So I am trying to disassemble this simple C program on strncat:

    #include <string.h>

    int main(int argc, char **argv) {
        char buf[128];
        strncat(buf, argv[1], sizeof(buf));
    }

After disassembling it:

[screenshot: disassembly of main]

So the thing is the string in argv[1] is to be copied to [rbp-0x80]; rsi has a pointer to argv[1] and rdi is [rbp-0x80].

[rbp-0x80] is 0x7fffffffe0d0 in my case.

This is the input that I pass as argv[1]: perl -e 'print "B"x10;print "A"x118'

So 0x7fffffffe0d0 - 0x7fffffffe0da are supposed to have 4242..., but there is an address stored from 0x7fffffffe0d5 - 0x7fffffffe0d0.

Here is the screenshot before calling the strncat function: [screenshot: memory at [rbp-0x80] before strncat]

Here is the screenshot after calling the strncat function: [screenshot: memory at [rbp-0x80] after strncat]

I don't get why the string starts from 0x7fffffffe0d6 rather than 0x7fffffffe0d0. [screenshot: memory dump]

Any ideas?

EDIT:

Screenshot with inputs: [screenshot: program inputs]

Dhayalan Pro
  • @PeterCordes that's what I thought, so I printed the string using printf. For the input string hello I am getting Hello as output, and if I have `perl -e 'print "A"x15'` I get 15 A, but after 16 I get �����AAAAAAAAAAAAAAAA. Any ideas? I'll update the question with the screenshot. – Dhayalan Pro Jun 05 '16 at 16:20
  • So you're actually using `AAAAAAAAAAAAAAAA...` as the arg, not `perl -e 'print...`? i.e. you're using the output of the perl command, not the text of the perl command like your question says? backquotes are the stackoverflow markdown for `code`. You should say you're using `$(perl -e ...)` as the arg. – Peter Cordes Jun 05 '16 at 16:23
  • But anyway, non-ascii garbage near the start of `buf` is exactly what your gdb dump shows is there. Why is any of this surprising? It would be easier to read if you dumped in byte-size chunks, rather than words (since x86 is little-endian). The last (least significant) byte of each 32bit hex value is the first byte in memory order. – Peter Cordes Jun 05 '16 at 16:24
  • @PeterCordes perl -e 'print "A"x10' produces 10 A, just to ease things off :) Just wondering why for the string Hello (and input less than 16 bytes) the output is without garbage. – Dhayalan Pro Jun 05 '16 at 16:27
  • gcc emits code that keeps the stack 16B-aligned. Probably a longer arg string takes up that much more space on the stack, and that's the threshold where `rsp` bumps down by 16B inside `main`. So `buf[]` has different uninitialized garbage. – Peter Cordes Jun 05 '16 at 16:29
  • Also, you should be running as root. [That's just a bad idea.](http://apple.stackexchange.com/a/192422/118588). Create a user account for yourself. – Peter Cordes Jun 05 '16 at 16:30
  • I know what `perl` does. But look at your question. There aren't backquotes around it in the text of your question, because backquotes are a markdown formatting character. So they didn't appear literally in your question, making it look like you were saying you used `perl ...` as the actual arg. That's why I suggested you should have written `$(perl -e ...)`, because it's clearer, [and `$()` is better anyway](http://mywiki.wooledge.org/BashFAQ/082). – Peter Cordes Jun 05 '16 at 16:33
  • @PeterCordes Haha, yeah I know running as root is a bad idea, it's running on a VM :) Yeah, the '`' got lost, sorry for that, my bad. – Dhayalan Pro Jun 05 '16 at 16:38

1 Answer

You don't initialize buf[], and the uninitialized garbage in it happens not to start with a 0. You used strncat, not strncpy, so it looks for the start of the existing string. Fortunately there is a zero near the start of the buffer, so you don't actually overflow it. (Which is possible because you used strncat wrong.)

Surprisingly, neither gcc nor clang know enough about strncat to warn about reading uninitialized data. clang-3.8 does warn that you got the size wrong:

strncat doesn't include the terminating 0 in the count, but it always writes one (unlike strncpy). And the count doesn't include strlen(dst), either. The count is the max number of chars it will read from the source, not the size of the dest buffer.

Peter Cordes
  • Yeah, that's the issue :D. Before strncat is called, 0x7fffffffe0d0 had 7ffffffffe250, which was ending with a null char, so it got appended to it. Now the issue is that while running it normally, i.e. ./a.out hello, I get hello; when I run it with gdb I get the junk value o.O – Dhayalan Pro Jun 05 '16 at 16:42
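As an added example (not the asker's program or the answerer's code), the C below reproduces both points of the answer deterministically and shows the corrected call. `demo_uninitialized_offset` fills a small buffer with constructed non-zero "garbage" and plants a 0 at offset 6, so the appended text lands at offset 6 instead of 0, just as the gdb dump in the question shows. `append_bounded` is a hypothetical helper (not a libc function) that derives strncat's count from the free space in the destination rather than from `sizeof(buf)`: the count is the maximum number of bytes read from the source, it excludes the terminator that strncat always writes, and it excludes whatever is already in the destination. The buffer sizes and strings are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append src to dst without writing past dst_size bytes.
 * dst must already hold a valid C string (an initialized buffer). Returns the
 * number of source bytes appended, or -1 if dst has no room for a terminator. */
int append_bounded(char *dst, size_t dst_size, const char *src) {
    size_t used = strlen(dst);
    if (used >= dst_size) return -1;   /* not even space for the '\0' */
    size_t room = dst_size - used - 1; /* leave one byte for the terminator */
    strncat(dst, src, room);           /* reads at most `room` bytes of src */
    return (int)(strlen(dst) - used);
}

/* The bug pattern from the question, made reproducible: the destination is
 * not a string that starts at buf[0], so strncat appends after the first 0 it
 * finds. Returns the offset at which "hello" actually ended up (6, not 0). */
size_t demo_uninitialized_offset(void) {
    char buf[16];
    memset(buf, 'X', sizeof buf);      /* constructed "garbage": no 0 at buf[0] */
    buf[6] = '\0';                     /* like the stray 0 at offset 6 in the question */
    /* count derived from free space so this demo itself stays in bounds */
    strncat(buf, "hello", sizeof buf - strlen(buf) - 1);
    return (size_t)(strstr(buf, "hello") - buf);
}

#define BOUNDED_DEMO_SIZE 8

/* Correct use: initialize the buffer, then append with bounded counts.
 * Appends a then b into an 8-byte stack buffer and returns 1 if the result
 * equals `expected`, so truncation and termination are observable. */
int bounded_append_gives(const char *a, const char *b, const char *expected) {
    char out[BOUNDED_DEMO_SIZE];
    out[0] = '\0';                     /* strncat needs an existing string in dst */
    append_bounded(out, sizeof out, a);
    append_bounded(out, sizeof out, b);
    /* strlen(out) is never more than BOUNDED_DEMO_SIZE - 1 here */
    return strcmp(out, expected) == 0;
}

int main(void) {
    printf("appended text starts at offset %zu in the garbage buffer\n",
           demo_uninitialized_offset());
    printf("\"BBBB\" + \"AAAAAAAA\" into %d bytes gives \"BBBBAAA\": %s\n",
           BOUNDED_DEMO_SIZE,
           bounded_append_gives("BBBB", "AAAAAAAA", "BBBBAAA") ? "yes" : "no");
    return 0;
}
```

The second demo is the defensive version of the asker's call: `out[0] = '\0'` makes the destination a real string, and `sizeof out - strlen(out) - 1` keeps the copy inside the buffer while still leaving room for the terminator, so a 12-byte input into an 8-byte buffer is truncated to 7 bytes instead of overflowing.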