Menu
I got a homework assignment asking me to invoke a function without explicitly calling it, using buffer overflow. The code is basically this:
#include <stdio.h> #include <stdlib.h> void g() { printf("now inside g()!\n"); } void f() { printf("now inside f()!\n"); // can only modify this section // cant call g(), maybe use g (pointer to function) } int main (int argc, char *argv[]) { f(); return 0; } Though I'm not sure how to proceed. I thought about changing the return address for the program counter so that it'll proceed directly to the address of g(), but I'm not sure how to access it. Anyway, tips will be great.
615
Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes the execution path of the program, triggering a response that damages files or exposes private information.
Also known as a buffer overrun, buffer overflow occurs when the amount of data in the buffer exceeds its storage capacity. That extra data overflows into adjacent memory locations and corrupts or overwrites the data in those locations.
In a classic buffer overflow exploit, the attacker sends data to a program, which it stores in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function's return pointer.
When the amount of allocated data exceeds the capacity of the buffer, the extra data will overflow -- hence the name buffer overflow. This may cause data to leak out into other buffers, which can then corrupt or overwrite their contents. In a buffer overflow attack, a malicious actor exploits vulnerable software.
The basic idea is to alter the function's return address so that when the function returns is continues to execute at a new hacked address. As done by Nils in one of the answers, you can declare a piece of memory (usually array) and overflow it in such a way that the return address is overwritten as well.
I would suggest you to not blindly take any of the programs given here without actually understanding how they work. This article is very well written and you'll find it very useful:
A step-by-step on the buffer overflow vulnerablity
83
That is compiler dependent, so no single answer can be given.
The following code will do what you want for gcc 4.4.1. Compile with optimizations disabled (important!)
#include <stdio.h> #include <stdlib.h> void g() { printf("now inside g()!\n"); } void f() { int i; void * buffer[1]; printf("now inside f()!\n"); // can only modify this section // cant call g(), maybe use g (pointer to function) // place the address of g all over the stack: for (i=0; i<10; i++) buffer[i] = (void*) g; // and goodbye.. } int main (int argc, char *argv[]) { f(); return 0; } Output:
nils@doofnase:~$ gcc overflow.c nils@doofnase:~$ ./a.out now inside f()! now inside g()! now inside g()! now inside g()! now inside g()! now inside g()! now inside g()! Segmentation fault If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
