
I am trying to do a little exercise where I have an application that opens at a port, people can connect to it either with Telnet or Ncat, and they send a string that will overflow a buffer with the strcpy function. At the moment, the application runs and serves at the port that I want and I can send information without any problem. The problem happens when I try to overflow the EIP with the string, it just doesn't happen.

I won't post the whole code because it is really really big, I will put only the relevant part:

do {
    iResult = recv(ClientSocket, recvbuf, recvbuflen, 0);
    if (iResult > 0) {
        printf("Bytes received: %d\n", iResult);

        char buffer[250];

        strcpy(buffer, recvbuf);
    }
    else if (iResult == 0)
        printf("Connection closing...\n");
    else {
        printf("recv failed with error: %d\n", WSAGetLastError());
        closesocket(ClientSocket);
        WSACleanup();
        return 1;
    }
} while (iResult > 0);

As you can see, I receive the iResult, check if it is bigger than zero, and then I transfer the recvbuf, which is the string that I've received, into the buffer in order to overflow it. I have this solution working and overflowing the buffer in code that doesn't have this TCP logic; however, it doesn't overflow the EIP when I have the same logic with TCP.

To compile my code into an executable I am using:

i686-w64-mingw32-gcc -o test.exe program.c -lws2_32 -fno-stack-protector

which removes the stack protection, and I ran `sudo echo 0 > /proc/sys/kernel/randomize_va_space` to remove ASLR.

I assume that I am doing something wrong with TCP, and I am not able to overflow the buffer, let alone the EIP.

Do you guys have any idea why I can't overflow the buffer with the TCP solution?

  • First of all, are you programming in C or C++? They are two very different languages, and the solution might be vastly different. – Some programmer dude May 08 '22 at 13:49
  • Secondly, please try to create a proper [mre] to show us. For example what is `recvbuf`? What is `recvbuflen`, and what is its value? Why do you need two different buffers (`recvbuf` and `buffer`)? Is the string null-terminator included in the received data? Is the received data a string to begin with? And why don't you close your socket if the connection is being closed? – Some programmer dude May 08 '22 at 13:51
  • Why not just memcpy 'iResult' bytes? – Martin James May 08 '22 at 14:12
  • My guess is that is actually the problem. If the exploit string sent over TCP contains a 0 byte then strcpy() will terminate early and not cause a buffer overflow. On the other hand, if no 0 byte is sent at all then strcpy() will go wrong. The other option why it doesn't go bad would be if recvbuflen < 250. – Goswin von Brederlow May 08 '22 at 14:15

1 Answer

I solved the problem, and now I know why it didn't overflow.

The overflow happens when a function finishes and fetches the stored (but overwritten) return address to go back to main, in this case. It is the easiest way to reproduce a buffer overflow.

I changed the code to have this.

void vuln(char* arg) {
    char buffer[500];
    strcpy(buffer, arg);
}

And then I call it here:

do {
    iResult = recv(ClientSocket, recvbuf, recvbuflen, 0);
    if (iResult > 0) {
        printf("Bytes received: %d\n", iResult);

        vuln(recvbuf);
    }
    else if (iResult == 0)
        printf("Connection closing...\n");
    else {
        printf("recv failed with error: %d\n", WSAGetLastError());
        closesocket(ClientSocket);
        WSACleanup();
        return 1;
    }
} while (iResult > 0);

Actually found the solution here: https://security.stackexchange.com/questions/166279/cannot-overwrite-eip-in-basic-exploitation-example
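For contrast with the strcpy() calls in the question and answer, here is a bounded copy written for this page (it is not code from the question, the answer, or the linked thread). It copies exactly the number of bytes recv() reported, refuses data that would not fit in the fixed buffer, NUL-terminates the result itself, and exposes the embedded-NUL case from the comments as an explicit check; the function names are my own.

```c
#include <stddef.h>
#include <string.h>

/* Copy the `len` bytes that recv() actually returned into `dst` (a buffer of
 * `dstlen` bytes) and NUL-terminate the result so it is safe to use as a
 * string. Unlike strcpy(), this never reads past the received bytes, never
 * writes past `dst`, and does not stop early at an embedded NUL.
 * Returns the number of bytes stored, or -1 if the data does not fit
 * (the caller should reject the message or close the connection). */
int copy_received(char *dst, size_t dstlen, const char *src, size_t len)
{
    if (dst == NULL || dstlen == 0 || len >= dstlen) /* keep room for '\0' */
        return -1;
    if (len > 0) {
        if (src == NULL)
            return -1;
        memcpy(dst, src, len);
    }
    dst[len] = '\0';
    return (int)len;
}

/* Returns 1 if the received bytes contain no embedded NUL, 0 otherwise.
 * An embedded NUL is exactly the case where strcpy() would silently stop
 * copying early, which is why "the overflow just doesn't happen". */
int is_clean_string(const char *src, size_t len)
{
    if (src == NULL || len == 0)
        return 1;
    return memchr(src, '\0', len) == NULL;
}

/* Hardened counterpart of the answer's vuln(): same 500-byte stack buffer,
 * but the copy is bounded by the length recv() reported instead of by the
 * first NUL in recvbuf. Returns 0 on success, -1 if the input was rejected. */
int handle_received(const char *recvbuf, size_t received)
{
    char buffer[500];
    if (copy_received(buffer, sizeof buffer, recvbuf, received) < 0)
        return -1;
    /* buffer is now a NUL-terminated string of `received` bytes */
    return 0;
}
```

In the question's loop, `received` is the positive `iResult` that recv() returned; `recvbuflen` only bounds recv() itself, not any later copy.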