Understanding and doing Code Injection in C

Tags:

c

I am a bit confused about the idea of code injection in C. If somebody could explain it and show how it's done I would appreciate it.

So let's say in C you have some char array of size 512 which is being written to with the contents of a socket of length 1024, and that char array now holds some sort of code but only half of what was written.

How is the malicious code executed in a buffer overflow? I think I am confused about the process structure (stack, heap, data, text).

Recursion asked Nov 15 '09 23:11


2 Answers

The general trick has to do with how the program's code and variables are laid out in memory. For example, when a function is called, the program (code inserted by the compiler) must store the address of the instruction to return to. So if this is the 32-bit word just before the beginning of the stack, one could do:

 #include <stdio.h>

 void foo()
 {
    int array[5];
    int var = 0;
    int var2 = 0;

    // read in user input (scanf needs the address of each variable)
    printf("Enter index and value to write:");
    scanf("%i", &var);
    scanf("%i", &var2);

    // malicious user might set var to -1 and var2 to an address to execute
    // if say the 32-bit value before the stack variables is the instruction to
    // return to
    // deliberately unchecked: var is never compared against the array bounds
    array[var] = var2;

    // return now goes to malicious code
 }

(So your job is to construct code so that such a thing is not possible. :) )

The rules for how a function call is implemented, stack variables allocated, values passed, and return values returned back are called the calling convention. I recommend reading the attached article for good in-depth coverage of C calling conventions.

Doug T. answered Sep 28 '22 06:09


If you allocate a buffer on the stack, and it overflows, it writes onto the stack. The stack contains the return pointer for the function that allocated the buffer. So, if you overflow a buffer on the stack, you can set the return pointer to something arbitrary, thereby giving you control of the thread of execution.

As to actually injecting the code, that depends. The stack - or rather, the page containing it - is often set not to allow code execution; but historically it would have been possible to store small malicious programs in the buffer itself on the stack. Return-oriented programming is a fairly new variant of the return-to-libc attack, both of which work around NX bits.

Kevin Montrose answered Sep 28 '22 08:09
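
As an added example (not code from the question or from either answer), here is the hardened counterpart to the unchecked `array[var] = var2` write and to the question's 1024 bytes arriving at a 512-byte buffer. The names `store_from_line`, `bounded_copy` and `guard_survives`, the input format, and the guard word standing in for adjacent stack data are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Parse "index value"; returns 0 if stored, -1 if malformed or out of range. */
int store_from_line(int *array, size_t slots, const char *line)
{
    char *end;
    errno = 0;
    long index = strtol(line, &end, 0);   /* base 0 accepts what %i accepts */
    if (end == line || errno == ERANGE)
        return -1;
    const char *p = end;
    long value = strtol(p, &end, 0);
    if (end == p || errno == ERANGE || value < INT_MIN || value > INT_MAX)
        return -1;
    if (index < 0 || (size_t)index >= slots)  /* rejects -1 and 5 alike */
        return -1;
    array[index] = (int)value;
    return 0;
}

/* Copy at most dst_size bytes; a return smaller than src_len means truncated. */
size_t bounded_copy(unsigned char *dst, size_t dst_size,
                    const unsigned char *src, size_t src_len)
{
    size_t n = src_len < dst_size ? src_len : dst_size;
    memcpy(dst, src, n);
    return n;
}

/* Constructed: 1024 bytes offered to a 512-byte buffer beside a guard word. */
int guard_survives(void)
{
    struct { unsigned char buf[512]; unsigned guard; } frame = {{0}, 0xC0FFEEu};
    unsigned char msg[1024];
    memset(msg, 'A', sizeof msg);
    size_t n = bounded_copy(frame.buf, sizeof frame.buf, msg, sizeof msg);
    return n == sizeof frame.buf && frame.guard == 0xC0FFEEu;
}

int main(void)
{
    int a[5] = {0};
    printf("%d %d %d\n", store_from_line(a, 5, "2 7"),
           store_from_line(a, 5, "-1 7"), guard_survives());
    return 0;
}
```

The index check runs before the write, and the copy length is derived from the destination size rather than from what the sender supplied, so neither path can touch memory outside the array or buffer.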

Kevin Montrose