I'm trying to create a buffer overflow with C# for a school project:
unsafe
{
fixed (char* ptr_str = new char[6] {'H', 'a', 'l', 'l', 'o', ','})
{
fixed (char* ptr_str2 = new char[6] {'W', 'e', 'r', 'e', 'l', 'd'})
{
fixed (char* ptr_str3 = new char[6] {'!', '!', '!', '!', '!', '!'})
{
for (int i = 0; i < 8; i++)
{
ptr_str2[i] = 'a';
}
for (int i = 0; i < 6; i++)
{
this.Label2.Text += ptr_str[i];
this.Label3.Text += ptr_str2[i];
this.Label4.Text += ptr_str3[i];
}
}
}
}
}
I thought this would flood ptr_str2
and thereby overwriting chars in ptr_str
. However that does not seem to happen. It does execute but the values in ptr_str
are not overwritten.
Can anyone help with achieving this? I don't understand what I'm doing wrong.
Stack overflow is an overflow of calling stack. It is done much easier:
int Test ()
{
return Test ();
}
Console.WriteLine (Test ());
If you meant buffer overflow, there is a similar question.
The traditional attack that exploits a buffer overflow overflows a stack buffer; you are overflowing a heap buffer. It is a lot easier to see a write to one buffer smashing another buffer when they're both on the stack. Try using stackalloc instead of new char to force the allocation into the stack.
You are missing the fact that arrays are objects themselves. They have an object header like any managed reference type and a private field that stores the array size. You have to overwrite those first before you start overwriting the array elements. On a 32-bit machine, you'll start overwriting the first element of ptr_str2 with this:
for (int i = 0; i < 13; i++) {
ptr_str[i] = 'a';
}
Of course, it had to be 13.
Observe this by setting a breakpoint on the for loop. Debug + Windows + Memory + Memory 1, type "ptr_str" in the Address box. Step the code to see the memory getting changed. You'll see ptr_str2 right after that, 4 bytes for the syncblk, 4 bytes for the method table pointer and 4 bytes for the array length. 12 bytes total, 6 chars.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With