
For a homework assignment I must perform a buffer overflow attack on a program they provided. The code of that program is the following:

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() copies until the NUL byte with no
 * regard for the 256-byte buffer, so a longer argv[1] overwrites the
 * stack beyond it. */
void vulnerable_function(char *input)
{
    char buffer[256];
    strcpy(buffer, input);
    printf("buffer:%s\n", buffer);
}

int main(int argc, char **argv)
{
    /* No argc check: when run without an argument, argv[1] is NULL. */
    vulnerable_function(argv[1]);
    return 0;
}

So, when I execute this command in the terminal: perl -e 'print "A"x32' | ./opdr1_vuln I always get a segmentation fault, no matter how large I make the input.

The program terminated with:

#0  0xb7f17f50 in strcopy () from /lib/tls/i686/cmov/libc.so.6

However, when I manually type many a's in the terminal like this:

./opdr1_vuln aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

it crashes at 260 a's, which is expected, and when I debug this with gdb it gives another segmentation fault. It looks like when I generate input from another source than the terminal itself, it gives a segmentation fault in strcopy().

I compiled the program with:

# gcc opdr1_vuln.c -o opdr1_vuln 

It's a Linux debian 2.6.18-4-686 i686 system.

I don't know why this happens, can someone help me?

  • vulnerable_function(argv[1]); you're not checking the argument count, and you're not passing any arguments... to be able to properly attack, you have to provide an argument, not standard input. Commented Oct 27, 2017 at 11:12
  • Where do you have the strcopy function? Commented Oct 27, 2017 at 11:12
  • @Jean-FrançoisFabre isn't argv[] NULL-terminated? As argv[0] is the program's own name, argv[1] should be NULL. Commented Oct 27, 2017 at 11:20
  • yes, I have fixed that. It's still undefined behaviour to read from NULL. Commented Oct 27, 2017 at 11:21

1 Answer


in

perl -e 'print "A"x32' | ./opdr1_vuln

you're not passing any parameters, you're just providing standard input to your program

argv[1] is then invalid (NULL), and since the argument count is not checked you get undefined behaviour (the function is vulnerable, but the main program is as well).

To provide the output of the perl command to your code you have to pass the output as an argument, not as input. In a classic bash that would be:

./opdr1_vuln `perl -e 'print "A"x32'`

or (maybe more readable)

./opdr1_vuln $(perl -e 'print "A"x32')
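As an added example (not the poster's assignment code and not the answer's), here is the same program with the two fixes the answer points at: an argc check so a missing argument is a clean error instead of strcpy(buffer, NULL), and a bounded copy so a long argv[1] is truncated instead of overwriting the stack. The names bounded_copy, run, copy_result and the return codes are mine; the 256-byte buffer is the assignment's. The comment in run() restates the stdin-versus-argv point: a pipe feeds stdin, only $(...) or backticks put the A's into argv[1].

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 256   /* same stack buffer size as the assignment */

/* Outcome of the bounded copy (names chosen for this example). */
enum copy_result {
    COPY_OK = 0,          /* input fit and was copied whole */
    COPY_NULL_INPUT = 1,  /* input was NULL, e.g. argv[1] when argc == 1 */
    COPY_TRUNCATED = 2    /* input was too long and was cut to fit */
};

/*
 * Hardened stand-in for the strcpy() in vulnerable_function(): it never
 * writes more than dst_size bytes and always leaves dst NUL-terminated,
 * so a 300-byte argument cannot reach the saved frame pointer or return
 * address that sit above the buffer on the stack.
 */
enum copy_result bounded_copy(char *dst, size_t dst_size, const char *input)
{
    if (dst_size == 0)
        return COPY_TRUNCATED;
    if (input == NULL) {
        dst[0] = '\0';
        return COPY_NULL_INPUT;
    }
    size_t len = strlen(input);
    if (len >= dst_size) {
        memcpy(dst, input, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, input, len + 1);   /* includes the terminating NUL */
    return COPY_OK;
}

/*
 * The assignment's main() logic with the missing argc check.
 * With   perl -e 'print "A"x32' | ./prog   the A's go to stdin, argc is 1
 * and argv[1] is the NULL that terminates argv[]; the original program
 * dereferences it inside strcpy() before any overflow can happen.
 * With   ./prog "$(perl -e 'print "A"x300')"   the A's are argv[1].
 * Return codes: 0 = copied whole, 1 = input truncated, 2 = no argument.
 */
int run(int argc, char **argv)
{
    char buffer[BUF_SIZE];
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "prog";

    if (argc < 2 || argv[1] == NULL) {
        fprintf(stderr, "usage: %s <input>\n", prog);
        return 2;
    }

    enum copy_result r = bounded_copy(buffer, sizeof buffer, argv[1]);
    printf("buffer:%s\n", buffer);
    if (r == COPY_TRUNCATED)
        fprintf(stderr, "input longer than %d bytes was truncated\n", BUF_SIZE - 1);
    return r == COPY_OK ? 0 : 1;
}

int main(int argc, char **argv)
{
    return run(argc, argv);
}
```

Build it with plain gcc as in the question; running it with no argument prints the usage line and exits 2, and running it with a 300-character command substitution prints the first 255 bytes and a truncation warning. For the actual homework, keep the original unbounded strcpy() build, since this version is the one that no longer crashes.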

6 Comments

@Jean-FrançoisFabre I piped it because if I pass that command to the program as an argument it just prints buffer: perl -e print. So I don't know why this little perl script does not get executed then.
note the backquotes (let me provide another syntax)
Yes, thank you very much! It works now. I did confuse normal quotes with backticks.
that's why the "modern" bash syntax uses $() for the best. It's recommended to use it. BTW tell your teacher that running the program without any argument is already an attack. Good job :): (Ronin: "I could ambush you with a cup of coffee")
That modern syntax is a lot more clear indeed. But you mean that it's already an attack, because you let the program crash without a parameter as it throws a segmentation fault? :) I wonder what you can do with this though.
