I need to execute a call to cat on a target file using a buffer overflow in a challenge app (can't execute on the stack, but can use libc). For reference, in C this is valid code for what I'm trying to do:
    #include <stddef.h>
    #include <unistd.h>

    int main(void) {
        /* execve expects argv and envp to be NULL-terminated pointer arrays */
        char * const argv[] = {"cat", "/etc/target/file", NULL};
        char * const envp[] = {NULL};
        execve("/bin/cat", argv, envp);
        return 1; /* only reached if execve fails */
    }
I can load some null-terminated strings up on the target and I've also determined the address of execve. Here's the info I have:
    "/bin/cat"         @ 0xbfffffb9
    "cat"              @ 0xbfffffbe
    "/etc/target/file" @ 0xbffff96f
    execve             @ 0x804831c
I can overwrite the EIP and following bytes with a string like:
    "AAAA....AAA" + EIP + [RETURN ADDR] + ARG1 + ARG2 ....
In the string above I can replace EIP with the address of execve and jump to the function, but that's where things go sour for me. I've never set up a stack for arrays and couldn't find a Google example of using arrays in a classic buffer overflow.
How can I set up the stack with array parameters for my function call? What does my stack need to look like in this case?
Assuming x86 and cdecl, you will have to push the arguments on the stack. As for what value to pass, you'll have to pass pointers to your arrays. The string layout above will stay the same.
Side note: In your string layout, it's not EIP but the saved EBP value from the previous frame.