0

I have a project in my CS course that is centered around buffer overflow attacks.

I'm having a difficult time fully comprehending the topic.

Say I have the following function:

08048cc5 <getbuf>:
 8048cc5:   55                      push   %ebp
 8048cc6:   89 e5                   mov    %esp,%ebp
 8048cc8:   83 ec 38                sub    $0x38,%esp
 8048ccb:   8d 45 d8                lea    -0x28(%ebp),%eax
 8048cce:   89 04 24                mov    %eax,(%esp)
 8048cd1:   e8 32 01 00 00          call   8048e08 <Gets>
 8048cd6:   b8 01 00 00 00          mov    $0x1,%eax
 8048cdb:   c9                      leave
 8048cdc:   c3                      ret

Currently it returns to this function:

08048c53 <test>:
 8048c53:   55                      push   %ebp
 8048c54:   89 e5                   mov    %esp,%ebp
 8048c56:   83 ec 28                sub    $0x28,%esp
 8048c59:   e8 63 04 00 00          call   80490c1 <uniqueval>
 8048c5e:   89 45 f0                mov    %eax,-0x10(%ebp)
 8048c61:   e8 5f 00 00 00          call   8048cc5 <getbuf>
 8048c66:   89 45 f4                mov    %eax,-0xc(%ebp)
 8048c69:   e8 53 04 00 00          call   80490c1 <uniqueval>
 8048c6e:   8b 55 f0                mov    -0x10(%ebp),%edx
 8048c71:   39 d0                   cmp    %edx,%eax
 8048c73:   74 0e                   je     8048c83 <test+0x30>
 8048c75:   c7 04 24 f0 a3 04 08    movl   $0x804a3f0,(%esp)
 8048c7c:   e8 9f fc ff ff          call   8048920 <puts@plt>
 8048c81:   eb 40                   jmp    8048cc3 <test+0x70>
 8048c83:   8b 55 f4                mov    -0xc(%ebp),%edx
 8048c86:   a1 20 e1 04 08          mov    0x804e120,%eax
 8048c8b:   39 c2                   cmp    %eax,%edx
 8048c8d:   75 21                   jne    8048cb0 <test+0x5d>
 8048c8f:   8b 45 f4                mov    -0xc(%ebp),%eax
 8048c92:   89 44 24 04             mov    %eax,0x4(%esp)
 8048c96:   c7 04 24 19 a4 04 08    movl   $0x804a419,(%esp)
 8048c9d:   e8 ae fb ff ff          call   8048850 <printf@plt>
 8048ca2:   c7 04 24 03 00 00 00    movl   $0x3,(%esp)
 8048ca9:   e8 a0 07 00 00          call   804944e <validate>
 8048cae:   eb 13                   jmp    8048cc3 <test+0x70>
 8048cb0:   8b 45 f4                mov    -0xc(%ebp),%eax
 8048cb3:   89 44 24 04             mov    %eax,0x4(%esp)
 8048cb7:   c7 04 24 36 a4 04 08    movl   $0x804a436,(%esp)
 8048cbe:   e8 8d fb ff ff          call   8048850 <printf@plt>
 8048cc3:   c9                      leave
 8048cc4:   c3                      ret

Instead of returning to test() I want to cause a buffer overflow that causes getbuf() to return to the following function:

08048b7d <smoke>:
 8048b7d:   55                      push   %ebp
 8048b7e:   89 e5                   mov    %esp,%ebp
 8048b80:   83 ec 18                sub    $0x18,%esp
 8048b83:   c7 04 24 50 a3 04 08    movl   $0x804a350,(%esp)
 8048b8a:   e8 91 fd ff ff          call   8048920 <puts@plt>
 8048b8f:   c7 04 24 00 00 00 00    movl   $0x0,(%esp)
 8048b96:   e8 b3 08 00 00          call   804944e <validate>
 8048b9b:   c7 04 24 00 00 00 00    movl   $0x0,(%esp)
 8048ba2:   e8 99 fd ff ff          call   8048940 <exit@plt>

So we have another program called HEX2RAW that converts a HEX value into a raw string that we will input into the program (and into the buffer).

Does that mean the HEX value needs to include a ret instruction and the address of smoke()? Or just solely the return address?

How do I know the size of the buffer that I will be overflowing? How do I know how far I need to overflow to reach the return instruction on the stack?

You can see my thoughts are slightly scrambled on the topic, so any clarification would be awesome!

Improve this question
2
  • Why is this tagged 'c'?! Commented Oct 14, 2015 at 14:06
  • the program is written in c Commented Oct 14, 2015 at 15:00

1 Answer 1

Reset to default
5

You can see that the address passed to gets is -0x28(%ebp). Since the return address is at 4(%ebp) you need to input 44 bytes of padding followed by the required address. The ret instruction of course should not be entered, since that does not go onto the stack and is already in the code. That's what is going to pop the overwritten return address.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Could you correct me if I'm wrong here? I have the address smoke() = 8048b7d then if I add 44 Bytes to that I get 8048ba9. Is this correct? Because I'm unable to get it to work, though I may have an error in my hex2raw program. My hex2raw program is returning the string "8048;:9"
correction #2, hex2raw returns string "^H^D<8c>Ý" => I believe this is properly functioning, so my theory is wrong somewhere
You do not need to add anything numerically, you need to insert 44 bytes of padding before the address. So your string could look something like AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA^H^D<8c>Ý" =>
This is giving me a segmentation fault. Any idea what this means? From a quick search it looks like it means the address is non-executable, but this makes no sense because I know the address must be executable (it's a function)
Look at where the fault is, and also verify the hex2raw (I just copied yours as an example, haven't checked it!)
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.