-6

I am reading a book titled Hacking: The Art of Exploitation, and I have a problem with the section Stack-Based Buffer Overflow Vulnerabilities. I am following the instructions given by the author, but I don't get the expected results.

First, here is the program auth_overflow2.c, copied from the book:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int check_authentication(char *password) {
   char password_buffer[16];
   int auth_flag = 0;

   strcpy(password_buffer, password);

   if(strcmp(password_buffer, "brillig") == 0)
      auth_flag = 1;
   if(strcmp(password_buffer, "outgrabe") == 0)
      auth_flag = 1;

   return auth_flag;
}

int main(int argc, char *argv[]) {
   if(argc < 2) {
      printf("Usage: %s <password>\n", argv[0]);
      exit(0);
   }
   if(check_authentication(argv[1])) {
      printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
      printf("       Access Granted.\n");
      printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
   } else {
      printf("\nAccess Denied.\n");
   }
}

This is a copy of my Ubuntu terminal:

(gdb) break 19
Breakpoint 1 at 0x40077b: file auth_overflow.c, line 19.
(gdb) break 7
Breakpoint 2 at 0x4006df: file auth_overflow.c, line 7.
(gdb) break 12
Breakpoint 3 at 0x40072a: file auth_overflow.c, line 12.
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/test/a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, main (argc=2, argv=0x7fffffffdf08) at auth_overflow.c:19
19      if(check_authentication(argv[1])) {
(gdb) i r esp
esp            0xffffde10   -8688
(gdb) x/32xw $esp
0xffffffffffffde10: Cannot access memory at address 0xffffffffffffde10
(gdb) c
Continuing.

Breakpoint 2, check_authentication (password=0x7fffffffe2cc 'A' <repeats 30 times>) at auth_overflow.c:7
7       strcpy(password_buffer, password);
(gdb) i r esp
esp            0xffffddc0   -8768
(gdb) x/32xw $esp
0xffffffffffffddc0: Cannot access memory at address 0xffffffffffffddc0
(gdb) p 0xffffde10 - 0xffffddc0
$1 = 80
(gdb) x/s password_buffer
0x7fffffffdde0: "\001"
(gdb) x/x &auth_flag
0x7fffffffdddc: 0x00
(gdb)

When I try x/32xw $esp I get: 0xffffffffffffde10: Cannot access memory at address 0xffffffffffffde10

The same thing happens when I continue to the second breakpoint. When the author types x/s password_buffer the output is:

0xbffff7c0: "?o??\200????????o???G??\020\205\004\b?????\204\004\b????\020\205\004\bH???????\002"

but my output looks like this:

0x7fffffffdde0: "\001"

My i r esp result is also different from the book.

In the book there are two hexadecimal numbers:

esp 0xbffff7e0 0xbffff7e0

I am using Ubuntu and GCC and GDB.

Roham Amini
  • 361
  • 3
  • 12
  • 3
    Format it please if you want an answer. – TobiasR. Jul 09 '15 at 14:41
  • It's hard to try and help when the format is off and also no access to the book - however I would recommend http://resources.infosecinstitute.com/stack-analysis-with-gdb/ - this might aid in the reasoning for the corrupted esp. Does the binary error when you run it from the shell? Also the line numbers mean nothing with the source you have supplied. – Neil Jul 09 '15 at 14:47
  • Are you on 64 bit computer? why are you looking at `esp`, look at `rsp`. – yngccc Jul 09 '15 at 14:51
  • I tried to re-format and fix up the question a bit. But now it seems the line numbers don't match. – Thomas Padron-McCarthy Jul 09 '15 at 14:57
  • Thanks Thomas, well the code is fine, so I think it could either be the build parameters or gdb reporting incorrectly. @LDS how are you building the binary? – Neil Jul 09 '15 at 15:07
  • @yngum I am using Ubuntu 64 bit running it on Oracle VirtualBox and I am just following the instructions from the book. – Roham Amini Jul 09 '15 at 15:12
  • 1
    Need to disable buffer overflow protections. This has been answered here: http://stackoverflow.com/questions/14144216/buffer-overflow-not-working – DmitryK Jul 09 '15 at 15:13
  • "Mr 1337 Hacker, please wait while I compile my program in a less safe, non-default way, with optimizations disabled so that the auth_flag variable gets allocated exactly where you expect it on the stack, and not in a register or such. Would you prefer that, or should I just tell you the password?" – Lundin Jul 09 '15 at 15:15
  • @LDS you just follow the book without knowing what is going on? `0xffffffffffffde10` is a huge number, you cannot address that memory. `esp` is the lower 32 bits of the stack pointer, since you are on 64 bit, you need to look at `rsp` which is the real stack pointer. also the values you observe will not be the same as in the book, since you are using a different computer. – yngccc Jul 09 '15 at 15:21
  • @yngum I am not new to programming but this is a new topic for me and I am confused. Do you know any book which can help me understand this topic better? Thanks – Roham Amini Jul 09 '15 at 15:33
  • 1
    Please go and learn to hack somewhere else. – Martin James Jul 09 '15 at 15:35
  • @LDS no, I don't read books myself. Look up manuals on assembly, or write C programs and look at the assembly and reason through it. – yngccc Jul 09 '15 at 15:45

2 Answers

0

I think I might have the answer - your argv[1] is pointing to the 30 'A's - and you have a password buffer of 16. The strcpy() will just fill the buffer and beyond.

I would increase the buffer size to a larger size (say 255 bytes).

In practice, you should review your code, even examples, and make them more robust (example: allowing for passwords larger than 16).

Lundin
  • 195,001
  • 40
  • 254
  • 396
Neil
  • 1,036
  • 9
  • 18
-1

Please reduce the number of As; try 17 As and it will work.

RAJU
  • 1
  • 1
  • You should explain what's happening in the answers, so that the OP understands his mistake. In this specific case 17 As will still overflow the buffer. So the maximum password length is supposed to be 15. But the whole exercise is to **overflow** the buffer and see what happens on the Stack. – Costantino Grana Jun 01 '21 at 11:22
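To make the length thresholds discussed in the answers and comments concrete, here is an added example (not the book's code and not from any answer above) that models the two stack layouts in play. The first struct assumes the book's layout, with auth_flag directly above the 16-byte buffer, which is what lets the overflow set the flag. The second follows the gdb output in the question, where &auth_flag (0x7fffffffdddc) is four bytes below password_buffer (0x7fffffffdde0): an overflow runs toward higher addresses, so on that build it never reaches the flag and instead heads for the saved frame pointer and return address. The struct layouts, the unsafe_copy helper and the clipping at the end of the struct are assumptions made so the model runs under defined behaviour; the real strcpy has no such clip. A third function shows the length check that actually closes the hole; a bigger buffer, as suggested in the first answer, only moves the threshold.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the book's 32-bit frame: password_buffer at the lower
 * address, auth_flag directly above it, so bytes copied past the buffer
 * spill into the flag. The compiler makes no promise about this order. */
struct frame_flag_above {
    char password_buffer[16];
    int  auth_flag;
};

/* Assumed model matching the gdb output in the question: auth_flag four
 * bytes BELOW password_buffer. The overflow writes toward higher
 * addresses, so it walks off the end of the frame (saved rbp, return
 * address) instead of touching the flag. */
struct frame_flag_below {
    int  auth_flag;
    char password_buffer[16];
};

/* What the unbounded strcpy does to a frame, clipped at the end of the
 * struct so the model itself stays within defined behaviour. */
static void unsafe_copy(void *frame, size_t frame_size, size_t buf_off,
                        const char *password)
{
    size_t n = strlen(password) + 1;        /* strcpy copies the NUL too */
    size_t room = frame_size - buf_off;     /* bytes left in the model */
    memcpy((unsigned char *)frame + buf_off, password, n < room ? n : room);
}

/* Vulnerable check, flag above the buffer (the book's layout). */
int check_flag_above(const char *password)
{
    struct frame_flag_above f;
    memset(&f, 0, sizeof f);                /* auth_flag = 0 */
    unsafe_copy(&f, sizeof f,
                offsetof(struct frame_flag_above, password_buffer), password);
    if (strncmp(f.password_buffer, "brillig", sizeof f.password_buffer) == 0)
        f.auth_flag = 1;
    if (strncmp(f.password_buffer, "outgrabe", sizeof f.password_buffer) == 0)
        f.auth_flag = 1;
    return f.auth_flag;                     /* any non-zero value grants */
}

/* Same check, flag below the buffer (the layout gdb showed). */
int check_flag_below(const char *password)
{
    struct frame_flag_below f;
    memset(&f, 0, sizeof f);
    unsafe_copy(&f, sizeof f,
                offsetof(struct frame_flag_below, password_buffer), password);
    if (strncmp(f.password_buffer, "brillig", sizeof f.password_buffer) == 0)
        f.auth_flag = 1;
    if (strncmp(f.password_buffer, "outgrabe", sizeof f.password_buffer) == 0)
        f.auth_flag = 1;
    return f.auth_flag;
}

/* Hardened check: refuse input that does not fit with its terminator.
 * The layout of the frame no longer matters because nothing is written
 * past password_buffer. */
int check_fixed(const char *password)
{
    char password_buffer[16];
    int auth_flag = 0;
    size_t len = strlen(password);
    if (len >= sizeof password_buffer)      /* 15 characters at most */
        return 0;
    memcpy(password_buffer, password, len + 1);
    if (strcmp(password_buffer, "brillig") == 0)
        auth_flag = 1;
    if (strcmp(password_buffer, "outgrabe") == 0)
        auth_flag = 1;
    return auth_flag;
}

/* Build a run of n 'A's (capped at 63) and feed it to one of the checks. */
typedef int (*check_fn)(const char *);
int result_for_n_As(check_fn check, size_t n)
{
    char input[64];
    if (n >= sizeof input)
        n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return check(input);
}

int main(void)
{
    size_t lengths[] = { 15, 16, 17, 30 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        size_t n = lengths[i];
        printf("%2zu A's: flag-above=%d  flag-below=%d  fixed=%d\n", n,
               result_for_n_As(check_flag_above, n),
               result_for_n_As(check_flag_below, n),
               result_for_n_As(check_fixed, n));
    }
    printf("\"brillig\": flag-above=%d  flag-below=%d  fixed=%d\n",
           check_flag_above("brillig"), check_flag_below("brillig"),
           check_fixed("brillig"));
    return 0;
}
```

Compile with cc -o overflow_model overflow_model.c and run it. In the flag-above layout 15 As is the longest input that fits together with its terminator, 16 As already writes one byte past the buffer (the NUL lands in the flag, so nothing visible changes) and 17 As puts 0x41 into the flag, which is non-zero and therefore "Access Granted". In the flag-below layout the flag stays 0 for every length, which is why the book's result does not reproduce on the 64-bit build from the question; the damage there is to whatever lies above the buffer. The fixed variant returns 0 for every run of As and 1 only for the two real passwords.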