4

I'm doing a buffer overflow exercise where the source code is given. The exercise allows you to change the number of argument vectors you feed into the program so you can get around the null problem making it easy.

However the exercise also mentions that it is possible to use just 1 argument vector to compromise this code. I'm curious to see how this can be done. Any ideas on how to approach this would be greatly appreciated.

The problem here is that length needs to be overwritten in order for the overflow to take place and the return address to be compromised. To my knowledge, you can't really use NULLs in the string since they are being passed in via execve arguments. So the length ends up being a very large number as you have to write some non zero number causing the entire stack to go boom, it's the same case with the return address. Am I missing something obvious? Does strlen need to be exploited. I saw some references to arithmetic overflow of signed numbers but I'm not sure if turning the local variables does anything.

The code is posted below and returns to a main function which then ends the program and runs on a little endian system with all stack protection turned off as this is an introductory exercise for infosec:

int TrickyOverflowSeq ( char *in )
{
    char       to_be_exploited[128];
    int        c;
    int        limit;

    limit = strlen(in);
    if (limit > 144)
        limit = 144;

    for (c = 0; c <= limit; c++)
            to_be_exploited[c] = in[c];

    return(0);
}
Improve this question
3
  • Note that the C standard does not say anything about the relative addresses of to_be_exploited, c, or limit. The compiler is free to lay them out in any order; different options to the compiler can lay them out in different orders. Unless you're using an unusual system, sizeof(int) == 4, so 128 + 2 * 4 = 136, leaving you at least 8 bytes to overwrite any control information on the stack (if you can overwrite c and limit; 16 bytes if you can't). All you have to do is call the program with an argument of at least 144 characters: ./yourprog $(perl -e 'print "A" x 144'). Commented Jan 28, 2014 at 5:37
  • 1
    under controlled environment (disabled ASLR) and assume the stack is growing down (high to low), you can overwrite the limit variable so it would allow you to bypass the limit and copy over the rest of the data into the buffer. The issue is that to overwrite the limit, assuming you have 32bit aligned machine, you would have to have \x00 in your buffer/in, this won't cause strlen to bypass len of 144, so you wouldn't be able to overwrite the value. need to figure out a way to have \x00 in memory without actually using the null character Commented Jan 28, 2014 at 5:55
  • Yeah, this is a 64 bit machine, but your idea is essentially the solution (\x00 without using null) Commented Jan 28, 2014 at 6:06

3 Answers 3

Reset to default
1

I don't know where arg comes from, but since your buffer is only 128 bytes, and you cap the max length to 144, you need only pass in a string longer than 128 bytes to cause a buffer overrun when copying in to to_be_exploited. Any malicious code would be in the input buffer from positions 129 to 144.

Whether or not that will properly set up a return to a different location depends on many factors.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Sorry about that, it was a typo. If I pass in a string >128 bytes, I'm walking into the territory of c and limit but nothing past that unless I modify limit. I can choose to skip over c and start to modify limit but the problem is the modification of limit needs to be NULL terminated otherwise it ends up being a very large number causing the stack to become corrupted. The only way I can think of doing this is by trying to preserve the frame pointers and preserve return addresses of the previous stack frames that came before this.
Well, what you "walk over" depends on which way the stack grows, but let's assume it grows up as you say. You're corrupting the stack any way you look at it; you're just trying to do so intelligently. The only thing that needs to be null terminated is in because, otherwise, you invoke UB (too early and uncontrollably). So, if in contains a null terminated string of 145 bytes, you have the last 8 bytes to play with (this assumes 8 byte ints). You can put whatever you like there and, if everything is setup as you say, you will overwrite limit, but only a byte at a time in that loop.
0

However the exercise also mentions that it is possible to use just 1 argument vector to compromise this code. I'm curious to see how this can be done.

...

The problem here is that length needs to be overwritten in order for the overflow to take place and the return address to be compromised.

It seems pretty straightforward to me. That magic number 144 makes sense if sizeof(int) == 8, which it would if you are building for 64-bit.

So assuming a stack layout where to_be_exploited comes before c and limit, you can simply pass in a very long string with junk in the bytes starting at offset 136 (i.e., 128 + sizeof(int)), and then carefully crafted junk in the bytes starting with offset 144. This will overwrite limit starting with that byte, thus disabling the length check. Then the carefully crafted junk overwrites the return address.

You could put almost anything into the 8 bytes starting at offset 136 and have them make a number that is large enough to disable the security check. Just make sure you don't end up with a negative number. For example, the string "HAHAHAHA" would evaluate, as an integer, to 5206522089439316033. This number is larger than 144... actually, it's too large as you want this function to stop copying once your string is copied. So you just need to figure out how long your attack string actually is and put the correct bytes for that length into that position, and the attack will be copied in.

Note that normal string-handling functions in C use a NUL byte as a terminator, and stop copying. This function doesn't do that; it just trusts limit. So you could put any junk you want in the input string to exploit this function. However, if normal C library functions need to copy the input data, you might end up needing to avoid NUL bytes.

Of course nobody should put code this silly into production.

EDIT: I wrote the above in a hurry. Now that I have more time, I re-read your question and I think I better understand what you wanted to have explained.

You are wondering how a string can correctly clobber limit with a correct length without having strlen() chop it off short. This is impossible on a big-endian computer, but perfectly possible on a little-endian computer.

On a little-endian computer, the first byte is the least significant byte. See the Wikipedia entry:

http://en.wikipedia.org/wiki/Endianness

Any number that is not ridiculously large must have zero in its most significant bytes. On a big-endian computer that means the first several bytes will all be zero, will act like a NUL, and will cause strlen() to chop the string before the function can clobber limit. However, on a little-endian computer, the important bytes you want copied will all come before the NUL bytes.

In the early days of the Internet, it was common for big-endian computers (often bought from Sun Microsystems) to run Internet server apps. These days, commodity x86 server hardware is most common, and x86 is little-endian. In practice, anyone deploying such exploitable code as the TrickyOverflowSeq() function will get 0wned.

If you don't think this answer is thorough enough, please post a comment explaining what part you think I need to cover better and I'll update the answer.

Improve this answer

3 Comments

I understand what you're saying but the problem is cutting the length down to a manageable integer (around 152) which cannot be done unless there are null terminators in the high bits of length. The problem is that the attack string is being copied in by a host program via execve and I believe those arguments will get read up to this NULL terminator not allowing the reading of the exploit past the length which we need in order to compromise the return address and overwrite with the address of the buffer in order to start executing our code.
If we cannot use /x00 in lengths high bytes (length is 4 bytes long) then we will end up with something like this as the smallest number for length /x01/x01/x01/x01 in Little Endian which turns out to be 0x01010101 = 16843009 - this is way too large and will definitely blow up the stack. Maybe I am approaching this wrong
Well, now we are really getting into implementation-defined behavior. If execve() does copy the strings, it could possibly place the strings next to each other in such a way that the attack would still work. Or not... I haven't actually attacked computers this way, I'm just trying to figure this out. Anyway, the function as written is horribly exploitable, but maybe the actual use of it happens to be protected by execve(). That doesn't really invalidate the points that your teachers are trying to impress on you with this, but it's possible that your teachers did overlook this point.
0

I am aware that this is quite an old post, however I stumbled on your question because I found myself in the same situation with exactly the same questions as the ones you ask in your post and in the comments.

A few minutes later, I solved the problem. I don't know how much of it I should "spoil" here, since AFAIK this is a typical problem in many Computer Security courses. I can say however that the solution can indeed be achieved with exactly one argument... and with a couple of environment variables. Additional hint: environment variables are stored after function arguments on the stack (as in in higher addresses than the function arguments).

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.