
Simple heap overflow in a C program


I'm doing a simple heap overflow example. When I compiled the code I used the flags -m32, -no-pie, -fno-stack-protector, and -z execstack. I can make the program crash if I just send a string directly from the terminal, for example "AAAAAAA....AAA", but when I try to use python2 the program doesn't crash even though I use a really big number of A's.

Example:

./exe 'python2 -c"print 'A'*100"'

C code:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define BUFFER_SIZE 32

int main(int argc, char** argv)
{
    char *a = malloc(BUFFER_SIZE);
    char *b = malloc(BUFFER_SIZE);

    /* Deliberately unchecked copy: an argv[1] longer than BUFFER_SIZE - 1
       bytes runs past a into the chunk header of b, and free() later aborts
       on the corrupted metadata. argv[1] is NULL when argc < 2. */
    strcpy(a, argv[1]);

    free(a);
    free(b);
    return 0;
}

I tried the following commands:

./simple 'python2 -c"print A*100"'
./simple python2 -c"print A*100"
./simple 'python2 -c"print 'A'*100"'
./simple python2 -c"print 'A'*100"
./simple python2 -c"print('A'*100)"

This is in a virtual machine with Ubuntu 22.04.4 LTS and python 2.7.18

I can produce the overflow by either manually typing a lot of A's or creating a python script.

I apologize for any uncertainty, this is my first question.

I tried to send the python2 command in different forms. I also tried to use a payload directly, something like ./simple < payload, but this always crashes the program regardless of how many A's are in the payload.


Solution

  • ./simple 'python2 -c"print A*100"'
    

    Runs your program with argv[1] set to the string python2 -c"print A*100".

    You can and should test what is really happening in your program any time it surprises you, by one or more of:

    • Adding print statements so your program can confirm its internal state is what you expected, such as

       printf("argc=%d, argv[1]=%s\n", argc, argv[1]);
      
    • Debugging it in gdb or whatever other debugger you have available. If you don't know how to use it, this is the time to learn. If you didn't even know it existed, then wherever you're learning C is terrible.

    Everybody has bugs. Everybody learns to debug their code. It is normal and expected that you'll make some effort to understand what your program is actually doing (and here I include the shell pipeline that is your actual problem: that's code too).

    ./simple < payload
    

    is just completely wrong. Input redirection changes what stdin is connected to, it doesn't affect argv at all. Read the documentation for your shell to find out what other syntax exists that might be helpful.
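What each of the invocations from the question actually hands to argv[1], as an added example that is not code from the question or the answer. It is a POSIX shell script; `target`, `argc_of`, `arglen` and `a_times` are helper names invented for it. `target` stands in for ./simple and only reports what main() would see instead of calling strcpy(), and `a_times` builds the run of A's with awk so the script also runs where python2 is not installed (the python2 form is tried only if the interpreter exists).

```shell
#!/bin/sh
# Added example, not from the original post. 'target' stands in for the
# vulnerable ./simple binary: it reports what main() would receive instead of
# calling strcpy(). argc_of, arglen and a_times are helper names invented here.

# Stand-in for ./simple: print argc and argv[1] exactly as main() would see them.
# $# is the argument count without the program name, so argc is $# + 1.
target() {
    printf 'argc=%d argv[1]=%s\n' $(($# + 1)) "${1-<NULL>}"
}

# argc the C program would observe for the given arguments.
argc_of() { echo $(($# + 1)); }

# strlen(argv[1]) for the given first argument (${#1} is POSIX).
arglen() { echo "${#1}"; }

# Emit N copies of "A" without python2 (awk is POSIX); a constructed payload.
a_times() { awk -v n="$1" 'BEGIN { while (n-- > 0) printf "A" }'; }

# 1. Single quotes: nothing runs, the 23-byte literal text becomes argv[1].
#    Far too short to reach the end of the 32-byte buffer, so no overflow.
target 'python2 -c"print A*100"'

# 2. Command substitution: the inner command runs first and its stdout becomes
#    argv[1]. $(...) is the modern spelling of backticks; keep the double quotes
#    so a payload containing whitespace is not split into several arguments.
target "$(a_times 100)"

# The same form with the question's python2 one-liner, if python2 is present.
if command -v python2 >/dev/null 2>&1; then
    target "$(python2 -c "print 'A'*100")"
fi

# 3. Input redirection only changes stdin. argc stays 1 and argv[1] is NULL,
#    which is why ./simple < payload faults in strcpy() whatever the file holds.
payload="${TMPDIR:-/tmp}/payload.$$"
a_times 100 > "$payload"
target < "$payload"

# 4. To pass a payload file as argv[1], read it with command substitution.
#    Note: $(...) strips trailing newlines and cannot carry NUL bytes.
target "$(cat "$payload")"
rm -f "$payload"
```

Run it as `sh argv_demo.sh`: case 1 prints the 23-character literal, cases 2 and 4 print 100 A's, and case 3 prints argc=1 with a NULL argv[1]. Replace `target` with the real `./simple` binary and only cases 2 and 4 deliver enough bytes to corrupt the next chunk's header.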