1

I am currently preparing a small presentation about computer security among my fellow students. To get them at least a bit excited I wanted to demonstrate how the wrong use of the strcpy-function inc C can be exploited. This is the code of the vulnerable program:

#include<string.h>
#include<stdio.h>
void function(char *buffer1)
{
 char buffer2[5];
 strcpy(buffer2,buffer1);
}

int main (int argc, char **argv)
{
 function(argv[1]);
 return 0;
}

Just using the command line I was able to crash the application by calling it with

test.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ

Which gave me the correct 0x4D4C4B4A (MLKJ) for the EIP. It also works if I call it from Python:

os.system("test.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ")

However, if I want to put an address instead of JKLM, like this:

 os.system("test.exe ABCDEFGHI\x75\x9a\x21\x1bNOPQRSTUVWXYZ")

It gives me following output near the ESP on the Stack:

0028cca0  e4 21 d7 41 42 43 44 45-46 47 48 49 75 c2 9a 21  .!.ABCDEFGHIu..!
0028ccb0  1b 4e 4f 50 51 52 53 54-55 56 57 58 59 5a 00 00  .NOPQRSTUVWXYZ..

Here the 75 c2 9a 21 matters because it is almost what I expected, except the 0x1B, which is the ASCII Character for ESCAPE, is replaced by 0xC2. When I change the order of the address, so it looks like this: \x21\x1b\x75\x9a, the 9a gets replaced by the same mysterious C2. Does anyone know whats the matter with the code? Am I missing some basic point or is it some kind of protection against stack based buffer overflows?

Thanks,

Improve this question
2
  • Which version of Python are you using (2.x or 3.x)? Commented May 16, 2011 at 21:51
  • Sorry I forgot to mention that: I am using Python 3.1 on Windows 7 64 bit Commented May 17, 2011 at 5:42

1 Answer 1

Reset to default
1

It looks like your text is undergoing UTF-8 conversion. Note that your original bytes:

75 9a 21 1b
   ^^

are replaced by

75 c2 9a 21 1b
   ^^^^^

I've highlighted the UTF-8 encoded byte. If you're using Python 3, try:

os.system(b"test.exe ABCDEFGHI\x75\x9a\x21\x1bNOPQRSTUVWXYZ")

The b"" indicates that the data is a byte sequence, and shouldn't be converted from Unicode to the default encoding (which in your case seems to be UTF-8).

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Hi, I tried that before, unfortunately it causes an Type error because the os.system() call expects a string, not bytes.
@AlexanderF: Perhaps you could try the subprocess module instead. I was able to successfully pass raw bytes through subprocess.Popen(["test.exe", b"ABCDE"]).
That does not work here, it says that the Type str does not support the buffer api.However, I was able to pass the desired bytes from another C program that uses the system() call.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.