Ciao a tutti... volevo esercitarmi un pò con l'overflow del buffer, ma proprio non ci riesco... Nel mio ubuntu avevo la stack smashing protection ( gcc 4.1 ) così sono passato a gcc 3.4... ma ancora non riesco a cavarne fuori niente...
in questo file prendo l'indirizzo di una funzione per cercare di sovrascrivere l'eip, accedendo alla suddetta funzione che mostra un messaggio di conferma... però non riesco a sovrascrivere l'eip...
questo è il mio codice... in alto c'ho una funzione per il passaggio da big-endian a little-endian... pensavo che mi servisse, invece il compilatore lo scambia in auto.
codice:
#include <stdio.h>
int btol(int i)
{
return((i&0xff)<<24)+((i&0xff00)<<8)+((i&0xff0000)>>8)+((i>>24)&0xff);
}
int ciao (int b) {
printf("smashing...\n");
char sou[4] = "AAAA";
memcpy((int *) (&sou+1), &b,16);
}
int a() {
printf("secret");
}
int main ( int argc, char *argv[] ) {
char sara[4];
int b = &a;
printf("function 'a' is @ 0x%x\n", b);
ciao(b);
}
codice:
g0d@g0d-desktop:~/Projects/6.Note$ gcc-3.4 -o x xploitable.c -g
xploitable.c: In function `main':
xploitable.c:21: warning: initialization makes integer from pointer without a cast
g0d@g0d-desktop:~/Projects/6.Note$ gdb ./x -q
(gdb) break 12
Breakpoint 1 at 0x80483cc: file xploitable.c, line 12.
(gdb) break 13
Breakpoint 2 at 0x80483e9: file xploitable.c, line 13.
(gdb) run
Starting program: /home/g0d/Projects/6.Note/x
function 'a' is @ 0x80483eb
smashing...
Breakpoint 1, ciao (b=134513643) at xploitable.c:12
12 memcpy((int *) (&sou+1), &b,40);
(gdb) disass main
Dump of assembler code for function main:
0x080483ff <main+0>: push ebp
0x08048400 <main+1>: mov ebp,esp
0x08048402 <main+3>: sub esp,0x18
0x08048405 <main+6>: and esp,0xfffffff0
0x08048408 <main+9>: mov eax,0x0
0x0804840d <main+14>: add eax,0xf
0x08048410 <main+17>: add eax,0xf
0x08048413 <main+20>: shr eax,0x4
0x08048416 <main+23>: shl eax,0x4
0x08048419 <main+26>: sub esp,eax
0x0804841b <main+28>: mov DWORD PTR [ebp-0x8],0x80483eb
0x08048422 <main+35>: mov eax,DWORD PTR [ebp-0x8]
0x08048425 <main+38>: mov DWORD PTR [esp+0x4],eax
0x08048429 <main+42>: mov DWORD PTR [esp],0x8048525
0x08048430 <main+49>: call 0x80482ec <printf@plt>
0x08048435 <main+54>: mov eax,DWORD PTR [ebp-0x8]
0x08048438 <main+57>: mov DWORD PTR [esp],eax
0x0804843b <main+60>: call 0x80483b2 <ciao>
0x08048440 <main+65>: leave
0x08048441 <main+66>: ret
End of assembler dump.
(gdb) x/40wx &sou
0xbffadca4: 0x41414141 0xbffadcd8 0x08048440 0x080483eb
0xbffadcb4: 0x080483eb 0xbffadcd8 0x08048479 0xb809ff50
0xbffadcc4: 0x08048300 0x0804846b 0xb807cff4 0x080483eb
0xbffadcd4: 0x08048300 0xbffadd38 0xb7f39685 0x00000001
0xbffadce4: 0xbffadd64 0xbffadd6c 0xb8091b38 0x00000001
0xbffadcf4: 0x00000001 0x00000000 0x0804820b 0xb807cff4
0xbffadd04: 0x08048460 0x08048300 0xbffadd38 0x2399c16a
0xbffadd14: 0x310c957a 0x00000000 0x00000000 0x00000000
0xbffadd24: 0xb80a5090 0xb7f395ad 0xb80adff4 0x00000001
0xbffadd34: 0x08048300 0x00000000 0x08048321 0x080483ff
(gdb) cont
Continuing.
Breakpoint 2, ciao (b=-1074078504) at xploitable.c:13
13 }
(gdb) x/40wx &sou
0xbffadca4: 0x41414141 0x080483eb 0x080483eb 0xbffadcd8
0xbffadcb4: 0x08048479 0xb809ff50 0x08048300 0x0804846b
0xbffadcc4: 0xb807cff4 0x080483eb 0x08048300 0x080483eb
0xbffadcd4: 0x08048300 0xbffadd38 0xb7f39685 0x00000001
0xbffadce4: 0xbffadd64 0xbffadd6c 0xb8091b38 0x00000001
0xbffadcf4: 0x00000001 0x00000000 0x0804820b 0xb807cff4
0xbffadd04: 0x08048460 0x08048300 0xbffadd38 0x2399c16a
0xbffadd14: 0x310c957a 0x00000000 0x00000000 0x00000000
0xbffadd24: 0xb80a5090 0xb7f395ad 0xb80adff4 0x00000001
0xbffadd34: 0x08048300 0x00000000 0x08048321 0x080483ff
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xbffadcda in ?? ()
(gdb)
In grassetto vedete l'eip... sia nel disassembler che nello stack. con il memcpy vedete che lo sovrascrivo... ma allora, perchè dà il segmentation fault nell'indirizzo 0xbffadcda??? che tra l'altro manco c'è nello stack?
non riesco a capire dove sbaglio... potete aiutarmi?