
I have an exercise that asks me to produce a segfault. In my understanding I can do that by overflowing the buffer. So all I need to do is provide an input (Name) bigger than a certain size (covering the return address). So if buf, i and c hold 52 bytes and ebp 4, then the return address should be after 56 bytes. So if I give an input bigger than 56, it should produce a segfault. Is my thinking correct? I tried with those numbers but it still runs and exits correctly. (UNIX-32bit)

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

#define BUFSIZE 44

char grade = '3';
char Name[BUFSIZE];

void readString(char *s) {
   char buf[BUFSIZE];
   int i = 0;
   int c;

   /* Reads until newline/EOF with no bounds check on i (the exercise's overrun). */
   while (1) {
      c = fgetc(stdin);
      if ((c == EOF) || (c == '\n'))
         break;
      buf[i++] = c;
   }
   buf[i] = 0;

   /* Copies exactly BUFSIZE bytes regardless of how much was read. */
   for (i = 0; i < BUFSIZE; i++)
      s[i] = buf[i];

   return;
}

int main(void) {
   /* Pointer-to-unsigned-int cast is only valid on the 32-bit target named above. */
   mprotect((void*)((unsigned int)Name & 0xfffff000), 1,
            PROT_READ | PROT_WRITE | PROT_EXEC);

   printf("What is your name?\n");
   readString(Name);

   exit(0);
}
  • Alternate segfault: int ohno = *((int*)NULL); printf("%d", ohno); Commented May 17, 2017 at 1:36

2 Answers


This bit of code is protecting you from a segfault.

for (i = 0; i < BUFSIZE; i++)
   s[i] = buf[i];

You may run off of the end of the buf array but that is on the stack.

Why not just this?

*(int*)(0x00000000) = 0;

2 Comments

The exercise is called Buffer Overrun Attack, so I must assume that they want me to do it that way. Anyway, if you write on the stack over the return address (EIP), shouldn't that produce one if the return address is somewhere else?
Scratch that, I did it by making i too big.
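As an added example (not part of the question or either answer), here is a bounded replacement for the question's readString: it keeps at most BUFSIZE-1 bytes, always places the terminator inside the buffer, and consumes and discards the rest of an over-long line, so neither buf[i++] nor buf[i] = 0 can write past buf. read_line_bounded, the two byte-source adapters and the demo helpers are my own names; the in-memory input they use is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 44

/* Byte source with fgetc semantics: next byte, or EOF when exhausted. */
typedef int (*next_byte_fn)(void *ctx);

/* Read one line into dst, keeping at most cap-1 bytes and always NUL-terminating;
 * the rest of the line is consumed and dropped. Returns the number dropped. */
size_t read_line_bounded(next_byte_fn next, void *ctx, char *dst, size_t cap) {
    size_t n = 0, dropped = 0; int c;
    if (cap == 0) return 0;                 /* no room even for the terminator */
    while ((c = next(ctx)) != EOF && c != '\n') {
        if (n + 1 < cap) dst[n++] = (char)c;   /* store only while space remains */
        else dropped++;                        /* otherwise consume and discard */
    }
    dst[n] = '\0';                          /* n <= cap-1, so always in bounds */
    return dropped;
}

/* Adapters: stdin for the real program, a constructed in-memory string for the demos. */
static int stdin_next(void *ctx) { (void)ctx; return fgetc(stdin); }
struct mem_src { const char *p; };
static int mem_next(void *ctx) { struct mem_src *m = ctx; return *m->p ? (unsigned char)*m->p++ : EOF; }

/* Drop-in for the question's readString: same BUFSIZE local buffer and copy into s,
 * but the index can no longer run past buf and the terminator stays in bounds. */
void readStringSafe(char *s) {
    char buf[BUFSIZE];
    read_line_bounded(stdin_next, NULL, buf, sizeof buf);
    memcpy(s, buf, BUFSIZE);
}

/* Demo: a constructed 60-byte line into a BUFSIZE buffer; returns bytes dropped. */
size_t demo_long_line_dropped(void) {
    char line[62], buf[BUFSIZE];
    memset(line, 'A', 60); line[60] = '\n'; line[61] = '\0';
    struct mem_src m = { line };
    return read_line_bounded(mem_next, &m, buf, sizeof buf);   /* 60 - 43 = 17 */
}

/* Demo: "Bob\nrest" must yield "Bob", drop nothing, and leave "rest" unread. */
int demo_short_line_ok(void) {
    char buf[BUFSIZE];
    struct mem_src m = { "Bob\nrest" };
    size_t dropped = read_line_bounded(mem_next, &m, buf, sizeof buf);
    return dropped == 0 && strcmp(buf, "Bob") == 0 && strcmp(m.p, "rest") == 0;
}
```

Swapping readStringSafe in for readString removes the overrun while keeping main and the global Name array unchanged.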

In my opinion, the stack was word aligned; if you have buf[BUFSIZE], it will have a hole between it and the local i and c variables. Its disassembly code looks like this:

  4005d4:   55                      push   %rbp
  4005d5:   48 89 e5                mov    %rsp,%rbp
  4005d8:   48 83 ec 50             sub    $0x50,%rsp
  4005dc:   48 89 7d b8             mov    %rdi,-0x48(%rbp)
  4005e0:   c7 45 f8 00 00 00 00    movl   $0x0,-0x8(%rbp)

Its stack creates 90 bytes, so if you want to change rbp you must input a lot. So if you want to change another value like rbp, you must input more than 64. Unfortunately, it may not work, because when your input goes through the i location, it will change the i value, so buff[i++] may not be at the position you want. So the best way to change rbp is just to jump through the stack which was subtracted at the start.

2 Comments

The i value will not be changed, because gcc uses a register to store the i value, unless you add volatile before the i variable.
If you just want a crash, just call abort.
