address 0x0804843c. So let's cook up a line that will overflow the stack in MainTask and call LazyBastard for us. First we need a 13 + 4 byte string. That would be:

123456789overflow

Now we need to append the address of LazyBastard to the end of the string. x86 processors, 32- and 64-bit alike, are little-endian: a multi-byte value is stored least-significant byte first. So the address 0x|08|04|84|3c| needs to be reversed to |3c|84|04|08|. These are the four bytes that represent the address of LazyBastard in our payload. To send this payload to our program as a binary string we need some tool; in Linux the common bash printf is enough. So now let's run our code with the payload:

printf "123456789overflow\x3c\x84\x04\x08" | ./test

And we did it! Our lazy bastard had to work this time. We took our stack overflow under control. Was it interesting? Please ask here about anything you did not get so I can correct this article. If you liked it, click the banner below so I can get some reward for it.
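The whole trick only works because MainTask reads an unbounded line into a 5-byte array, and because -fno-stack-protector removed the canary that would have caught the overwrite. The following is an added example, not code from the original post: a replacement for the read in MainTask that uses fgets, which never writes more than the buffer size, so a long line is truncated instead of reaching the saved ebp and return address. The reader reports whether truncation happened so the program can react (reject the input, log it) rather than silently carrying on. The 5-byte buffer size is taken from the post; the hypothetical helpers read_from_string and check_read feed a constructed byte string through the reader using POSIX fmemopen so the behaviour can be exercised without a terminal.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(), used only by the demo helper */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 5   /* the post's 5-byte buffer (assumption: same size as in the post) */

/* Hardened replacement for the read in the post's MainTask. fgets writes at
 * most bufsize-1 bytes plus a terminator, so a 21-byte payload cannot reach
 * the saved ebp or the return address. Returns 1 if the line was longer
 * than the buffer (the excess bytes are discarded), 0 if it fit, -1 on EOF
 * with no data. */
int read_line_bounded(FILE *in, char *buf, size_t bufsize) {
    int c;
    size_t len;
    if (bufsize == 0 || fgets(buf, (int)bufsize, in) == NULL) {
        if (bufsize) buf[0] = '\0';
        return -1;
    }
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {    /* whole line fit, drop the newline */
        buf[len - 1] = '\0';
        return 0;
    }
    c = fgetc(in);
    if (c == '\n' || c == EOF) return 0;      /* line fit exactly, nothing left over */
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drop the overflow bytes */
    return 1;
}

/* Demo helper (hypothetical): feed a constructed byte string through the
 * reader as if it were stdin. Assumes POSIX fmemopen, as on Linux/glibc. */
int read_from_string(const char *input, size_t input_len, char *buf, size_t bufsize) {
    FILE *f = fmemopen((void *)input, input_len, "r");
    int r;
    if (f == NULL) return -1;
    r = read_line_bounded(f, buf, bufsize);
    fclose(f);
    return r;
}

/* Demo helper (hypothetical): 1 when the reader returns expect_status and
 * the buffer holds exactly `expect` afterwards, 0 otherwise. */
int check_read(const char *input, size_t input_len, const char *expect, int expect_status) {
    char buf[BUF_SIZE];
    int r = read_from_string(input, input_len, buf, sizeof buf);
    return r == expect_status && strcmp(buf, expect) == 0;
}

int main(void) {
    char buf[BUF_SIZE];
    /* constructed: the post's own payload, 17 bytes of filler then a 4-byte address */
    const char payload[] = "123456789overflow\x3c\x84\x04\x08";
    int truncated = read_from_string(payload, sizeof payload - 1, buf, sizeof buf);
    printf("stored \"%s\" (truncated=%d)\n", buf, truncated);   /* stored "1234" (truncated=1) */
    truncated = read_from_string("bla1\n", 5, buf, sizeof buf);
    printf("stored \"%s\" (truncated=%d)\n", buf, truncated);   /* stored "bla1" (truncated=0) */
    return 0;
}
```

With this reader the 21-byte payload from the post leaves only "1234" in the buffer and a truncation flag; the address bytes never touch the stack frame. Keeping the stack protector enabled (the default, without -fno-stack-protector) is the second layer: even if some other unbounded write slips through, the canary check aborts the program before the corrupted return address is used.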
August 2016