3

I'm trying (for learning purposes) to take advantage of the gets() function vulnerability using the return-oriented programming (ROP) technique. The target program is a Windows console application that at some point asks for some input, and then uses gets() to store the input in a local 80-character array.
I created a file that contains 80 'a' characters at the beginning + some extra characters + the 0x5da06c48 address for overwriting the old EIP pointer.
I'm opening the file in a text editor and copy-pasting the content into the console as input. I've used IDA Pro (or OllyDbg) to set a breakpoint right after the return from the gets() function and noticed that the address was corrupted - it was set to 0x3fa03f48 (two 3f substitutions).
I've tried other addresses as well - some of them work well, but most of the time the address is being corrupted (sometimes characters are missing or substituted, sometimes truncated).
How do I get around this problem? Any suggestion will be highly appreciated!

Alex Lipov
  • @NiklasB. gets doesn't perform any bounds checks. – Alex Lipov Mar 17 '12 at 19:58
  • Oh, man, of course you're right... Can you provide a minimal C example program that shows the issue you describe? I'd like to run it in a debugger myself, because what you describe seems a bit unlikely to me. I don't see why `gets` would mangle the input in any way after reading it. The only thing I can imagine is that you have null bytes or newlines (0x0a or 0x0d) inside your payload. – Niklas B. Mar 17 '12 at 20:05
  • I ensured that no bad bytes are included in the payload. For example, you can compile the [Wikipedia example](http://en.wikipedia.org/wiki/Stack_buffer_overflow#Exploiting_stack_buffer_overflows): just replace the strcpy call with gets(c);. – Alex Lipov Mar 17 '12 at 21:13
  • Can't reproduce this. I can [properly overwrite the saved return pointer](http://pastie.org/3617507) here. – Niklas B. Mar 17 '12 at 21:32
  • Maybe your copy+paste incorrectly translates the data using some codepage conversion? – Willem Hengeveld Mar 18 '12 at 13:39
  • Maybe you can try to use a hex editor to create a binary file containing the data you want to send to `gets`, and then use `<` file redirection to input the data, that way avoiding any character translation. – Willem Hengeveld Mar 18 '12 at 13:40
  • @Willem: In my experience, `<` input redirection on Windows should work properly even on binary data. Copy+Paste could be an option, though. – Niklas B. Mar 18 '12 at 14:56
  • Thanks for the replies, guys. It was indeed the copy-paste issue, because redirecting the input works well. Does anyone know how exactly the conversion is happening? What is the regularity? – Alex Lipov Mar 24 '12 at 22:13

2 Answers

1

Copy-Pasting binary data is hit-and-miss. Have you tried feeding the input into your test program directly from the file using input redirection?

skoy
-1

First of all, keep track of the endianness of your platform. If you think your bits are in the right order but you are still getting malformed input, it might be that your shell/text editor isn't binary-safe. You are better off writing an exploit for this flaw in a scripting language such as Python, using the subprocess library, which allows you to write data directly to an arbitrary process's stdin pipe.

Mikey
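Both answers make the same point: a text-mode hop (clipboard, console code page, editor) can silently rewrite bytes, while a binary pipe or file redirection delivers them intact. The script below is an added example, not code from the question or from either answer. It models a lossy text-mode round trip (a generic decode/encode through two code pages with unmappable characters replaced by '?', which is what a corrupted payload looks like, not a claim about the exact steps the Windows console takes), then delivers the same bytes over a stdin pipe with `subprocess` to a small Python echo child that stands in for the program under test, and reports any byte that differs. It also flags the bytes Niklas mentions (0x00, 0x0a, 0x0d) that cannot survive a `gets()` call regardless of how they are delivered. The sample input is constructed here from the address quoted in the question; the child command and helper names are this example's own.

```python
import subprocess
import sys

# Constructed sample: 8 filler bytes followed by the 4-byte little-endian
# encoding of the address quoted in the question (0x5da06c48).
SAMPLE = b"a" * 8 + (0x5da06c48).to_bytes(4, "little")


def text_round_trip(data: bytes, decode_cp: str, encode_cp: str) -> bytes:
    """Model a lossy text-mode hop: the raw bytes are interpreted as text in
    one code page and re-emitted in another. Any byte with no mapping is
    replaced by '?' (0x3f). This is a generic model of a text conversion,
    not the exact behaviour of any particular console or editor."""
    text = data.decode(decode_cp, errors="replace")
    return text.encode(encode_cp, errors="replace")


def binary_round_trip(data: bytes) -> bytes:
    """Deliver the bytes over a binary stdin pipe to a child process and
    return what the child received. The child is a tiny Python echo that
    copies its binary stdin to stdout; it stands in for the program under
    test, which would be started the same way with subprocess."""
    child = [sys.executable, "-c",
             "import sys; sys.stdout.buffer.write(sys.stdin.buffer.read())"]
    result = subprocess.run(child, input=data, capture_output=True, check=True)
    return result.stdout


def find_bad_bytes(data: bytes, forbidden=(0x00, 0x0a, 0x0d)) -> list:
    """Report (offset, value) for bytes that cannot pass through gets()
    intact: gets() stops reading at a newline, and a NUL terminates the
    resulting C string."""
    return [(i, b) for i, b in enumerate(data) if b in forbidden]


def diff_bytes(expected: bytes, actual: bytes) -> list:
    """List (offset, expected, actual) for every differing position, plus a
    trailing ("length", expected_len, actual_len) entry if sizes differ."""
    diffs = [(i, e, a) for i, (e, a) in enumerate(zip(expected, actual)) if e != a]
    if len(expected) != len(actual):
        diffs.append(("length", len(expected), len(actual)))
    return diffs


if __name__ == "__main__":
    print("bytes gets() cannot carry:", find_bad_bytes(SAMPLE))
    lossy = text_round_trip(SAMPLE, "cp1252", "ascii")
    print("text hop :", lossy.hex(), diff_bytes(SAMPLE, lossy))
    exact = binary_round_trip(SAMPLE)
    print("pipe     :", exact.hex(), diff_bytes(SAMPLE, exact))
```

Running it shows the text-mode path turning the 0xa0 byte into 0x3f while the pipe returns the input unchanged; `diff_bytes` is the check to run against a debugger's view of the buffer when you suspect the delivery path rather than the program.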