I have an assignment from school (I will not ask any question that will give me the answer to the assignment)
We have been given the following code in c:
#include <stdio.h>
#include <stdlib.h>
int main( int argc, char **argv ) {
char * stuff = 0;
int len = 0;
vulnerable();
return 0;
}
int vulnerable( void ) {
char buf[100];
printf("Please enter your hacker name: ");
fflush(stdout);
gets(buf);
printf("\"%s\"\n can hack this?" , buf );
}
void notcalled( void ) {
char *secret = "Iouf jmmb, cbsb sftufo lwbs!";
int i;
printf("The Secret string is: ");
for( i = 0 ; secret[i] ; i++ )
if( secret[i] >= 'a' && secret[i] <= 'z' )
printf("%c" , secret[i] -1 );
else
printf("%c" , secret[i] );
printf("\n");
}
I have compiled the program using the command:
gcc -fno-stack-protector -z execstack -o oflow oflow.c
I want to know if I am "right on track".
The first thing I did was to find the function "notcalled()" address, after that I have been looking at the stack while running gdb and trying to figure out where to put this address.
I have also been using following perl script to overflow the program:
perl -e 'print "A"x312 ."\xb0\x85\x04\x08"' | ./oflow
(note that the value 312 is just an example)
My question is: How can I find out where to place the address in the stack and how to calculate how many bytes I have to fill to overflow. (I don't want the answer, I want hints and tips to solve my problem)
Thanks in advance!
To give an exact answer you would really need to provide the disassembly of the vulnerable method since it's going to vary depending upon the hardware you're running on.
A function call typically consists of something like this:
1 Push arguments on to the stack.
2 Call method.
3 Clean up the stack.
The call operation is essentially the combination of two instructions:
2.1 Push the address of line 3 onto the stack.
2.2 Jump to the address of the method being called.
The method being called typically consists of something like this:
4 Create a stack frame for the method (something like below)
push bp
mov sp, bp
5 Create space for local variables on the stack
sub 0x64, sp
6 Do stuff....
7 Clean up the stack frame.
mov bp, sp
pop bp
8 Return from the method.
ret
Figuring out where to put the address on the stack
The ret instruction pops the address pushed when the method was called, into the instruction pointer. The goal is to change this address so that instead of pointer pushed at line 3 it is pointing at your notcalled method. So, you need to get the address onto the stack just past outside the methods stack frame.
Figuring out how to trigger the overflow
As you probably already know, the vulnerable part of the method call is it's call to gets. This takes input from stdin and keeps collecting input until it gets to an end of line. Since it doesn't take in a buffer size, this means that it is possible to pass more characters to gets than the buffer it is pointing at can hold hence you can trigger a buffer overflow.
Figuring out how many bytes are needed to overflow
As I've said above, you trigger the overflow by over filling the buffer. So, the size of the input is going to be some function of (buffer size) + (possibly any other local variables) + (the stack frame). You can either work this out by looking at the disassembly, or do it through a little bit of trial and error to see how you are filling the buffer and overflowing it through the stack.