Hi everyone... I wanted to practice a bit with buffer overflows, but I just can't get it to work... On my Ubuntu I had stack smashing protection (gcc 4.1), so I switched to gcc 3.4... but I still can't get anything out of it...

In this file I take the address of a function and try to overwrite EIP with it, so that execution lands in that function, which prints a confirmation message... but I can't manage to overwrite EIP...

This is my code... at the top I have a function for converting from big-endian to little-endian... I thought I would need it, but the compiler does the swap automatically.

Code:
#include <stdio.h>
#include <string.h>   /* memcpy: this include was missing, gcc only warned about the implicit declaration */

/* Byte-swap a 32-bit value (big-endian <-> little-endian). Not actually needed here. */
int btol(int i)
{
    return((i&0xff)<<24)+((i&0xff00)<<8)+((i&0xff0000)>>8)+((i>>24)&0xff);
}

int ciao (int b) {
	printf("smashing...\n");
	char sou[4] = "AAAA";          /* exactly 4 bytes, no terminator */
	
	/* &sou+1 is sou+4, i.e. just past the buffer: the copy of 16 bytes starting
	 * at &b deliberately overwrites the saved EBP and the return address. */
	memcpy((int *) (&sou+1), &b,16);
}

/* Target function: reached only if the return address of ciao() gets overwritten. */
int a() {
	printf("secret");
}

int main ( int argc, char *argv[] ) {
	char sara[4];
	int b = &a;                    /* address of a() stored in an int (hence the compiler warning) */
	printf("function 'a' is @ 0x%x\n", b);
	
	ciao(b);
}
Code:
g0d@g0d-desktop:~/Projects/6.Note$ gcc-3.4 -o x xploitable.c -g
xploitable.c: In function `main':
xploitable.c:21: warning: initialization makes integer from pointer without a cast
g0d@g0d-desktop:~/Projects/6.Note$ gdb ./x -q
(gdb) break 12
Breakpoint 1 at 0x80483cc: file xploitable.c, line 12.
(gdb) break 13
Breakpoint 2 at 0x80483e9: file xploitable.c, line 13.
(gdb) run
Starting program: /home/g0d/Projects/6.Note/x 
function 'a' is @ 0x80483eb
smashing...

Breakpoint 1, ciao (b=134513643) at xploitable.c:12
12		memcpy((int *) (&sou+1), &b,40);
(gdb) disass main
Dump of assembler code for function main:
0x080483ff <main+0>:	push   ebp
0x08048400 <main+1>:	mov    ebp,esp
0x08048402 <main+3>:	sub    esp,0x18
0x08048405 <main+6>:	and    esp,0xfffffff0
0x08048408 <main+9>:	mov    eax,0x0
0x0804840d <main+14>:	add    eax,0xf
0x08048410 <main+17>:	add    eax,0xf
0x08048413 <main+20>:	shr    eax,0x4
0x08048416 <main+23>:	shl    eax,0x4
0x08048419 <main+26>:	sub    esp,eax
0x0804841b <main+28>:	mov    DWORD PTR [ebp-0x8],0x80483eb
0x08048422 <main+35>:	mov    eax,DWORD PTR [ebp-0x8]
0x08048425 <main+38>:	mov    DWORD PTR [esp+0x4],eax
0x08048429 <main+42>:	mov    DWORD PTR [esp],0x8048525
0x08048430 <main+49>:	call   0x80482ec <printf@plt>
0x08048435 <main+54>:	mov    eax,DWORD PTR [ebp-0x8]
0x08048438 <main+57>:	mov    DWORD PTR [esp],eax
0x0804843b <main+60>:	call   0x80483b2 <ciao>
0x08048440 <main+65>:	leave  
0x08048441 <main+66>:	ret    
End of assembler dump.
(gdb) x/40wx &sou
0xbffadca4:	0x41414141	0xbffadcd8	0x08048440	0x080483eb
0xbffadcb4:	0x080483eb	0xbffadcd8	0x08048479	0xb809ff50
0xbffadcc4:	0x08048300	0x0804846b	0xb807cff4	0x080483eb
0xbffadcd4:	0x08048300	0xbffadd38	0xb7f39685	0x00000001
0xbffadce4:	0xbffadd64	0xbffadd6c	0xb8091b38	0x00000001
0xbffadcf4:	0x00000001	0x00000000	0x0804820b	0xb807cff4
0xbffadd04:	0x08048460	0x08048300	0xbffadd38	0x2399c16a
0xbffadd14:	0x310c957a	0x00000000	0x00000000	0x00000000
0xbffadd24:	0xb80a5090	0xb7f395ad	0xb80adff4	0x00000001
0xbffadd34:	0x08048300	0x00000000	0x08048321	0x080483ff
(gdb) cont
Continuing.

Breakpoint 2, ciao (b=-1074078504) at xploitable.c:13
13	}
(gdb) x/40wx &sou
0xbffadca4:	0x41414141	0x080483eb	0x080483eb	0xbffadcd8
0xbffadcb4:	0x08048479	0xb809ff50	0x08048300	0x0804846b
0xbffadcc4:	0xb807cff4	0x080483eb	0x08048300	0x080483eb
0xbffadcd4:	0x08048300	0xbffadd38	0xb7f39685	0x00000001
0xbffadce4:	0xbffadd64	0xbffadd6c	0xb8091b38	0x00000001
0xbffadcf4:	0x00000001	0x00000000	0x0804820b	0xb807cff4
0xbffadd04:	0x08048460	0x08048300	0xbffadd38	0x2399c16a
0xbffadd14:	0x310c957a	0x00000000	0x00000000	0x00000000
0xbffadd24:	0xb80a5090	0xb7f395ad	0xb80adff4	0x00000001
0xbffadd34:	0x08048300	0x00000000	0x08048321	0x080483ff
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffadcda in ?? ()
(gdb)
In bold you can see the EIP... both in the disassembly and on the stack. With the memcpy you can see that I overwrite it... but then, why does it segfault at address 0xbffadcda??? which, by the way, isn't even on the stack?

I can't figure out where I'm going wrong... can you help me?
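The stack dump in the post shows why a 4-byte local is dangerous: the saved EBP and the return address sit immediately above `sou`, and `&sou+1` is exactly the address of the first word past the buffer. The following example (added here as an illustration, not code from the post) shows the mitigation side: a bounded copy that refuses any write larger than the destination, a hardened counterpart of `ciao()` built on it, and a small helper that makes the `&sou + 1` arithmetic explicit. The names `bounded_copy`, `ciao_hardened`, `overflow_start_offset` and `copy_that_fits` are assumptions introduced for this example; the only value taken from the post is the address 0x80483eb, used as sample input.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bounded copy: refuses any write that would spill past dst (and so into the
 * saved EBP / return address that sit right above a stack buffer).
 * Returns 0 on success, -1 if n exceeds dst_len (nothing is written then). */
int bounded_copy(char *dst, size_t dst_len, const void *src, size_t n)
{
    if (n > dst_len)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Hardened counterpart of the post's ciao(): same 4-byte buffer, same request
 * to copy 16 bytes starting at &b, but the length is checked against sizeof sou.
 * Returns the bounded_copy result so a caller (or a test) can observe the refusal. */
int ciao_hardened(int b)
{
    char sou[4] = "AAAA";                          /* exactly 4 bytes, no terminator */
    return bounded_copy(sou, sizeof sou, &b, 16);  /* 16 > 4: refused, frame untouched */
}

/* Why the post's write starts exactly at the saved EBP: &sou has type
 * char (*)[4], so &sou + 1 advances by sizeof sou = 4 bytes, i.e. one past
 * the end of the buffer. Returns that byte offset (4). */
size_t overflow_start_offset(void)
{
    char sou[4] = "AAAA";
    return (size_t)((char *)(&sou + 1) - sou);
}

/* Sanity check: a copy that fits is performed unchanged. Returns 1 on success. */
int copy_that_fits(void)
{
    char dst[4] = {0};
    return bounded_copy(dst, sizeof dst, "ABCD", 4) == 0 && memcmp(dst, "ABCD", 4) == 0;
}

int main(void)
{
    printf("4-byte copy into 4-byte buffer ok: %d\n", copy_that_fits());
    printf("ciao_hardened(0x80483eb) returns:  %d\n", ciao_hardened(0x80483eb));
    printf("&sou + 1 is sou + %zu\n", overflow_start_offset());
    return 0;
}
```

The length check is the fix the compiler cannot make for you; what the gcc 4.1 stack-smashing protection the post switched away from adds is a runtime canary between the locals and the saved EBP, so an overwrite like the one in the dump is detected at `ciao`'s epilogue and aborts the program instead of returning into a corrupted address. Both together are the usual defence: bounded copies in the source, and building with the stack protector enabled.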