
The modern compiler GCC is so powerful that it can even prevent buffer overflows at compile time, so that the OS cannot run code in stack space.

For example:

#include <string.h>

void function(char *str) 
{
   char buffer[16];

   /* Copies 256 bytes into a 16-byte buffer: this is the overflow under test. */
   strncpy(buffer, str, 256);
}

int main(void) 
{
  char large_string[256];
  int i;

  /* Fill the whole array with 'A' (0x41); it carries no NUL terminator, but
     strncpy() with an explicit length of 256 does not need one. */
  for( i = 0; i < 256; i++)
    large_string[i] = 'A';

  function(large_string);
  return 0;
}

The only way I can get the magic 0x41414141 is to set GCC compile parameters like:

gcc -fno-stack-protector -z execstack stackoverflow.c -o stackoverflow

(I tested it on an Ubuntu 10.04 Lucid x86 32-bit box)

Is there any way I can bypass the GCC stack smashing protection ?

iabdalkader
JustForTest
  • Which limitation are you referring to, and why do you want to bypass whatever it is? – Jonathan Leffler Oct 23 '12 at 06:55
  • You want to intentionally corrupt the stack? Why? And your code has a bug, btw. You forgot to NULL-terminate `large_string`. The `strcpy()` won't be limited to just 255 bytes. – Nikos C. Oct 23 '12 at 06:57
  • I think you mean to ask if it's possible to bypass the gcc stack protection, if so you should edit the question to make that clear. – iabdalkader Oct 23 '12 at 06:57
  • 1
    @NikosChantziaras With that bug it's even better! – Alexey Frunze Oct 23 '12 at 06:58
  • @JonathanLeffler The limitation is that I can overwrite the eip register only and must set the -fno-stack-protector and execstack parameter when compile the code. Without setting the two parameters above I can not exploit the buffer overflow trick even through there is a "strcpy(buffer,str)" problem – JustForTest Oct 23 '12 at 06:58
  • You can bypass it, but the most effective way for that is to look at the generated code to see how it should be done. – Alexey Frunze Oct 23 '12 at 07:01
  • @JustForTest it's not a limitation it's a feature – iabdalkader Oct 23 '12 at 07:01
  • @mux exactly! That's what I want. Actually it is my homework that we need found the buffer overflow venerability in the C code and exploit it(run shellcode through it). The problem is that even through I found the problem in strcpy() function, I can not exploit it because the code is compiled with the gcc stack protection. – JustForTest Oct 23 '12 at 07:04
  • 1
    Then compile it without the protection. Where's the problem? – Nikos C. Oct 23 '12 at 07:06
  • @mux thanks for you edit to make the question more clear ;-) – JustForTest Oct 23 '12 at 07:07
  • @AlexeyFrunze Could you show me an solution about how to bypass the GCC stack smashing protection for this problem I met? – JustForTest Oct 23 '12 at 07:09
  • Study the assembly output from the compiler to figure out how the protection works. Use the `-S` option. – Alexey Frunze Oct 23 '12 at 07:10
  • @NikosChantziaras The problem is that I can not compile it without the protection, I need to bypass the stack protection – JustForTest Oct 23 '12 at 07:10
  • @AlexeyFrunze That bug in the code could make strcpy crash before it returns and it could also fill the stack with unexpected values (not 'A's) don't you think it should be fixed? – iabdalkader Oct 23 '12 at 07:16
  • @mux Yeah, I should've added a smiley. – Alexey Frunze Oct 23 '12 at 07:17
  • There's a bug in that example code, that will only complicate things further for you, I've made some changes to the post I think they were not committed. – iabdalkader Oct 23 '12 at 07:42
  • @mux could you send the commit again? – JustForTest Oct 23 '12 at 07:48
  • @mux why we should use strncpy() instead of strcpy()? – JustForTest Oct 23 '12 at 08:05
  • @JustForTest because you have to either null-terminate or specify the number of bytes you wish to copy from a string, otherwise, strcpy will keep on copying bytes until it reaches a null byte or crashes, and it will never return, see my above comment. – iabdalkader Oct 23 '12 at 08:09

2 Answers

You should disable the stack protection when compiling:

gcc -fno-stack-protector -z execstack stackoverflow.c -o stackoverflow

And you may want to also disable address space randomization (ASLR):

sudo sh -c 'echo 0 > /proc/sys/kernel/randomize_va_space'

Now you can try the buffer overflows. I recommend reading Smashing the Stack for Fun and Profit.

Edit:

Like I said in my comment, it's safe to assume that it's acceptable in your assignment to disable the stack protection; however, if you want to bypass the stack protection you should check SO for questions related to canaries, like this question:

Is there any way to bypass SSP (StackSmashing Protection)/Propolice?

iabdalkader
  • Is there a way that I can directly smash the stack without any parameter setting? – JustForTest Oct 23 '12 at 07:15
  • Your assignment asks for exploiting a buffer overflow; I think it's safe to assume that disabling the stack protection is acceptable, otherwise the problem is really much more complicated. – iabdalkader Oct 23 '12 at 07:22
  • yes, I think so. Just so curious if there is a way to bypass such powerful stack protection. On the other side, is it right to say it is safe for a code even though there is a stack overflow hole in it, since the code in the stack cannot be run after the stack-protected compilation? (The worst case for such a problem is program termination; the hacker cannot run shellcode through it) – JustForTest Oct 23 '12 at 07:27
  • Just a minor correction: your `echo` command will not work. It should be something like `sudo sh -c 'echo 0 > /proc/sys/kernel/randomize_va_space'`. – mtvec Oct 23 '12 at 07:43
  • @Job Thanks ! I always forget that :) – iabdalkader Oct 23 '12 at 07:46
  • @mux why can I not simply echo a "0" to the randomize_va_space file? – JustForTest Oct 23 '12 at 07:50
  • @JustForTest you need to be root to do that and execute the whole command as root. – iabdalkader Oct 23 '12 at 07:57
  • @mux Hi, mux. Could you give me your email address? I want to talk more about my buffer overflow homework. – JustForTest Oct 24 '12 at 07:12
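As an added example (not from the question or either answer), a small Python audit that reads the two properties those compiler flags control straight out of an ELF binary: whether the PT_GNU_STACK program header marks the stack executable (the effect of -z execstack) and, as a heuristic string search, whether the binary references __stack_chk_fail (what -fstack-protector emits). build_test_elf constructs a synthetic header for testing only; it is not a loadable program.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header GCC/ld emit for -z execstack / -z noexecstack
PF_X = 0x1                 # "executable" bit in p_flags

def parse_gnu_stack(data: bytes):
    """True if PT_GNU_STACK marks the stack executable, False if not,
    None if the header is absent (then the kernel's default applies)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4                       # p_flags follows p_type in Elf64_Phdr
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24                      # p_flags is the 7th field in Elf32_Phdr
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
            return bool(p_flags & PF_X)
    return None

def references_stack_chk_fail(data: bytes) -> bool:
    """Heuristic: a dynamically linked binary built with -fstack-protector
    imports __stack_chk_fail, so its name shows up in .dynstr."""
    return b"__stack_chk_fail" in data

def build_test_elf(exec_stack: bool, is64: bool = True) -> bytes:
    """Constructed sample: ELF header plus one PT_GNU_STACK entry (not loadable)."""
    flags = 0x6 | (PF_X if exec_stack else 0)       # RW, plus X for execstack
    if is64:
        hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
            "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        return hdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    hdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return hdr + struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    print("executable stack:", parse_gnu_stack(blob))
    print("references __stack_chk_fail:", references_stack_chk_fail(blob))
```

Run it against the binary from the answer's gcc line and against a default build to see both flags flip; `readelf -lW` and `nm -D` give the same information if you prefer the toolchain's own output.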

There are certainly ways to circumvent the stack smashing protection (called stack canaries) although it won't be easy in your example. See my answer here for some of the weaknesses of stack canaries.

mtvec
  • Could you give a simple workable example for such stack canaries? – JustForTest Oct 23 '12 at 07:31
  • @JustForTest: I'm afraid not. The only way to circumvent the stack canary in your example would be to overwrite it with the same value. Since there is no memory leakage vulnerability, the only way to do this is to brute force it which probably isn't viable... – mtvec Oct 23 '12 at 07:38