Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to replace the return address on the stack using a buffer overflow attack

For a homework assignment, I am performing a series of buffer overflow attacks. I was given a program to disassemble, the source code in C for a function that improperly calls gets(), and the source code for several other functions that I am supposed to force the program to call. For one of the tasks, I have to:

  • Inject some code that changes a value, then
  • Return to one of the aforementioned methods

The main thing that I don't understand where the program looks in the stack when determining where to return. Where is the return address for a method stored on the stack?

The program was compiled for x86.

like image 874
Kevin Avatar asked Dec 12 '22 21:12

Kevin


1 Answers

What you need to know:

  • EIP is a register that points at the next instruction to execute.
  • When calling a function, the arguments and then EIP (so the called function knows where to return to) are saved on the stack.

  • When the compiler has been told (explicitly or implicitly) to use frame pointers, it then saves the frame pointer (in the EBP register) on the stack (so it can later restore the frame pointer to the value it had on the calling function), and then sets the frame pointer to point to the current top of the stack. This allows accessing easily arguments and local variables from a known point of reference (the frame pointer), and greatly simplifies debugging.

  • Then, space is reserved for local variables, and the function is executed.
  • When returning from the function, the previous frame pointer and instruction pointer are restored.

A function call on x86 looks something like:

                                        ...
int main()                              add  $-0x8,%esp ; alignment
{                                       push $0x2       ; arg 2
        ...                             push $0x1       ; arg 1
        func(1, 2);                     call func       ; function call
        ...                             add  $0x10,%esp ; pop args from stack
}                                       ...

And the called function looks something like:

void func(int arg1, int arg2)           push %ebp       ;\
{                                       mov  %esp,%ebp  ;/ create stack frame
        int local1;                     sub  $0x18,%esp ; reserves space
        ...                             ...
}                                       mov  %ebp,%esp  ;\
                                        pop  %ebp       ;/ destroys frame
                                        ret             ; returns

So, the stack will look similar to:

          :           :
          +-----------+
          : alignment :
          +-----------+
12(%ebp)  |   arg2    |
          +-----------+
 8(%ebp)  |   arg1    |
          +-----------+
 4(%ebp)  |    ret    | -----> return address
          +-----------+
  (%ebp)  |    ebp    | -----> previous ebp
          +-----------+
-4(%ebp)  |  local1   | -----> local vars
          +-----------+
          : alignment :
          +-----------+
          :           :

(Lower addresses are lower on the ASCII-art)

like image 200
ninjalj Avatar answered Dec 28 '22 08:12

ninjalj