7

I'm trying to create a buffer overflow with C# for a school project:

unsafe
{
    fixed (char* ptr_str = new char[6] {'H', 'a', 'l', 'l', 'o', ','})
    {
        fixed (char* ptr_str2 = new char[6] {'W', 'e', 'r', 'e', 'l', 'd'})
        {
            fixed (char* ptr_str3 = new char[6] {'!', '!', '!', '!', '!', '!'})
            {
                for (int i = 0; i < 8; i++)
                {
                    ptr_str2[i] = 'a';
                }

                for (int i = 0; i < 6; i++)
                {
                    this.Label2.Text += ptr_str[i];
                    this.Label3.Text += ptr_str2[i];
                    this.Label4.Text += ptr_str3[i];
                }
            }
        }
    }
}

I thought this would flood ptr_str2 and thereby overwriting chars in ptr_str. However that does not seem to happen. It does execute but the values in ptr_str are not overwritten.

Can anyone help with achieving this? I don't understand what I'm doing wrong.

Improve this question
4
  • 1
    I guess you could start with ASP .NET MVC 2 project... Commented Feb 5, 2011 at 12:29
  • 2
    We're trying to avoid them, you're trying to make one... Strange world we live in. Commented Feb 5, 2011 at 12:31
  • 6
    This would be a buffer overflow, not a stack overflow. Commented Feb 5, 2011 at 12:31
  • Yep I meant a buffer overflow... Commented Feb 5, 2011 at 12:36

4 Answers 4

Reset to default
6

Stack overflow is an overflow of calling stack. It is done much easier:

int Test ()
{
    return Test ();
}

Console.WriteLine (Test ());

If you meant buffer overflow, there is a similar question.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Yes I meant a buffer flow where you overwrite a variable on the stack and not on the heap.
Yes that's overflowing heap variables (structs). I would like to know how it can be done with stack variables. Where ptr_str2 overwrites ptr_str instead of ptr_str2 overwriting ptr_str3.
6

The traditional attack that exploits a buffer overflow overflows a stack buffer; you are overflowing a heap buffer. It is a lot easier to see a write to one buffer smashing another buffer when they're both on the stack. Try using stackalloc instead of new char to force the allocation into the stack.

Improve this answer

2 Comments

Thanks for your advice. I was already thinking I understood something wrong. I'm gonna check out stackalloc.
Except stackalloc won't actually let you overflow the buffer though :)
5

You are missing the fact that arrays are objects themselves. They have an object header like any managed reference type and a private field that stores the array size. You have to overwrite those first before you start overwriting the array elements. On a 32-bit machine, you'll start overwriting the first element of ptr_str2 with this:

                        for (int i = 0; i < 13; i++) {
                            ptr_str[i] = 'a';
                        }

Of course, it had to be 13.

Observe this by setting a breakpoint on the for loop. Debug + Windows + Memory + Memory 1, type "ptr_str" in the Address box. Step the code to see the memory getting changed. You'll see ptr_str2 right after that, 4 bytes for the syncblk, 4 bytes for the method table pointer and 4 bytes for the array length. 12 bytes total, 6 chars.

Improve this answer

6 Comments

Hey this an amazingly good tip. I had not found the memory window yet.. :P But now I see that I needed to overwrite the ptr_str3 sequence... Little mistake. Now I've got to check how I can overwrite the header values without causing a crash.
Hmm, don't go there. The next garbage collection is going to re-arrange the arrays. They'll stay adjacent in memory only by accident.
Hmm... alright but isn't the garbage only collected when the array isn't needed anymore?? The undermentioned seems to do the trick. for (int i = 0; i < 36; i++) { if (i == 6) i += 24; ptr_str2[i] = 'a'; }
The garbage collector also compacts the heap. Which moves objects.
Ah alright but I thought when you use fixed it stays in the same location of memory..?
|
0

You do not seem to be making a Stackoverflow here - you aren't really using the stack at all. You seem instead to be trying to create a buffer overflow, I assume thinking that unsafe C# is like C, which it is similar but with several important differences.

A stackoverflow can be made simply:

public void Stackoverflow()
{
    Stackoverflow();
}

and then by calling Stackoverflow() somewhere.

Improve this answer

3 Comments

Little fix: return Stackoverflow () or else make it void.
But if you're executing (safe) int i = 99; you're using the stack right?
What probably should have said is you are using the stack but not massively increasing it's size (you actually use the stack for every operation in the .NET VM). As such it won't cause a StackOverflow. But you are looking for a buffer overflow anyhow.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.