Sprintf buffer-overflow - RIP register contains garbage data


I try to exploit sprintf c function in my program which is used like this:

char line[512];
sprintf(line,"[%s]", UserCommand);

As you can see the line can be exploited and trigger something else. I found how to change rbp register but when it comes to RIP register, I can change it with "0xFFFF7FFFEBFF8C10" but I couldn't with "0x00007FFFEBFF8C10", the first 2 bytes "00 00" are replaced with 0x2D5D ( ]) which becomes 0x2D5D7FFFEBFF8C10. This address cannot lead me to my buffer where my arbitrary code reside.

The stack $rsp-100: 0x7fffebff8d94: 0xd23148f6 0x3bc08348 0xebe8050f 0x2fffffff 0x7fffebff8da4: 0x2f6e6962 0x4168732f 0x41414141 0x41414141 0x7fffebff8db4: 0x41414141 0x41414141 0x41414141 0x41414141 0x7fffebff8dc4: 0x41414141 0x41414141 0x41414141 0x41414141 0x7fffebff8dd4: 0x41414141 0x41414141 0x41414141 0x41414141 0x7fffebff8de4: 0xffffffff 0x41414141 0x0000155a 0x41414141 0x7fffebff8df4: 0x41414141 0xebff8c10 0x205d7fff 0x00000000 0x7fffebff8e04: 0x00000000 0x00bd5760 0x00000000 0x00000000

Backtrace in gdb: 0 0x00000000004093a0 in ProcessCmd (Ctx=40, Connect=27, Msg=0x7fffebff9e32 '\220' <repeats 200 times>..., Len=522) at /home/sam/srv/cmd/proc.c:305 1 0x205d7fffebff8c10 in ?? () 2 0x0000000000000000 in ?? ()


info r
rax            0xffffffff       4294967295
rbx            0x7fffebfff700   140737152808704
rcx            0x7ffff78cb1fd   140737346580989
rdx            0x919f40 9543488
rsi            0x0      0
rdi            0x919f40 9543488
rbp            0x4141414141414141       0x4141414141414141
rsp            0x7fffebff8df8   0x7fffebff8df8
r8             0x0      0
r9             0x29     41
r10            0x11     17
r11            0x0      0
r12            0x1      1
r13            0x7fffebfff9c0   140737152809408
r14            0x7fffebfff700   140737152808704
r15            0x0      0
rip            0x4093a0 0x4093a0 <ProcessCmd+407>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

I want to know if this can be exploited or not ?

Is there any way to have a valid canonical address in the RIP register and remove the 2 bytes that making my address invalid ?

Thanks in advance

asked on Stack Overflow Nov 7, 2019 by Bugger • edited Nov 8, 2019 by Bugger

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0