Ok so I am trying to learn about buffer overflows and there is this simple program that is vulnerable of a BoF because it copies the first argument into a buffer of 5 characters. In the source code, there is a function called bar that never gets called by the program. My goal was to overflow the buffer and run that function.
So I loaded it up into gdb and I typed disass bar. the first few lines look like this:
(gdb) disas bar
Dump of assembler code for function bar:
0x0000000000400988 <+0>: push %rbp
So basically, all I have to do is put the address 0x00400988 into the end of the overflowed buffer. I calculated the return address to be 36 bytes past when I overflow the variable.
So in GDB i used the command set args $(perl -e 'print "A" x 36 . "\x88\x09\x40\x00"')
I set a breakpoint right after the strcpy was run and examined what 20 words of rsp looked like:
(gdb) x/40xw $rsp
0x7fffffffe240: 0xffffe358 0x00007fff 0x00000000 0x00000003
0x7fffffffe250: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe260: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe270: 0x41414141 0x00000088 0xf7a54b45 0x00007fff
0x7fffffffe280: 0x00000000 0x00000000 0xffffe358 0x00007fff
My issue is that the return address is not copying correctly. As you can see, it only copies the hex value 88 (and i guess the 00 in the beginning of the buffer.
This is what I have tried so far: I have tried to recompile and check if it was an issue with the address being returned to.
I have tried to change the hex values of the address to random values and that seems to copy. For example, I tried to copy in the values 0x85af4709 into that location and it worked. In fact, I found out that the 09 in the original address is what is causing the issue. For example, I am able to make the address 0x00400788 but it cant be 0x00400788.
That being said, I found out that 07 in ascii is a bell, which can be written as \a. Even if I did that, i got the original issue.
After that, I tried adjusting the amount of "A"s I would copy into the buffer to see if that did anyhting. it didnt.
I even tried to write the string out when typing run in gdb
Then, I googled this issue and found a really good example of exactly what i was trying to do. I used the sample program on page 32 of this article: https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture21.pdf
To my suprise, exactly what I was doing in my program worked exactly as I intended it to work in the authors sample program.
As a conclusion, I was wondering if someone would be able to explain why that one position in the address can contain any hex value except the one I want to copy into it. In addition to that, I wan't to know how I can fix this.
If you would like any additional info id be more than happy to give it to you
User contributions licensed under CC BY-SA 3.0