C/Ubuntu ][ Problem in Buffer Overflow logic

[Programmatore]

Hi all, it's the first time I posto something here, i usually try to
solve my problems by myself, but this time i really don't know what's
wrong. I programmed in PHP, now i was trying to approach C and
exercise with the program flow. I made this program for
demonstrational purposes, it should auto-bof himself, when returning
from function "ciao", to execute the "a" function.

Hope you can help me, this is the source

---xploitable.c---
#include <stdio.h>

int btol(int i)
{
return((i&0xff)<<24)+((i&0xff00)<<8)+((i&0xff0000)>>8)+((i>>24)
&0xff);
}

int ciao (int b) {
printf("smashing...\n");
char sou[4] = "AAAA";

memcpy((int *) (&sou+1), &b,4); // SOU/EBP/EIP
}

int a() {
printf("secret");
}

int main ( int argc, char *argv[] ) {
char sara[4];
int b = &a;
printf("function 'a' is @ 0x%x\n", b);

ciao(b);
}
---xploitable.c---

and this the output debugged with gdb...

--gdb--

g0d@g0d-desktop:~/Projects/6.Note$ gcc-3.4 -o x xploitable.c -g
xploitable.c: In function `main':
xploitable.c:21: warning: initialization makes integer from pointer
without a cast
g0d@g0d-desktop:~/Projects/6.Note$ gdb ./x -q
(gdb) break 12
Breakpoint 1 at 0x80483cc: file xploitable.c, line 12.
(gdb) break 13
Breakpoint 2 at 0x80483e9: file xploitable.c, line 13.
(gdb) run
Starting program: /home/g0d/Projects/6.Note/x
function 'a' is @ 0x80483eb
smashing...

Breakpoint 1, ciao (b=134513643) at xploitable.c:12
12 memcpy((int *) (&sou+1), &b,40);
(gdb) disass main
Dump of assembler code for function main:
0x080483ff <main+0>: push ebp
0x08048400 <main+1>: mov ebp,esp
0x08048402 <main+3>: sub esp,0x18
0x08048405 <main+6>: and esp,0xfffffff0
0x08048408 <main+9>: mov eax,0x0
0x0804840d <main+14>: add eax,0xf
0x08048410 <main+17>: add eax,0xf
0x08048413 <main+20>: shr eax,0x4
0x08048416 <main+23>: shl eax,0x4
0x08048419 <main+26>: sub esp,eax
0x0804841b <main+28>: mov DWORD PTR [ebp-0x8],0x80483eb
0x08048422 <main+35>: mov eax,DWORD PTR [ebp-0x8]
0x08048425 <main+38>: mov DWORD PTR [esp+0x4],eax
0x08048429 <main+42>: mov DWORD PTR [esp],0x8048525
0x08048430 <main+49>: call 0x80482ec <printf@plt>
0x08048435 <main+54>: mov eax,DWORD PTR [ebp-0x8]
0x08048438 <main+57>: mov DWORD PTR [esp],eax
0x0804843b <main+60>: call 0x80483b2 <ciao>
0x08048440 <main+65>: leave
0x08048441 <main+66>: ret
End of assembler dump.
(gdb) x/40wx &sou
0xbffadca4: 0x41414141 0xbffadcd8 0x08048440 0x080483eb
0xbffadcb4: 0x080483eb 0xbffadcd8 0x08048479 0xb809ff50
0xbffadcc4: 0x08048300 0x0804846b 0xb807cff4 0x080483eb
0xbffadcd4: 0x08048300 0xbffadd38 0xb7f39685 0x00000001
0xbffadce4: 0xbffadd64 0xbffadd6c 0xb8091b38 0x00000001
0xbffadcf4: 0x00000001 0x00000000 0x0804820b 0xb807cff4
0xbffadd04: 0x08048460 0x08048300 0xbffadd38 0x2399c16a
0xbffadd14: 0x310c957a 0x00000000 0x00000000 0x00000000
0xbffadd24: 0xb80a5090 0xb7f395ad 0xb80adff4 0x00000001
0xbffadd34: 0x08048300 0x00000000 0x08048321 0x080483ff
(gdb) cont
Continuing.

Breakpoint 2, ciao (b=-1074078504) at xploitable.c:13
13 }
(gdb) x/40wx &sou
0xbffadca4: 0x41414141 0x080483eb 0x080483eb 0xbffadcd8
0xbffadcb4: 0x08048479 0xb809ff50 0x08048300 0x0804846b
0xbffadcc4: 0xb807cff4 0x080483eb 0x08048300 0x080483eb
0xbffadcd4: 0x08048300 0xbffadd38 0xb7f39685 0x00000001
0xbffadce4: 0xbffadd64 0xbffadd6c 0xb8091b38 0x00000001
0xbffadcf4: 0x00000001 0x00000000 0x0804820b 0xb807cff4
0xbffadd04: 0x08048460 0x08048300 0xbffadd38 0x2399c16a
0xbffadd14: 0x310c957a 0x00000000 0x00000000 0x00000000
0xbffadd24: 0xb80a5090 0xb7f395ad 0xb80adff4 0x00000001
0xbffadd34: 0x08048300 0x00000000 0x08048321 0x080483ff
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffadcda in ?? ()
(gdb)

--gdb--

as you can see, it goes in overflow with an EIP of 0xbffadcda. I don't
know where it gets this eip, if you look at the stack after the
function continues, it seems the the EIP ( 0x08048440 ) has been
overwritten well... But it doesn't work.

I use gcc 3.4 cuz 4.1 has SSP protection. Ubuntu on 32bit, as you can
see.

Thanks in advance, pater.

 

[nicolas.sitbon]

Hi all, it's the first time I posto something here, i usually try to
solve my problems by myself, but this time i really don't know what's
wrong. I programmed in PHP, now i was trying to approach C and
exercise with the program flow. I made this program for
demonstrational purposes, it should auto-bof himself, when returning
from function "ciao", to execute the "a" function.

Hope you can help me, this is the source

---xploitable.c---
#include <stdio.h>

int btol(int i)
{
    return((i&0xff)<<24)+((i&0xff00)<<8)+((i&0xff0000)>>8)+((i>>24)
&0xff);

}

int ciao (int b) {
        printf("smashing...\n");
        char sou[4] = "AAAA";

        memcpy((int *) (&sou+1), &b,4); // SOU/EBP/EIP

}

int a() {
        printf("secret");

}

int main ( int argc, char *argv[] ) {
        char sara[4];
        int b = &a;
        printf("function 'a' is @ 0x%x\n", b);

        ciao(b);}

---xploitable.c---

and this the output debugged with gdb...

--gdb--

g0d@g0d-desktop:~/Projects/6.Note$ gcc-3.4 -o x xploitable.c -g
xploitable.c: In function `main':
xploitable.c:21: warning: initialization makes integer from pointer
without a cast
g0d@g0d-desktop:~/Projects/6.Note$ gdb ./x -q
(gdb) break 12
Breakpoint 1 at 0x80483cc: file xploitable.c, line 12.
(gdb) break 13
Breakpoint 2 at 0x80483e9: file xploitable.c, line 13.
(gdb) run
Starting program: /home/g0d/Projects/6.Note/x
function 'a' is @ 0x80483eb
smashing...

Breakpoint 1, ciao (b=134513643) at xploitable.c:12
12              memcpy((int *) (&sou+1), &b,40);
(gdb) disass main
Dump of assembler code for function main:
0x080483ff <main+0>:      push   ebp
0x08048400 <main+1>:      mov    ebp,esp
0x08048402 <main+3>:      sub    esp,0x18
0x08048405 <main+6>:      and    esp,0xfffffff0
0x08048408 <main+9>:      mov    eax,0x0
0x0804840d <main+14>:     add    eax,0xf
0x08048410 <main+17>:     add    eax,0xf
0x08048413 <main+20>:     shr    eax,0x4
0x08048416 <main+23>:     shl    eax,0x4
0x08048419 <main+26>:     sub    esp,eax
0x0804841b <main+28>:     mov    DWORD PTR [ebp-0x8],0x80483eb
0x08048422 <main+35>:     mov    eax,DWORD PTR [ebp-0x8]
0x08048425 <main+38>:     mov    DWORD PTR [esp+0x4],eax
0x08048429 <main+42>:     mov    DWORD PTR [esp],0x8048525
0x08048430 <main+49>:     call   0x80482ec <printf@plt>
0x08048435 <main+54>:     mov    eax,DWORD PTR [ebp-0x8]
0x08048438 <main+57>:     mov    DWORD PTR [esp],eax
0x0804843b <main+60>:     call   0x80483b2 <ciao>
0x08048440 <main+65>:     leave
0x08048441 <main+66>:     ret
End of assembler dump.
(gdb) x/40wx &sou
0xbffadca4:     0x41414141      0xbffadcd8      0x08048440      0x080483eb
0xbffadcb4:     0x080483eb      0xbffadcd8      0x08048479      0xb809ff50
0xbffadcc4:     0x08048300      0x0804846b      0xb807cff4      0x080483eb
0xbffadcd4:     0x08048300      0xbffadd38      0xb7f39685      0x00000001
0xbffadce4:     0xbffadd64      0xbffadd6c      0xb8091b38      0x00000001
0xbffadcf4:     0x00000001      0x00000000      0x0804820b      0xb807cff4
0xbffadd04:     0x08048460      0x08048300      0xbffadd38      0x2399c16a
0xbffadd14:     0x310c957a      0x00000000      0x00000000      0x00000000
0xbffadd24:     0xb80a5090      0xb7f395ad      0xb80adff4      0x00000001
0xbffadd34:     0x08048300      0x00000000      0x08048321      0x080483ff
(gdb) cont
Continuing.

Breakpoint 2, ciao (b=-1074078504) at xploitable.c:13
13      }
(gdb) x/40wx &sou
0xbffadca4:     0x41414141      0x080483eb      0x080483eb      0xbffadcd8
0xbffadcb4:     0x08048479      0xb809ff50      0x08048300      0x0804846b
0xbffadcc4:     0xb807cff4      0x080483eb      0x08048300      0x080483eb
0xbffadcd4:     0x08048300      0xbffadd38      0xb7f39685      0x00000001
0xbffadce4:     0xbffadd64      0xbffadd6c      0xb8091b38      0x00000001
0xbffadcf4:     0x00000001      0x00000000      0x0804820b      0xb807cff4
0xbffadd04:     0x08048460      0x08048300      0xbffadd38      0x2399c16a
0xbffadd14:     0x310c957a      0x00000000      0x00000000      0x00000000
0xbffadd24:     0xb80a5090      0xb7f395ad      0xb80adff4      0x00000001
0xbffadd34:     0x08048300      0x00000000      0x08048321      0x080483ff
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffadcda in ?? ()
(gdb)

--gdb--

as you can see, it goes in overflow with an EIP of 0xbffadcda. I don't
know where it gets this eip, if you look at the stack after the
function continues, it seems the the EIP ( 0x08048440 ) has been
overwritten well... But it doesn't work.

I use gcc 3.4 cuz 4.1 has SSP protection. Ubuntu on 32bit, as you can
see.

Thanks in advance, pater.

try this:
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

static int ciao(uintptr_t b)
{
puts("smashing...");
uintptr_t * ret = (uintptr_t *) & ret + 3;
(*ret) = b;
}

static int a(void)
{
puts("secret");
exit(0);
}

int main(void)
{
uintptr_t b = (uintptr_t) &a;
printf("function 'a' is %p\n", (void*) a);

ciao(b);
}

 

[Programmatore]

it works fine, thanks! the only thing is

uintptr_t * ret = (uintptr_t *) & ret + 2;

not

uintptr_t * ret = (uintptr_t *) & ret + 3;

but the code works i now try to study a lil bit the differences
between our codes to figure out the problem

thanks again

 

[nicolas.sitbon]

it works fine, thanks! the only thing is

uintptr_t * ret = (uintptr_t *) & ret + 2;

not

uintptr_t * ret = (uintptr_t *) & ret + 3;

Ok my code was for the Sunstudio compiler but you're right, with GCC
it's +2 not +3.

 

[Programmatore]

Ok my code was for the Sunstudio compiler but you're right, with GCC
it's +2 not +3.

mmm... sunstudio takes another byte before the ebp and the eip? didn't
know that compilers would manage the stack in different ways...

as i know stack frame should be like this
+-----------+-----------+-----------+
| RET | EBP | EIP |
+-----------+-----------+-----------+

 

[Programmatore]

ah, last question... source: victim.c

#include <stdio.h>

void vulnerable(char *lol) {
char omg[4];

// OMG! AN UNPROTECTED STRCPY!
strcpy(omg, lol);
puts("Everything's gone pretty fine");
}

void usage() {
puts("Usage: %s TEXT-TO-COPY");
}

int main( int argc, char *argv[] ) {
if(argc==1) usage(); else vulnerable(argv[1]);
}

it should copy 4 bytes in total, so there should be enough space
allocated for a string such as "AAAA", but if i give victim a "AAAA"
string, a 0x00 overflows in the ebp... why? and also... why if the ebp
is overwritten, memory goes in stack segmentation fault? the eip
shouldn't be affected by ebp address... or should it?

(gdb) run AAA
Starting program: /home/g0d/Projects/7.BOF/victim AAAA

Breakpoint 1, vulnerable (lol=0xbf86c732 "AAAA") at victim.c:7
7 strcpy(omg, lol);
(gdb) x/20x &omg-4
0xbf86a574: 0x080495d8 0xbf86a588 0x080482a8 0xb7f3bff4
0xbf86a584: 0x080495d8 0xbf86a5a8 0x080483ef 0xbf86c732
0xbf86a594: 0x08048300 0x0804841b 0xb7f3bff4 0x08048410
0xbf86a5a4: 0x08048300 0xbf86a608 0xb7df8685 0x00000002
0xbf86a5b4: 0xbf86a634 0xbf86a640 0xb7f50b38 0x00000001
(gdb) cont
Continuing.

Breakpoint 2, vulnerable (lol=0xbf86c732 "AAAA") at victim.c:8
8 puts("Everything's gone pretty fine");
(gdb) x/20x &omg-4
0xbf86a574: 0xbf86c732 0xbf86a588 0x080482a8 0xb7f3bff4
0xbf86a584: 0x00414141 0xbf86a5a8 0x080483ef 0xbf86c732
0xbf86a594: 0x08048300 0x0804841b 0xb7f3bff4 0x08048410
0xbf86a5a4: 0x08048300 0xbf86a608 0xb7df8685 0x00000002
0xbf86a5b4: 0xbf86a634 0xbf86a640 0xb7f50b38 0x00000001

(gdb) run AAAA
Starting program: /home/g0d/Projects/7.BOF/victim AAAA

Breakpoint 1, vulnerable (lol=0xbf86c732 "AAAA") at victim.c:7
7 strcpy(omg, lol);
(gdb) x/20x &omg-4
0xbf86a574: 0x080495d8 0xbf86a588 0x080482a8 0xb7f3bff4
0xbf86a584: 0x080495d8 0xbf86a5a8 0x080483ef 0xbf86c732
0xbf86a594: 0x08048300 0x0804841b 0xb7f3bff4 0x08048410
0xbf86a5a4: 0x08048300 0xbf86a608 0xb7df8685 0x00000002
0xbf86a5b4: 0xbf86a634 0xbf86a640 0xb7f50b38 0x00000001
(gdb) cont
Continuing.

Breakpoint 2, vulnerable (lol=0xbf86c732 "AAAA") at victim.c:8
8 puts("Everything's gone pretty fine");
(gdb) x/20x &omg-4
0xbf86a574: 0xbf86c732 0xbf86a588 0x080482a8 0xb7f3bff4
0xbf86a584: 0x41414141 0xbf86a500 0x080483ef 0xbf86c732
0xbf86a594: 0x08048300 0x0804841b 0xb7f3bff4 0x08048410
0xbf86a5a4: 0x08048300 0xbf86a608 0xb7df8685 0x00000002
0xbf86a5b4: 0xbf86a634 0xbf86a640 0xb7f50b38 0x00000001

 

[nicolas.sitbon]

mmm... sunstudio takes another byte before the ebp and the eip? didn't
know that compilers would manage the stack in different ways...

as i know stack frame should be like this
+-----------+-----------+-----------+
|    RET    |   EBP     |     EIP   |
+-----------+-----------+-----------+

I think it's a canary.