
This is only for academic use. Software security course. The teacher wants me to fool the program by entering something, a pointer address I guess, to run a different function than f2 or f3. I can see all memory addresses using GDB. What should I enter to run f1?

Thanks for helping.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

typedef void (*fptr)(void); // function-pointer type used by ptrs[] and p1 (declaration not shown in the question)

void f1 (void) { puts("f1"); } // f1 address 0x8048559 (bodies elided in the question; placeholders)
void f2 (void) { puts("f2"); } // f2 address 0x804857e
void f3 (void) { puts("f3"); } // f3 address 0x8048627

fptr ptrs[3] = {NULL, f2, f3}; // ptrs address 0x804a0d4; three initializers need three slots

int main(int argc, char *argv[]) {
    char  buf[1024] = {0}; // buf address 0xbffff130
    int r; // r address 0xbffff530
    fptr p1 = f1; // p1 address 0xbffff534

    r = read(0, buf, sizeof(buf)-sizeof(char));

    if(r > 0) {
        buf[r] = '\0';
        int s = atoi(buf);    // no range check: any s is used as a subscript into ptrs[]
        fptr tmp = ptrs[s];
        tmp();
    } else {
        return 1;             // the question's `break;` is not inside a loop
    }
    return 0;
}
amdixon
  • What have you tried to do? Where are the problems? – lrleon Nov 01 '15 at 02:40
  • I don't know how to fool the content of the s variable to run the f1 function. That is the problem. I tried to enter f1's address, but it did not work. – Maximiliano Nunes Catarino Nov 01 '15 at 02:46
  • maybe you have to use buffer overflow? – rav_kr Nov 01 '15 at 02:48
  • The buffer overflow flaw allows rewriting the return address of the function, fooling the program into running what you want. But if I understand correctly it's possible to run another function without rewriting the return address on the stack memory. But I don't know how. – Maximiliano Nunes Catarino Nov 01 '15 at 02:57
  • Fill in the buffer with AAA.... until you get the BOF error: with the debugger you will notice that p1 has been overwritten by AAA. Replace the end of AAA by B and more B's until the var gets filled with B's; you have to replace the last B's (it should be 4 B's) by "\x59\x85\x04\x08". A & B are 0x41 & 0x42 respectively. And try. – milevyo Nov 01 '15 at 03:20

1 Answer


The array subscript operator a[b] is equivalent to *((a)+(b)).

Addition between a pointer and an integer will first multiply the integer by the size of the type at which the pointer points, then the multiplied value and the pointer are added.

For that reason, decimal value of (0xbffff534 - 0x804a0d4) / sizeof(fptr) (771675416 if sizeof(fptr) is 4) should work.

If I am right, using that value, the address of ptrs[s] should be the address of p1 and using tmp() the function f1 will be called.

MikeCAT
  • Hello MikeCat, that really worked. Entering 771675416 the p1 function was executed on tmp(). Forgive my ignorance, but I do not understand the equation. (0xbffff534 - 0x804a0d4) = 0xB7FB5460 0xB7FB5460 / 4 = 0x2DFED518 = 771675416. My bad. Wrong translation. Thanks very much. – Maximiliano Nunes Catarino Nov 01 '15 at 03:32
  • `0xbffff534` is `f1`'s address and `0x804a0d4` is `ptrs`'s address. Get the offset by subtracting them and divide the result by `sizeof(fptr)` to convert the offset to array subscript. – MikeCAT Nov 01 '15 at 03:43
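The subscript arithmetic in the answer, and the check the course program is missing, as an added example in C (this is not MikeCAT's code or the course's program). `subscript_for` only does the integer arithmetic `(target - base) / sizeof(element)` on the question's addresses and touches no memory; `dispatch_checked` is a hardened stand-in for the `atoi(buf); ptrs[s]; tmp();` sequence that parses strictly, checks the subscript against the real array length and refuses the empty slot before making the indirect call. The functions `f1`..`f3`, the `last_called` recorder, the `DISPATCH_*` result codes and the sample inputs are all constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef void (*fptr)(void);

/* Stand-ins for the question's f1/f2/f3: each just records which one ran. */
static int last_called = 0;
static void f1(void) { last_called = 1; }
static void f2(void) { last_called = 2; }
static void f3(void) { last_called = 3; }

/* Same table as the question: slot 0 is deliberately empty. */
static fptr ptrs[] = { NULL, f2, f3 };
#define NPTRS (sizeof ptrs / sizeof ptrs[0])

/* Mirrors the question's `fptr p1 = f1;`, the object its subscript reached. */
fptr p1 = f1;

/* The answer's arithmetic: a[b] is *(a + b), and a + b advances by
 * b * sizeof(*a) bytes, so the subscript that lands on an arbitrary
 * address is (target - base) / sizeof(element). Pure integer arithmetic
 * on address values; no memory is read or written. */
unsigned long subscript_for(uintptr_t base, uintptr_t target, size_t elem_size) {
    return (unsigned long)((target - base) / elem_size);
}

/* Result codes of the hardened dispatcher (constructed for this example). */
enum {
    DISPATCH_OK           =  0,
    DISPATCH_BAD_INPUT    = -1,  /* not a clean decimal number */
    DISPATCH_OUT_OF_RANGE = -2,  /* subscript outside ptrs[] */
    DISPATCH_NO_HANDLER   = -3   /* slot exists but holds NULL */
};

/* Hardened replacement for `int s = atoi(buf); fptr tmp = ptrs[s]; tmp();`.
 * atoi() silently accepts garbage and gives no way to detect errors, and
 * the original code never compares s with the array length. */
int dispatch_checked(const char *input) {
    char *end;
    errno = 0;
    long s = strtol(input, &end, 10);
    if (end == input || errno == ERANGE)
        return DISPATCH_BAD_INPUT;
    if (*end == '\n')                       /* tolerate the newline read() leaves behind */
        end++;
    if (*end != '\0')
        return DISPATCH_BAD_INPUT;
    if (s < 0 || (unsigned long)s >= NPTRS) /* the check the question's program lacks */
        return DISPATCH_OUT_OF_RANGE;
    if (ptrs[s] == NULL)
        return DISPATCH_NO_HANDLER;
    ptrs[s]();                              /* only reached for a vetted, non-NULL slot */
    return DISPATCH_OK;
}

int last_dispatched(void) { return last_called; }

int main(void) {
    /* The question's addresses with the 32-bit sizeof(fptr) of 4. */
    printf("subscript from ptrs to p1: %lu\n",
           subscript_for(0x804a0d4u, 0xbffff534u, 4));
    printf("771675416 -> %d (out of range)\n", dispatch_checked("771675416"));
    printf("1 -> %d, ran f%d\n", dispatch_checked("1"), last_dispatched());
    return 0;
}
```

With the range check in place the value from the answer is rejected before any subscript is formed, so the only functions reachable through `ptrs[]` are the ones the table was written to hold; the `NULL` check additionally turns input `0` into an error instead of a call through a null pointer.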