0

I have installed the linux distro named DVL (damn vulnerable linux), and I'm exercising with buffer overflow exploits. I wrote two virtually identical programs which are vulnerable to bof:

//bof_n.c
#include <stdio.h>
void bof() {
  printf("BOF");
}

void foo(char* argv) {
  char buf[10];
  strcpy(buf, argv);
  prinf("foo");
}

int main(int argc, char* argv[]) {
  if (argc >= 1) {
    foo(argv[1]);
  }
  return 0;
}

and

//bof.c
#include <stdio.h>
void bof() {
  printf("BOF!\n");//this is the only change
}

void foo(char* argv) {
  char buf[10];
  strcpy(buf, argv);
  prinf("foo");
}

int main(int argc, char* argv[]) {
  if (argc >= 1) {
    foo(argv[1]);
  }
  return 0;
}

After that I compiled both of them, and I obtained the bof() function address in both cases (e.g., objdump -d bof.o | grep bof). Let's name such an address ADDR which is on 4 byte.

I also found that if I write 32 byte in the buf variable, the EIP register is completely overwritten (I cannot copy here the output of gdb since it is on a virtual machine).

Now, if I do:

./bof `perl -e 'print "\x90"x28 . "ADDR"'`

I get:

fooBOF!
Segmentation fault

Instead if I try the same approach but using bof_n, I only get the "Segmentation fault" message. Therefore I tried to increment the number of time ADDR value is repeated, and I found that if it is being repeated for at least 350 times, I get the wanted result. But instead of having the output above exactly, I get a long list of "BOF" messages one after the other. I tried to obtain just one "BOF" message, but apparently I cannot do that (I got or zero, or a long list of them). Why this is happening? Any idea?

I'm using DVL with gcc 3.4.6

Improve this question
3
  • 1
    Size of perl -e 'print "\x90"x28 . "ADDR"' > size of buf[10]. 30+ > 10. Commented Aug 29, 2013 at 2:13
  • 1
    Also size of result of perl -e 'print "\x90"x28 . "ADDR"' may be more then 10. Commented Aug 29, 2013 at 2:15
  • @mbratch: Everything the software does is of course fully deterministic. Commented Aug 29, 2013 at 4:59

2 Answers 2

Reset to default
1

What's your goal?

You should really be using a debugger for this, try the GDB Debugger or gdb. With it you can see the memory/registers/stack and disassembly of whats currently going on in the system.

I'd guess that in the first function, the string being only 3 characters in length, gets optimized to \x42\x4f\x46\x00, so the disassembly may be slightly different.

The C source is pretty much irrelevant, you'll need to either disassemble or fuzz both binaries to find appropriate size for both NOP sleds.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Ok, maybe I was not very precise. I'm actually using GDB and in the bof_n example, and I finally find out the problem is when the message "BOF" has to be printed. The eip is correctly overwritten and the execution jumps to the bof() function, the only problem is that (I don't know why) the printf does not work in this case. Perhaps is due to the flyshing, I'll try with fprintf and STDERR.
0

I found out the solution. The issue was about the printing of the message and not the buffer overflow exploit itself. In fact the register eip was being correctly overwritten also in the bof_n example, and the program flow was being correctly redirected in the bof() function. The problem was that, apparently, the stdout were not flushed out before the Segmentation fault and hence no message was being shown.

Instead, using fprintf(stderr, "BOF");, I finally get the "BOF" message.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.