I am trying to simulate buffer overflow on my mac, but it keeps getting segmentation fault even with -fno-stack-protector.

Below is the output I get.

Vulnerable function executed!
data:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
zsh: segmentation fault 

I compiled and ran using the below command.

gcc -o sql_slammer slammer.c -fno-stack-protector -D_FORTIFY_SOURCE=0 -Wl && ./sql_slammer

Below is my code for reference.

#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 27

void malicious_function()
{
    printf("Malicious code executed!\n");
    // Insert your malicious code here
}

void vulnerable_function(char *data)
{
    char buffer[BUFFER_SIZE];
    printf("Vulnerable function executed!\n");
    printf("data:%s\n", data);
    sprintf(buffer, "%s", data); // Vulnerable sprintf() call

    // Create a function pointer and set it to the address of the malicious function
    void (*function_ptr)() = &malicious_function;

    // Overwrite the return address with the address of the malicious function
    // This assumes little-endian architecture where addresses are stored in reverse order
    memcpy(buffer + BUFFER_SIZE - sizeof(void *), &function_ptr, sizeof(void *));
}

int main()
{
    char packet[] = "\x04"                                  // one leading 0x04 byte
                    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"  // 42 bytes of 0x41 ('A'), 43 bytes + NUL = 44
                    "AAAAAAAAAA" "AA";                     // separate literals so the hex escape ends before the 'A's

    vulnerable_function(packet);

    return 0;
}

I read other Stack Overflow posts related to this and tried the solution, but it didn't work for me. I included compiler flags such as -O0 and -fno-stack-protector. I also tried running it on Windows.

  • So evidently packet, which becomes data, of length 44, was too long for buffer, of length 27. Why are you surprised? Commented Apr 18, 2024 at 10:11
  • I want buffer overflow to happen and overwrite the return address on the stack with the address of malicious function. Commented Apr 18, 2024 at 10:34
  • That's the thing with undefined behavior - there's no particular guaranteed outcome. Why these kinds of exercises tend to end up somewhere between fruitless and pointless. Commented Apr 18, 2024 at 10:40
  • You can't get the buffer overflow you want until you get rid of the buffer overflow you don't want, that is happening before the buffer overflow that you do want. Surely this is obvious? Commented Apr 18, 2024 at 10:40

1 Answer

You store the address of malicious_function() within the legally allocated memory space of buffer[]: memcpy(buffer + BUFFER_SIZE - sizeof(void *), ..., sizeof(void *)); This will only cause problems if later code expects null-terminated strings there.

In contrast, your sprintf() call causes a destructive overwrite on the stack. When exiting from vulnerable_function() it may try to return to address 0x41414141. I think this triggers your segmentation fault.

To exploit vulnerable_function() you have to feed in a very specially crafted evil string.
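As an added illustration (not code from the question or its answer) of why the sprintf() call is the overflow the answer points at, and what the bounded replacement looks like: the constructed PACKET below reproduces the question's 44-byte input, overflow_bytes() computes how far the unbounded copy runs past the 27-byte buffer, and copy_bounded() / hardened_function() are assumed names for an snprintf-based replacement that rejects the input instead of smashing the stack.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 27

/* Constructed input matching the question: 0x04 then 42 'A' bytes,
 * i.e. 43 bytes plus the terminating NUL = 44 bytes. */
static const char PACKET[] =
    "\x04" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AA";

/* Bytes the original sprintf(buffer, "%s", data) writes past the end of
 * a buffer of buffer_size bytes: (strlen + NUL) minus capacity, 0 if it fits. */
size_t overflow_bytes(const char *data, size_t buffer_size)
{
    size_t needed = strlen(data) + 1;
    return needed > buffer_size ? needed - buffer_size : 0;
}

/* Hardened copy (assumed name): bounded by dst_size and rejects oversize
 * input instead of truncating silently. Returns 0 on success, -1 if src does not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return -1;
    /* snprintf writes at most dst_size bytes (always NUL-terminated) and
     * returns the length the untruncated output would have had. */
    int n = snprintf(dst, dst_size, "%s", src);
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0';  /* do not leave a partial payload behind */
        return -1;
    }
    return 0;
}

/* Safe counterpart of the question's vulnerable_function() (assumed name). */
int hardened_function(const char *data)
{
    char buffer[BUFFER_SIZE];
    if (copy_bounded(buffer, sizeof buffer, data) != 0) {
        fprintf(stderr, "rejected %zu-byte input\n", strlen(data));
        return -1;
    }
    printf("data:%s\n", buffer);
    return 0;
}

int main(void)
{
    printf("overflow: %zu bytes\n", overflow_bytes(PACKET, BUFFER_SIZE));
    return hardened_function(PACKET) == 0 ? 0 : 1;
}
```

With the question's input the unbounded copy writes 17 bytes beyond buffer[], which is what clobbers the saved frame; the bounded version refuses the input and the process exits cleanly.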
