2

I would like to write a vulnerable program, to better understand Stack Overflow (causes) in c#, and also for educational purposes. Basically, I "just" want a stack overflow, that overwrites the EIP, so I get control over it and can point to my own code. My problem is: Which objects do use the stack as memory location? For example: the Program parses a text file with recursive bytewise reading until a line break is found (yeah, I think nobody would do this, but as this is only for learning...). Currently, I'm appending a string with the hex value of chars in a text file. This string is a field of an object that is instanciated after calling main(). Using WinDbg, I got these values after the stack has overflown from (nearly) endless recursion:

(14a0.17e0): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0023f618 edx=778570b4 esi=fffffffe edi=00000000
eip=778b04f6 esp=0023f634 ebp=0023f660 iopl=0

BTW I'm using a Win7x86 AMD machine, if this is from interest. I've seen many C++ examples causing a stack overflow using strcpy, is there any similar method in c#?

Best Regards, NoMad

edit: I use this code to cause the stack overflow.

class FileTest
{
    FileStream fs = new FileStream("test.txt", FileMode.Open, FileAccess.Read);
    string line = String.Empty;
    public FileTest()
    {
        Console.WriteLine(ReadTillBreak());
    }

    private string ReadTillBreak()
    {
        int b = 0;
        b = fs.ReadByte();
        line += (char)b;
        if (b != 13)
            ReadTillBreak();
        return line;
    }
}

Is it possible to overflow the stack and write into the eip with the line string (so, content of test.txt)?

NoMad
  • 702
  • 2
  • 11
  • 27
  • If you're looking to understand vulnerabilities of managed systems, check out Erez Metula's excellent book on managed code rootkits: http://www.amazon.com/Managed-Code-Rootkits-Hooking-Environments/dp/1597495743/ref=sr_1_1?ie=UTF8&qid=1332014581&sr=8-1 – zmbq Mar 17 '12 at 20:03

2 Answers2

4

The reason you can do exploit stack corrupts in C and C++ is because you handle memory yourself and the language allows you to do all sorts of crazy stuff. C# runs in an environment that is specifically designed to prevent a lot of these problems. I.e. while you can easily generate a stack overflow in C# there's no way that you can modify the control flow of the program that way using managed code.

The way exploits against managed environments usually work is by breaking out of the sandbox so to speak. As long as the code runs in the sandbox there are a lot of these tricks that will simply not work.

If you want to learn about stack corruption I suggest you stick to C or C++.

Brian Rasmussen
  • 114,645
  • 34
  • 221
  • 317
  • oh yeah now this makes sense, I already thought about .net VM preventing such things, but I hoped this would although be possible in my favourite programming language. Thanks for the advice – NoMad Mar 17 '12 at 17:42
0

I'm not entirely clear on you descriptions of what you have tried. Stack overflows do not generally "overwrite the EIP".

To cause a stack overflow, the most straight forward way is something like this.

void RecursiveMethod()
{
    RecursiveMethod();
}

Since each call to this method stores the return address on the stack, calling it endlessly like this without returning will eventually use up all stack space. Of course, modern Windows applications have tons of stack space so it could take a while. You could increase the amount of stack usage for each call by adding arguments or local variables within the method.

Jonathan Wood
  • 65,341
  • 71
  • 269
  • 466