2

I am working on stack smashing on ARM and I have a buffer declared as:

char buff[12];

in my code.

In order to find the location where the PC gets overwritten in gdb I write

AAAABBBBCCCCDDDDEEEEFFFF to buff

I expected DDDD to overwrite FP (r11) as 0x44444444 (and it did), but the PC was overwritten with 0x45454544 (instead of 0x45454545).

Does anyone have an idea why the last byte is D (44) instead of E (45)? I have tried longer input, but the value in the PC always drops by a few bits.

Screenshot of GDB output

user234461
dbayoxy
  • "overwitten with 0x45454544 (instead of 0x45454544)" They're the same value. Did you mean "overwitten with 0x45454544 (instead of 0x4545454**5**)"? – user234461 Jan 24 '20 at 14:47
  • Have you tried printing the address of `&buff[0]`? – user234461 Jan 24 '20 at 14:50
  • instead of 0x45454545! – dbayoxy Jan 24 '20 at 14:50
  • 1
    The LSBs of the PC are reserved/special: you can't set the two LSBs in ARM mode, they are stripped off; you can't set the LSB in Thumb mode, it is stripped off going into the PC. – old_timer Jan 24 '20 at 15:21
  • As also with the stack pointer(s). If you want to do some hacking, do some hacking that actually works for the architecture; random values won't do it. – old_timer Jan 24 '20 at 15:21
  • How do you load those bytes into `PC` exactly? Is it through an `LDM`, `MOV`, `BX`, etc..? In any case, the ARM reference manual contains general rules regarding writes to `PC`, as well as instruction-specific notes that complement/supplant those general rules. – Michael Jan 24 '20 at 15:29
  • @old_timer I actually wanted to place an address to a function at 0x45454545 using something like python -c 'print "AAAABBBBCCCCDDDD" + "\x88\x12\x45\x04"'. Though it didn't work as expected. – dbayoxy Jan 24 '20 at 15:34
  • @Michael I entered the input from the command line to fill the 12-byte buffer with 24 bytes. – dbayoxy Jan 24 '20 at 15:39
  • Sure, but by what instruction did you then transfer 4 of those bytes into the PC register? – Michael Jan 24 '20 at 16:33
  • @Michael I typed in AAAABBBBCCCCDDDDEEEEFFFF (the program uses scanf) – dbayoxy Jan 24 '20 at 16:55

1 Answer

0

The PC register cannot hold an odd value - the LSBs are forced to 0 to ensure the address is aligned.

Armali
  • Does that mean the content is still equivalent to EEEE(0x45454545)? – dbayoxy Jan 24 '20 at 15:06
  • 1
    In ARM mode the address has to be four-byte aligned, in Thumb mode two-byte aligned. In neither case can the LSB be set; for ARM mode bit 1 cannot be set. The bits are stripped when they are loaded into the PC; the PC does not have that or those bits set. – old_timer Jan 24 '20 at 18:46
  • 1
    It is pretty easy to check: `add r0,r0,pc`. – old_timer Jan 24 '20 at 18:47
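The following Python model, added here as an illustration rather than code from the answer or the commenters, reproduces the observation in the question: it slices the 24-byte input into the words that land in the saved FP and saved LR slots, then applies the PC write rules described above. It goes slightly beyond the answer by also modelling the interworking form of the write (BX, and on ARMv5T and later an LDM/POP that loads PC), where bit 0 is consumed as the Thumb-state selector rather than silently dropped; the visible PC value is 0x45454544 either way. The frame layout (saved FP directly after the 12-byte buffer, saved LR directly after that) is an assumption taken from the question's own observation that DDDD reached FP; real frames may hold padding or other locals.

```python
import struct

# Constructed input: the same string the question types into scanf.
PAYLOAD = b"AAAABBBBCCCCDDDDEEEEFFFF"

# Assumed frame layout (from the question's observation, not a general rule):
# the saved FP sits right after the 12-byte buffer, the saved LR right after it.
BUF_SIZE = 12


def overflow_words(payload: bytes, buf_size: int = BUF_SIZE) -> dict:
    """Return the little-endian words the payload writes into the saved FP and LR slots."""
    fp_off, lr_off = buf_size, buf_size + 4
    if len(payload) < lr_off + 4:
        raise ValueError("payload too short to reach the saved LR slot")
    (fp,) = struct.unpack_from("<I", payload, fp_off)
    (lr,) = struct.unpack_from("<I", payload, lr_off)
    return {"fp": fp, "lr": lr}


def write_pc(value: int, thumb: bool) -> int:
    """Model a plain (non-interworking) PC write.

    ARM state clears bits[1:0] (4-byte alignment), Thumb state clears bit 0
    (2-byte alignment). The dropped bits are simply discarded.
    """
    mask = ~0x1 if thumb else ~0x3
    return value & mask & 0xFFFFFFFF


def bx_write_pc(value: int) -> tuple:
    """Model an interworking PC write (BX; LDM/POP with PC in the list on ARMv5T+).

    Bit 0 selects the Thumb state and is then cleared; if the target is ARM
    state, bit 1 is cleared as well. Returns (pc, thumb_state).
    """
    thumb = bool(value & 1)
    return write_pc(value, thumb), thumb


def explain(payload: bytes = PAYLOAD) -> dict:
    """Trace the payload from the overflowed buffer to the value visible in PC."""
    words = overflow_words(payload)
    pc, thumb = bx_write_pc(words["lr"])
    return {"fp": words["fp"], "lr": words["lr"], "pc": pc, "thumb": thumb}


if __name__ == "__main__":
    r = explain()
    print(f"saved FP = 0x{r['fp']:08x}, saved LR = 0x{r['lr']:08x}")
    print(f"value that lands in PC = 0x{r['pc']:08x}, Thumb state = {r['thumb']}")
```

Running it prints a saved LR of 0x45454545 but a PC of 0x45454544, which is exactly the mismatch the question reports; `write_pc` shows that a plain write in either ARM or Thumb state gives the same visible value, so GDB alone cannot tell the two rules apart, while `bx_write_pc` shows the extra side effect (a state switch) that an odd value causes on cores where the epilogue's pop is interworking.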