3

I'm doing a really simple example of buffer overflows, I have this code:

#include <stdio.h>

void secretFunction()
{
    printf("Congratulations!\n");
    printf("You have entered in the secret function!\n");
}

void echo()
{
    char buffer[20];

    printf("Enter some text:\n");
    scanf("%s", buffer);
    printf("You entered: %s\n", buffer);    
}

int main()
{
    echo();

    return 0;
}

To start with, I compile this file with no stack protections, and aslr turned off:

gcc buf.c -o vuln_nostack -fno-stack-protector -m32 -no-pie

For exploiting this, we simply want to inject the memory adress of the secret function so that we can get to run it. This can be done with running the file with python generating the input:

 $ python -c 'print "a"*32 + "\xd6\x91\x04\x08"' | ./vuln_nostack 
Enter some text:
You entered: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa֑
Congratulations!
You have entered in the secret function!
Segmentation fault (core dumped)

Which hits my secret function. So this works.

But now the problem is that I want to to work with aslr as well, so I want to output the adress of the secret function at the start of the program, and then have the malicious input depend on that. FOr that reason, I want to wait by inputting anything to the program, until I have seen what it has printed to me.

But if I now run the program where I just give the input manually while the program runs:

./vuln_nostack
Enter some text:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa֑\xd6\x91\x04\x08
You entered: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa֑\xd6\x91\x04\x08
Segmentation fault (core dumped)

Then it simply handles my input correctly, and the value is not overflown. A segmentation error occurs, indicating that something is happening, but not the same direction to my secret function

I'm pretty new to overflows, and don't really understand why this is happening, when the python generated input actually works.

SO my question is whether there is a way to do this simple overflow "manually" while the program runs. Or if I will need to write some script (python perhaps) that can interact with this faulty program and give it correct input as it runs?

Improve this question
4
  • Maybe have a read at The GDB developer's GNU Debugger tutorial Commented Feb 2, 2022 at 13:15
  • Yur program prints Enter some text: as the very first thing. That seems wrong, it should print secrefunc is at: 0x[...] first. Are you sure you are running the right executable? Commented Feb 2, 2022 at 13:18
  • It has been edited Commented Feb 2, 2022 at 13:20
  • You are entering the address as text. Your Python script generated raw integer values. Escape sequences can't be used in string input, only internally in C source. On Windows you could type Alt+214 for the equivalent of 0xD6 and so on. Or easier: make a script generating the raw binary sequence and then posts it in the clipboard. Commented Feb 2, 2022 at 13:30

1 Answer 1

Reset to default
3

You say that your input is handled correctly in the second example but this is not the case, you can see that in the second time you ran the program, you got a segmentation fault, which means that you accessed memory which can't be deferenced(Either due to wrong memory protection or due to invalid memory address).

The reason that you failed to jump to secretFunction() on your second run, is that you were assuming that scanf parses escaped unicode values as unicode, but when you enter "\xd6" it is not parsed to a unicode value but it is parsed to 4 chars '' 'x' 'd' '6'. As you run on a 32 bit machine this is the address the program tries to execute which probably leads to a segfault as this memory is most likely not valid nor executable.

Just an idea on how to overcome ASLR without connecting with gdb after running the program and looking for the address the program was loaded to - you can try overflowing only the lower 2 bytes, as if I am not mistaken only the 2 upper bytes are randomized with ASLR, hence you only need to overflow the "offset" which is constant even with ASLR.

Here is some learning material regarding stack overflows: https://insecure.org/stf/smashstack.html

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Yes my idea was to find the offset and using thta amount to target the secret function. But I just don't know how I can give the input such that the input iis interpreted as unicode

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.