
I'm trying to overflow the following function:

void function(int param){
    char overflow[32];
    gets(overflow);
}

I'd like to gain control of the integer parameter. This is an x86 platform.

This is what I'm giving as the string to overflow:

python -c "print '\x41'*33 + '\x41'*4 + '\x41'*4 + '\xFF\xFF\xFF\xFF'"

These are my assumptions, please correct them:

  • 33 bytes are allocated for the string (32 chars plus the null byte)
  • 4 bytes for the address of the last EBP
  • 4 bytes for the return address
  • 4 bytes for the integer parameter (where I want the \xFF to appear)

However, this isn't working. What am I missing?

Full code:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);   // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}
0x23hgww45
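Added example (not code from the question or from the CTF it comes from): the same function shape as the posted func(), but with the unbounded gets() replaced by a bounded fgets() read, so the 32-byte buffer cannot be overrun and key keeps whatever main() passed in regardless of input length. The names read_line_bounded, func_hardened, demo_oversized and demo_drain are mine; fmemopen (POSIX) is assumed available and is used only so the demo can feed a constructed over-long line instead of reading stdin.

```c
/* Added example: hardened counterpart of the question's func().
 * Assumes a POSIX libc (fmemopen) for the self-contained demo. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Read one line into dst, never storing more than cap bytes including the
 * terminating NUL. Returns the number of characters stored. If the line was
 * longer than cap-1 characters, the remainder is drained so it cannot spill
 * into the next read (a common follow-on bug when switching to fgets). */
size_t read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0)
        return 0;
    if (fgets(dst, (int)cap, in) == NULL) {
        dst[0] = '\0';
        return 0;
    }
    size_t len = strcspn(dst, "\n");
    int truncated = (dst[len] != '\n');   /* no newline seen: line was cut */
    dst[len] = '\0';
    if (truncated) {
        int c;
        while ((c = getc(in)) != EOF && c != '\n')
            ;                             /* discard the rest of the line */
    }
    return len;
}

/* Same shape as the posted func(), minus the overflow. The buffer is still
 * 32 bytes (the compiler adds no byte for '\0', as the comments note); the
 * read is simply bounded by sizeof overflowme. Returns key so a caller can
 * verify it survived the read untouched. */
unsigned int func_hardened(unsigned int key, FILE *in)
{
    char overflowme[32];
    read_line_bounded(overflowme, sizeof overflowme, in);
    if (key == 0xcafebabe)
        puts("would spawn a shell here");
    else
        puts("Nah..");
    return key;
}

/* Constructed input: line_len 'A's followed by a newline, far longer than
 * the buffer. Returns the key as func_hardened saw it. */
unsigned int demo_oversized(size_t line_len)
{
    char line[256];
    if (line_len > sizeof line - 2)
        line_len = sizeof line - 2;
    memset(line, 'A', line_len);
    line[line_len] = '\n';
    line[line_len + 1] = '\0';
    FILE *in = fmemopen(line, line_len + 1, "r");
    if (in == NULL)
        return 0;
    unsigned int k = func_hardened(0xdeadbeef, in);
    fclose(in);
    return k;
}

/* Constructed input: a 40-character line, then "second". The first read
 * must store 31 characters and drain the rest, so the second read sees
 * "second" rather than leftover 'A's. Returns 1 on success, 0 otherwise. */
int demo_drain(void)
{
    char src[64];
    memset(src, 'A', 40);
    memcpy(src + 40, "\nsecond\n", 9);   /* 8 characters plus NUL */
    char buf[32];
    FILE *in = fmemopen(src, strlen(src), "r");
    if (in == NULL)
        return 0;
    size_t first = read_line_bounded(buf, sizeof buf, in);
    size_t second = read_line_bounded(buf, sizeof buf, in);
    int ok = (first == 31 && second == 6 && strcmp(buf, "second") == 0);
    fclose(in);
    return ok;
}

int main(void)
{
    printf("key after a 200-byte line: 0x%x\n", demo_oversized(200));
    printf("drain check: %s\n", demo_drain() ? "ok" : "FAILED");
    return 0;
}
```

The drain step matters in practice: fgets alone leaves the tail of an over-long line in the stream, and the next prompt in the program would silently consume it.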
    Have you tried looking at the generated assembly? It should tell you the layout of the stack. – Cornstalks Aug 08 '16 at 02:01
  • Can you post the rest of the program? Where's your `main` and how are you calling your `function`, among other things? Some of those details might also be relevant. It'll be easier if you post a full [MCVE](http://stackoverflow.com/help/mcve). – code_dredd Aug 08 '16 at 02:01
  • Possible duplicate of [Why am I not getting a stack overflow?](http://stackoverflow.com/questions/13901587/why-am-i-not-getting-a-stack-overflow) – code_dredd Aug 08 '16 at 02:03
  • @ray Sure, I'll add the rest of the code. It's part of an online CTF, but it's part of the "baby" section so answers/questions can be posted. – 0x23hgww45 Aug 08 '16 at 02:03
  • Are you compiling with `-m32 -fno-stack-protector` ? – David C. Rankin Aug 08 '16 at 02:05
  • @DavidC.Rankin I haven't compiled it, it's hosted on a CTF web server and I interact with it over the wire. – 0x23hgww45 Aug 08 '16 at 02:06
  • Let me get that right: You intentionally invoke **undefined** behaviour and complain it does behave **undefined**? Hmm, I don't see a problem with that code. (What is **correct** undefined behaviour?) – too honest for this site Aug 08 '16 at 02:50
  • **32** bytes allocated for the string, not 33. The C compiler won't add an extra byte for '\0'. It expects **you** to do it. After all, it doesn't know this particular char array will be a null-terminated string. – rslemos Aug 08 '16 at 05:31

0 Answers