Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

For buffer overflows, what is the stack address when using pthreads?

Tags:

c

stack

pthreads

buffer-overflow

memory-address

I'm taking a class in computer security and there is an extra credit assignment to insert executable code into a buffer overflow. I have the c source code for the target program I'm trying to manipulate, and I've gotten to the point where I can successfully overwrite the eip for the current function stack frame. However, I always get a Segmentation fault, because the address I supply is always wrong. The problem is that the current function is inside a pthread, and therefore, the address of the stack seems to always change between different runs of the program. Is there any method for finding the stack address within a pthread (or for estimating the stack address within a pthread)? (note: pthread_create's 2nd argument is null, so we're not manually assigning a stack address)

like image 467
t2k32316 Avatar asked Jan 22 '23 11:01

t2k32316

1 Answers

I suggest reading the excellent (if a bit dated) article/tutorial on exploiting buffer overflow vulnerabilities Smashing The Stack For Fun And Profit.

Here's a brief excerpt:

The problem is that we don't know where in the memory space of the program we are trying to exploit the code (and the string that follows it) will be placed. One way around it is to use a JMP, and a CALL instruction. The JMP and CALL instructions can use IP relative addressing, which means we can jump to an offset from the current IP without needing to know the exact address of where in memory we want to jump to.

You can retrieve the current value of the stack pointer with a bit of inline assembly. All the examples in Smashing The Stack For Fun And Profit overflow a buffer in main, but you can just as easily use the same techniques to overflow a buffer in a function called from a pthread. The code below is built on an example from the article (overflow1.c) to show that the same techniques will work using pthreads. The actual technique you will use will depend on the target program you are trying to exploit.


/* get value of sp off the stack - not essential to example */
unsigned long get_sp()
{
   __asm__("movl %esp,%eax"); /* equiv. of 'return esp;' in C */
}

int foo()
{
   char buffer[96];

   /* overflow buffer to overwrite return address */
   /* and place code to be executed into buffer. */
   ...

   return 0;
}

void *thread(void *arg)
{
   printf("thread stack 0x%x\n", get_sp()); 

   foo();   

   return NULL;
}

int main(int argc, char **argv) 
{
   printf("main stack 0x%x\n", get_sp());   

   pthread_t t;
   pthread_create(&t, NULL, thread, NULL);
   pthread_join(t, NULL);

   return 0;
}
like image 163
jschmier Avatar answered Feb 14 '23 11:02

jschmier
Sign in to Comment

Related questions

Canny Edge Detector in C
What does readlink systemcall do?
What's your deep comprehension of pointer,reference and Handle in C,C++ and Java?
getline over a socket
linux threads and fopen() fclose() fgets()
What is a better method for packing 4 bytes into 3 than this?
GDB debugger problems - No source file named
Implementing DHCP client
ETXTBSY and how to override it
Continue running program until user type Ctrl + a
How do I get a program using getchar to run?
which language is better for packet capturing and processing
How does scanf() really work?
Php: creating functions in a for () loop
C Programming - Convert an integer to binary
Regex for string using GNU C regex library
Cscope problem - Search results invisible
UTC to Time of the day in ANSI C?
-isysroot or SDKROOT problem
How stupid it is to use an integer value a key for an Hash Table?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!