Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Need to exploit buffer overflow. Can't figure out how to uncorrupt the stack after executing exploit code?

Tags:

assembly

stack-overflow

exploit

shellcode

Basically the function I am exploiting is this:

int getbufn()
{
     char buf[512];
     Gets(buf);
     return 1;
}

When I run the main program the function executes 5 times and each time the location of buf changes and so does the location of %ebp. What I am supposed to do is place a specific hex value, lets say 0xFFFFFFFF, into a variable and the main program checks each time to see if that variable is there. If it is it executes again until all 5 times are done and the program exits quietly.

The problem I am having is that right before the check for the hex value there is a check for another value that is constant, lets say 0x12345678. If I have corrupted 0x12345678 and it's not there, the program explodes on me.

I have figured out that 0x12345678 is stored in -0x10(%ebp) so I know it is based off %ebp and I know the address of %ebp each time but I can only get the exploit to work the first time. I do this by basically nopsled-ing 496 bytes and the having this machine code in byte format:

mov  0xFFFFFFFF, %eax
movl address old ebp, %ebp
push correct return adress in function main
ret

which ends up being 5 words and a byte for return long which I fill with 0x313131 to make it 6 words long. At this point my exploit string is 520 bytes long which is exactly how much the buffer is below %ebp and so I add on the address of old ebp and an address somewhere inside my nopsled overwriting the current value at %ebp as well as the return address for getbufn.

The problem is when the program executes a 2nd time %ebp is in an address 0x10 lower than its previous address so my way of uncorrupting %ebp doesn't work and main detects that 0x12345678 is not at -0x10(%ebp). How do I uncorrupt %ebp?

like image 244
michael60612 Avatar asked Oct 12 '11 19:10

michael60612

People also ask

How can buffer overflow be exploited?

Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes the execution path of the program, triggering a response that damages files or exposes private information.

What is buffer overflow exploitation explain the steps how it is happening?

A buffer overflow occurs when a program or process attempts to write more data to a fixed length block of memory (a buffer), than the buffer is allocated to hold. By sending carefully crafted input to an application, an attacker can cause the application to execute arbitrary code, possibly taking over the machine.

1 Answers

pmjordan is right, you should be able to calculate where %ebp is in relation to %esp. Remember, the %esp is your current stack pointer and %ebp is where your stack pointer was for the previous function. Instead of having a static %ebp, you need to have a dynamic one calculated from %esp (or really just looking at what is stored at memory located in %esp offset by the stack variables). The pseudo code would be something like:

  1. calculate the offset of %ebp from %esp
  2. read the value stored at that memory location and store for yourself
  3. do your exploit
  4. restore the old value of %ebp stored in step 2
  5. ret
like image 121
dbeer Avatar answered Oct 04 '22 19:10

dbeer
Sign in to Comment

Related questions

Assembly Performance Tuning
What kind of C++ would I have to learn to make my own OS kernel? [closed]
How to get the assembly code of a CUDA kernel?
Getting assember output from GCC/Clang in LTO mode
Why there is a number 22 in GCC's implementation of a VLA(variable-length array)?
How To Build a Hello World For Nintendo 64?
Segfault: and the disassembly is different between objdump and gdb
Why BCD instructions were removed in AMD64? [duplicate]
Combining LinkedList with String Reversal as Goal is to understand LinkedList
propagate carry bit between two ASM GCC inline block
Why can the Rust compiler not optimize away the Err arm of Box::downcast?
what is the difference between a label and a function in assembly
Why does Java compile to assembly twice? [duplicate]
objdump and ARM vs Thumb
odd compiled code
How to defeat hardware prefetcher in core i3/i7 in linux
Why don't I get performance improvement by using get_unchecked()?
Editing assembly on Mac OS X

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!