
I am completely lost with this. I know I have to use a buffer overflow in order to get char 'c' to be the pointer address of ptr, but I have no idea how.

/*
* Task: Print out "Welcome to overflow!"
* Setup: You need to first run the command below (Note, system will ask your sudo password after running it)
*        echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
* Hint:
*       You can compile this code on ubuntu using the following command "gcc -fno-stack-protector -m32 -o hw hw.c"; note that you will need to run command "sudo apt-get install gcc-multilib" and then enter 'Y' before compiling your code using the aforementioned command
* Submission: a screenshot with commands like echo -e -n 'abcddd\x11\x1A' > tmp
*/

#include <stdio.h>

int main(){
  int a = 10;
  char *ptr;
  char c = 'X';
  char array[4];
  char array2[] = {'X', 'Y', 'Z'};
  ptr = &c;
  printf("please enter: \n");
  scanf("%s", array);

  /* The following is just for the purpose of debugging */
  printf("ptr is 0x%x \n", (unsigned int)ptr);
  printf("addr of array2[1] is %p \n", &array2[1]);

  *ptr = '5';

  if (array2[1] == '5') {
    printf("Welcome to overflow!\n");
  } else {
    printf("This is normal output!\n");
  }
}
Galen
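A hardened counterpart to the question's scanf("%s", array) line, as an added example (not the asker's code): the helper name read_into_array is hypothetical, and it reads from an embedded string with sscanf so the check runs offline; the same width specifier works unchanged with scanf on stdin.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example): read one whitespace-delimited token
 * from `input` into `array` of size `cap`, using a scanf width of cap - 1 so
 * the terminating NUL always fits. This is the bounded counterpart of the
 * homework's scanf("%s", array), which has no width limit and therefore lets
 * a token of 4 or more characters run past array[4] into c, ptr and a.
 *
 * Returns  1 if the whole token fit,
 *          0 if the token was longer than cap - 1 and was cut (the overflow
 *            case, now rejected instead of silently corrupting neighbours),
 *         -1 if there was no token at all. */
static int read_into_array(const char *input, char *array, size_t cap)
{
    char fmt[16];
    int consumed = 0;

    if (cap < 2) {            /* need room for at least one char plus NUL */
        return -1;
    }
    /* Builds "%3s%n" for cap == 4; %n records how many chars were consumed. */
    snprintf(fmt, sizeof fmt, "%%%zus%%n", cap - 1);

    if (sscanf(input, fmt, array, &consumed) != 1) {
        array[0] = '\0';
        return -1;
    }
    /* If the character after the stored token is neither whitespace nor the
     * end of input, the token was longer than the buffer and was truncated. */
    unsigned char next = (unsigned char)input[consumed];
    return (next == '\0' || isspace(next)) ? 1 : 0;
}

int main(void)
{
    char line[64];
    char array[4];             /* same size as in the homework program */

    printf("please enter: \n");
    if (fgets(line, sizeof line, stdin) == NULL) {
        return 1;
    }
    int rc = read_into_array(line, array, sizeof array);
    if (rc == 0) {
        fprintf(stderr, "input longer than %zu chars rejected\n", sizeof array - 1);
    }
    return rc == 1 ? 0 : 1;
}
```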

2 Answers


Generally, the compiler allocates automatic variables by decrementing the stack pointer by the necessary amount, and remembering that a variable name means “sp + N”. So each of your local variables {a, ptr, c, array, ...} will have corresponding offsets from the stack pointer, say {16,12,8,4,...}.

So, your task involves figuring out how your compiler lays out the stack [ there are no rules ], then the next steps should be apparent.

mevets
  • "...by decrementing the stack pointer" Except on those systems where it increments the stack pointer. – Lundin Dec 13 '17 at 08:00

Here is a step by step method, as requested, but without a full solution, as per StackOverflow policy for homework questions.

  1. Compile the program without changing anything and run it,
    using a short input like "a".
  2. Run the program with a short input again.
  3. See the pair of different addresses it gives as debug output each time; they must be identical across the two runs of the program.
  4. If they are different see the assignment comment "You need to ..."
  5. Do 1.-3. again. If the addresses are still not the same you are out of luck.
  6. Think why steps 1.-5. are necessary.
    If you do not know read your text book again carefully.
  7. Create a small text file in a way to be able to make the content non-printable characters.
    If you do not know how, see the assignment comment
    "with commands like ..."
  8. The text file now should have a very specific length. Which length exactly you need to determine by looking at the output of addresses in the last run of the program. If you do not know how to determine the length from the value, read your text book again carefully and check the answer by mevets.
  9. The actual content of the first part of the text file is irrelevant, it just needs a certain small part of the total length. How long? See text book and code of the program.
  10. The content of the rest of the text file is special. It needs to be what you want written to the variable ptr. What content exactly needs to be derived from the output of the last run of the program. You will also need some knowledge on specific mechanisms of your CPU. This is probably easiest to find out by experiment. A few crashes of the program with wrong inputs will not hurt.
  11. Call the program in a way that it takes the text file as input.
  12. The output should be

    please enter:
    ptr is 0x????????
    addr of array2[1] is ????????
    Welcome to overflow!

Where the ? are hexadecimal values specific to your environment,
there is a little trick hidden here...

  13. Make a screenshot of all your commands and the output.
  14. Hand that in, with an explanation of
    how everything works,
    what the trick is,
    the relevance of the variable a and
    why you cannot directly overwrite array[1] with the input.
  15. Hope that your teacher knows neither StackOverflow
    nor a good search engine...
  16. Next time pay attention and start working earlier.

Picking up a valid comment by Lundin (questioning the direction of stack growth):
In the case Lundin mentions (probably a rare case), step 8 changes. You have to determine the length not so much by looking at the address pair but by looking at the code of the program.
Step 10 changes, too. The content of the end of the text file is not what you want written to ptr but what you want written somewhere else, in what could be described as a more "direct" approach.
Step 14 becomes much easier.

Yunnosch
  • By "StackOverflow policy" I refer to https://meta.stackoverflow.com/questions/334822/how-do-i-ask-and-answer-homework-questions The "policy" being that an answerer can choose one of the two largely different ways of answering described there and something of a compromise. Which one I chose should be obvious. Let me know if you consider "StackOverflow policy" an inappropriate term to describe this. – Yunnosch Dec 13 '17 at 07:46