 

For buffer overflows, what is the stack address when using pthreads?

I'm taking a class in computer security and there is an extra credit assignment to insert executable code into a buffer overflow. I have the C source code for the target program I'm trying to manipulate, and I've gotten to the point where I can successfully overwrite the EIP for the current function's stack frame. However, I always get a segmentation fault, because the address I supply is always wrong. The problem is that the current function is inside a pthread, and therefore the address of the stack seems to change between different runs of the program. Is there any method for finding the stack address within a pthread (or for estimating the stack address within a pthread)? (Note: pthread_create's 2nd argument is NULL, so we're not manually assigning a stack address.)

t2k32316 asked Jan 22 '23 11:01
1 Answer

I suggest reading the excellent (if a bit dated) article/tutorial on exploiting buffer overflow vulnerabilities Smashing The Stack For Fun And Profit.

Here's a brief excerpt:

The problem is that we don't know where in the memory space of the program we are trying to exploit the code (and the string that follows it) will be placed. One way around it is to use a JMP, and a CALL instruction. The JMP and CALL instructions can use IP relative addressing, which means we can jump to an offset from the current IP without needing to know the exact address of where in memory we want to jump to.


You can retrieve the current value of the stack pointer with a bit of inline assembly. All the examples in Smashing The Stack For Fun And Profit overflow a buffer in main, but you can just as easily use the same techniques to overflow a buffer in a function called from a pthread. The code below is built on an example from the article (overflow1.c) to show that the same techniques will work using pthreads. The actual technique you will use will depend on the target program you are trying to exploit.


#include <pthread.h>
#include <stdio.h>

/* get value of sp off the stack - not essential to example */
unsigned long get_sp(void)
{
   unsigned long sp;
   /* equiv. of 'return esp;' in C; using an output operand keeps it
      correct under optimisation and on x86-64 (rsp) */
#if defined(__x86_64__)
   __asm__ volatile("movq %%rsp, %0" : "=r"(sp));
#else
   __asm__ volatile("movl %%esp, %0" : "=r"(sp));
#endif
   return sp;
}

int foo(void)
{
   char buffer[96];

   /* overflow buffer to overwrite return address */
   /* and place code to be executed into buffer. */
   /* ... */
   (void)buffer;

   return 0;
}

void *thread(void *arg)
{
   (void)arg;
   printf("thread stack 0x%lx\n", get_sp());

   foo();

   return NULL;
}

int main(int argc, char **argv)
{
   printf("main stack 0x%lx\n", get_sp());

   pthread_t t;
   pthread_create(&t, NULL, thread, NULL);
   pthread_join(t, NULL);

   return 0;
}
jschmier answered Feb 14 '23 11:02
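The answer above leans on two facts that are worth seeing in running code: a pthread's stack lands at a different address on every run (and differs between threads in one process), but the distance from the stack pointer observed at thread entry to a buffer deeper in the call chain is fixed for a given build, so an estimated SP plus a constant offset predicts where the buffer is; and the article's NOP-sled layout makes a slightly wrong estimate still work. The program below is an added example, not code from the answer or from Smashing The Stack. The function names, the `probe` struct, the `vulnerable` stand-in (nothing is actually overflowed) and the four `int3` placeholder bytes used as "code" are all assumptions of this example.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the answer's code. Current stack pointer, read with an
 * output operand so it survives optimisation and works on x86-64 too. */
static uintptr_t get_sp(void)
{
    uintptr_t sp;
#if defined(__x86_64__)
    __asm__ volatile("movq %%rsp, %0" : "=r"(sp));
#elif defined(__i386__)
    __asm__ volatile("movl %%esp, %0" : "=r"(sp));
#else
    sp = (uintptr_t)__builtin_frame_address(0);   /* other targets: frame address */
#endif
    return sp;
}

struct probe {
    uintptr_t entry_sp;   /* SP seen on entry to the thread function */
    uintptr_t buf_addr;   /* address of the buffer in the callee's frame */
};

/* Hypothetical stand-in for the overflowable function; nothing is overflowed
 * here. noinline keeps its frame, and so the SP-to-buffer distance, real. */
__attribute__((noinline)) static uintptr_t vulnerable(void)
{
    volatile char buffer[96];
    buffer[0] = 0;                      /* keep the array from being dropped */
    return (uintptr_t)buffer;
}

static void *thread_fn(void *arg)
{
    struct probe *p = arg;
    p->entry_sp = get_sp();
    p->buf_addr = vulnerable();
    return NULL;
}

/* Runs two threads at the same time (so neither can reuse the other's cached
 * stack), reports whether their stacks differ, and returns 1 when the
 * entry_sp - buf_addr distance is identical in both, i.e. when
 * b.entry_sp - delta would have predicted b.buf_addr exactly. 0 on failure. */
int measure_thread_stacks(uintptr_t *delta_out, int *stacks_differ_out)
{
    struct probe a = {0, 0}, b = {0, 0};
    pthread_t ta, tb;

    if (pthread_create(&ta, NULL, thread_fn, &a) != 0)
        return 0;
    if (pthread_create(&tb, NULL, thread_fn, &b) != 0) {
        pthread_join(ta, NULL);
        return 0;
    }
    pthread_join(ta, NULL);
    pthread_join(tb, NULL);

    if (delta_out)
        *delta_out = a.entry_sp - a.buf_addr;
    if (stacks_differ_out)
        *stacks_differ_out = (a.entry_sp != b.entry_sp);
    return (a.entry_sp - a.buf_addr) == (b.entry_sp - b.buf_addr);
}

/* The article's sled layout: NOPs in the first half, then the code, then the
 * guessed address in every remaining pointer-sized slot, so any guess inside
 * [buf, buf + sled) reaches the code. Returns the sled length, 0 if no room. */
size_t build_payload(unsigned char *out, size_t outlen,
                     const unsigned char *code, size_t codelen, uintptr_t guess)
{
    size_t sled, i;

    if (outlen / 2 < codelen || outlen - outlen / 2 < sizeof guess)
        return 0;
    sled = outlen / 2 - codelen;
    memset(out, 0x90, sled);                        /* x86 NOP sled */
    memcpy(out + sled, code, codelen);
    for (i = sled + codelen; i + sizeof guess <= outlen; i += sizeof guess)
        memcpy(out + i, &guess, sizeof guess);      /* return-address slots */
    return sled;
}

int main(void)
{
    uintptr_t delta = 0;
    int differ = 0;
    int stable = measure_thread_stacks(&delta, &differ);
    /* Constructed placeholder "code": four int3 bytes, not real shellcode. */
    unsigned char buf[64], code[4] = {0xcc, 0xcc, 0xcc, 0xcc};
    size_t sled = build_payload(buf, sizeof buf, code, sizeof code, 0x41414141u);

    printf("stacks differ: %d  offset stable: %d  offset: %#lx\n",
           differ, stable, (unsigned long)delta);
    printf("payload: %zu-byte sled, code at %zu, address slots from %zu\n",
           sled, sled, sled + sizeof code);
    return 0;
}
```

Build with `gcc -O2 -pthread` (older glibc needs the flag to link pthread_create) and run it a few times: the raw addresses change, the reported offset does not. The caveat is that the offset is a property of the binary, not of pthreads: it holds only for the exact build of the target (same compiler, flags, frame layout), which is why the article's approach pairs the estimate with a sled rather than relying on a single exact address.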