1

I'm a student trying to solve an exercise for my cybersecurity course. It's the first time I get in contact with buffer overflows, gdb and so on, so not a lot of experience here. I was given a simple elf file which checks username and password. The username is already given.

This is what the disassembled main function looks like:

       0x0000000000401276 <+0>:     endbr64
       0x000000000040127a <+4>:     push   %rbp
       0x000000000040127b <+5>:     mov    %rsp,%rbp
       0x000000000040127e <+8>:     push   %rbx
       0x000000000040127f <+9>:     sub    $0x98,%rsp
       0x0000000000401286 <+16>:    movl   $0x0,-0x14(%rbp)
       0x000000000040128d <+23>:    lea    0xd74(%rip),%rax        # 0x402008
       0x0000000000401294 <+30>:    mov    %rax,%rsi
       0x0000000000401297 <+33>:    lea    0x2e22(%rip),%rax        # 0x4040c0 <_ZSt4cout@GLIBCXX_3.4>
       0x000000000040129e <+40>:    mov    %rax,%rdi
       0x00000000004012a1 <+43>:    call   0x401120 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
       0x00000000004012a6 <+48>:    lea    -0x60(%rbp),%rax
       0x00000000004012aa <+52>:    mov    %rax,%rsi
       0x00000000004012ad <+55>:    lea    0x2f2c(%rip),%rax        # 0x4041e0 <_ZSt3cin@GLIBCXX_3.4>
       0x00000000004012b4 <+62>:    mov    %rax,%rdi
       0x00000000004012b7 <+65>:    call   0x40151f <_ZStrsIcSt11char_traitsIcEERSt13basic_istreamIT_T0_ES6_PS3_>
       0x00000000004012bc <+70>:    lea    0xd54(%rip),%rax        # 0x402017
       0x00000000004012c3 <+77>:    mov    %rax,%rsi
       0x00000000004012c6 <+80>:    lea    0x2df3(%rip),%rax        # 0x4040c0 <_ZSt4cout@GLIBCXX_3.4>
       0x00000000004012cd <+87>:    mov    %rax,%rdi
       0x00000000004012d0 <+90>:    call   0x401120 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
       0x00000000004012d5 <+95>:    lea    -0x70(%rbp),%rax
       0x00000000004012d9 <+99>:    mov    %rax,%rsi
       0x00000000004012dc <+102>:   lea    0x2efd(%rip),%rax        # 0x4041e0 <_ZSt3cin@GLIBCXX_3.4>
       0x00000000004012e3 <+109>:   mov    %rax,%rdi
       0x00000000004012e6 <+112>:   call   0x40151f <_ZStrsIcSt11char_traitsIcEERSt13basic_istreamIT_T0_ES6_PS3_>
       0x00000000004012eb <+117>:   lea    -0x60(%rbp),%rax
       0x00000000004012ef <+121>:   lea    0xd2c(%rip),%rdx        # 0x402022
       0x00000000004012f6 <+128>:   mov    %rdx,%rsi
       0x00000000004012f9 <+131>:   mov    %rax,%rdi
       0x00000000004012fc <+134>:   call   0x401140 <strcmp@plt>
       0x0000000000401301 <+139>:   test   %eax,%eax
       0x0000000000401303 <+141>:   jne    0x401326 <main+176>
       0x0000000000401305 <+143>:   lea    -0x70(%rbp),%rax
       0x0000000000401309 <+147>:   lea    0xd18(%rip),%rdx        # 0x402028
       0x0000000000401310 <+154>:   mov    %rdx,%rsi
       0x0000000000401313 <+157>:   mov    %rax,%rdi
       0x0000000000401316 <+160>:   call   0x401140 <strcmp@plt>
       0x000000000040131b <+165>:   test   %eax,%eax
       0x000000000040131d <+167>:   jne    0x401326 <main+176>
       0x000000000040131f <+169>:   movl   $0x1,-0x14(%rbp)
       0x0000000000401326 <+176>:   cmpl   $0x0,-0x14(%rbp)
       0x000000000040132a <+180>:   jle    0x40146c <main+502>
       0x0000000000401330 <+186>:   movb   $0x48,-0xa0(%rbp)
       0x0000000000401337 <+193>:   movb   $0x27,-0x9f(%rbp)
       0x000000000040133e <+200>:   movb   $0xd4,-0x9e(%rbp)
       0x0000000000401345 <+207>:   movb   $0x25,-0x9d(%rbp)
       0x000000000040134c <+214>:   movb   $0xbc,-0x9c(%rbp)
       0x0000000000401353 <+221>:   movb   $0x1f,-0x9b(%rbp)

My idea was to:

  1. disassemble main
  2. set break point to the function where the user is prompted for the password
  3. fill the Stack with As so I can see where the buffer ends etc

I got quickly stuck at step 3 because after running run $(python -c "print('A'*256)"), I can't see the 041s in the Stack. I'm checking the Stack with x/200xb $rsp.

0x7fffffffde40: 0xff    0x11    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffffffde48: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffffffde50: 0x20    0xe0    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffde58: 0x00    0xda    0x49    0x21    0x0f    0x19    0x52    0xcc
0x7fffffffde60: 0x90    0xde    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffde68: 0xc0    0xea    0xcf    0xf7    0xff    0x7f    0x00    0x00
0x7fffffffde70: 0xff    0x11    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffffffde78: 0x98    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x7fffffffde80: 0x49    0x54    0x53    0x00    0xff    0x7f    0x00    0x00
0x7fffffffde88: 0x98    0x53    0xfa    0xf7    0xff    0x7f    0x00    0x00
0x7fffffffde90: 0xd0    0xde    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffde98: 0xe2    0x87    0xba    0xf7    0xff    0x7f    0x00    0x00
0x7fffffffdea0: 0xc8    0x2e    0xfb    0xf7    0xff    0x7f    0x00    0x00
0x7fffffffdea8: 0x40    0x53    0xfa    0xf7    0xff    0x7f    0x00    0x00
0x7fffffffdeb0: 0x67    0x6c    0x69    0x62    0x63    0x78    0x78    0x2e
0x7fffffffdeb8: 0x00    0x20    0x01    0x00    0x00    0x00    0x00    0x00
0x7fffffffdec0: 0x67    0x6c    0x69    0x62    0x63    0x78    0x78    0x2e
0x7fffffffdec8: 0x2e    0x65    0x68    0x5f    0x00    0x00    0x00    0x00
0x7fffffffded0: 0xa0    0xdf    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffded8: 0x08    0xe0    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffdee0: 0x80    0xdf    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffdee8: 0xca    0x51    0xb2    0xf7    0xff    0x7f    0x00    0x00
0x7fffffffdef0: 0x08    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffffffdef8: 0x08    0xe0    0xff    0xff    0xff    0x7f    0x00    0x00
0x7fffffffdf00: 0x00    0x00    0x00    0x00    0x02    0x00    0x00    0x00

I've tried setting the breakpoint at each one of the called functions and filling the stack, but without success.

My (not very educated) guesses are:

  1. Maybe I in fact did not understand how the program works and the buffer actually starts somewhere completely different
  2. run $(python -c ..etc does not work because it's not a c program

I'd appreciate any input on how to approach this differently :-)

Improve this question
4
  • 1
    It's better to put text output in the question directly in a code block, and not into a linked image. Aside from that, the breakpoint location where you inspect the stack is before the function is called, not after. Is that intentional? Commented Jun 1, 2024 at 18:05
  • @ssbssa thanks for your input! I edited the post and embedded the code. In the live demo my professor always used the address of the function being called, which is why I tried setting a breakpoint to the addresses of the functions. I just tried setting them to the address directly after the function after reading your comment, but it didn't help. Did I understand it the way you meant it? Commented Jun 2, 2024 at 7:25
  • You run the program with argument $(python -c "print('A'*256)"), this puts the 'AAAA...' into argv[1]. But the program doesn't use this, instead it asks for username and password in the console. That's where you have to input the many 'A's. Commented Jun 2, 2024 at 10:38
  • @ssbssa thanks again for the input, that was exactly my mistake. I just filled the username input with As instead and now I can move forward. Thanks! Commented Jun 2, 2024 at 16:15
Related questions
6
Tracing call stack in disassembled code
477
How do I print the full value of a long string in gdb?
250
How do I print the elements of a C++ vector in GDB?
Load 6 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.