tags:

views:

451

answers:

5
+16  Q: 

C - how can I invoke buffer overflow [hw problem, not hacking]?

Hi!

I got a hw assignment asking me to invoke a function without explicitly calling it, using buffer overflow. The code is basically this:

#include <stdio.h>
#include <stdlib.h>

void g()
{
    printf("now inside g()!\n");
}


void f()
{   
    printf("now inside f()!\n");
    // can only modify this section
    // cant call g(), maybe use g (pointer to function)
}

int main (int argc, char *argv[])
{
    f();
    return 0;
}

Though I'm not sure how to proceed. I thought about changing the return address for the program counter so that it'll proceed directly to the address of g(), but I'm not sure how to access it. Anyway, tips will be great. thanks.

+2  A: 

Try this one:

void f()
{   
    void *x[1];
    printf("now inside f()!\n");
    // can only modify this section
    // cant call g(), maybe use g (pointer to function)
    x[-1]=&g;
}

or this one:

void f()
{   
    void *x[1];
    printf("now inside f()!\n");
    // can only modify this section
    // cant call g(), maybe use g (pointer to function)
    x[1]=&g;
}
ammoQ  2010-02-25 12:30:12
An explanation would be great, because it is homework.
Georg  2010-02-25 12:37:16
x is a local variable, so it located on the stack. Since x is an array of size 1, only x[0] is valid. By writing the address of g in x[-1] or x[1], there is a chance that we will overwrite the return address. It depends of the organisation of the stack which version works.
ammoQ  2010-02-25 16:09:24
+7  A: 

That is compiler dependent, so no single answer can be given.

The following code will do what you want for gcc 4.4.1. Compile with optimizations disabled (important!)

#include <stdio.h>
#include <stdlib.h>

void g()
{
    printf("now inside g()!\n");
}


void f()
{   
  int i;
  void * buffer[1];
  printf("now inside f()!\n");

  // can only modify this section
  // cant call g(), maybe use g (pointer to function)

  // place the address of g all over the stack:
  for (i=0; i<10; i++)
     buffer[i] = (void*) g;

  // and goodbye..
}

int main (int argc, char *argv[])
{
    f();
    return 0;
}

Output:

nils@doofnase:~$ gcc overflow.c
nils@doofnase:~$ ./a.out
now inside f()!
now inside g()!
now inside g()!
now inside g()!
now inside g()!
now inside g()!
now inside g()!
Segmentation fault
Nils Pipenbrinck  2010-02-25 12:39:06
I'm using gcc 4.4.1, and not sure how to turn optimization off: tried gcc -O0 -o buff buff.c (that's oh-zero) and alsogcc -O1 -fno-defer-pop -fno-thread-jumps -fno-branch-probabilities -fno-cprop-registers -fno-guess-branch-probability -fno-omit-frame-pointer -o buff buff.cneither worked.
sa125  2010-02-25 13:00:17
Make the application exit inside the 'g()' function to avoid Segmentation fault =)
Kieveli  2010-02-25 13:00:22
sa125, maybe gcc tries to optimize to a different cpu architecture. As far as I know it defaults to the cpu of the system you're running. That can change how the stackframe of f() looks like and may prevent the overflow from happening.
Nils Pipenbrinck  2010-02-25 13:06:48
Dan  2010-02-26 14:48:21
Dan, f() gets called from main, During the call the compiler will put the return address onto the stack, so f() knows where it has to jump to when it's done. However, inside f() I overwrite a large portion of the stack with the address of g(). Chances are that I override the return address as well. So when f() exits, it will not return to main but jump to g() instead.It's really dirty, but that's what the question was about.
Nils Pipenbrinck  2010-02-26 15:05:38
Dan  2010-02-26 16:54:00
+11  A: 

The basic idea is to alter the function's return address so that when the function returns is continues to execute at a new hacked address. As done by Nils in one of the answers, you can declare a piece of memory (usually array) and overflow it in such a way that the return address is overwritten as well.

I would suggest you to not blindly take any of the programs given here without actually understanding how they work. This article is very well written and you'll find it very useful:

A step-by-step on the buffer overflow vulnerablity

codaddict  2010-02-25 12:53:11
+4  A: 

Since this is homework, I would like to echo codeaddict's suggestion of understanding how a buffer overflow actually works.

I learned the technique by reading the excellent (if a bit dated) article/tutorial on exploiting buffer overflow vulnerabilities Smashing The Stack For Fun And Profit.

jschmier  2010-02-25 15:07:31
+1 for linking to that article.
Andreas Grech  2010-02-25 15:13:54
+2  A: 
jschmier  2010-06-18 20:42:35

related questions

any good tool for makefile generation?
How do you pass a function as a parameter in C?
Where should a veteran C programmer start in order to master Java ?
Any good book on best practice and guidelines in developing a SDK in C?
How do you determine the size of a file in C?
Decoding printf statements in C (Printf Primer)
Shift operator in C
How to avoid redefining VERSION, PACKAGE, etc.
Alpha blending sprites in Nintendo DS Homebrew
When should I use type abstraction in embedded systems
How to implement continuations?
What are the barriers to understanding pointers and what can be done to overcome them?
Anyone have experience creating a shared library in MATLAB?
String.indexOf function in C
Passing multidimensional arrays as function arguments in C
C/C++ library for reading MIDI signals from a USB MIDI device
Choosing a static code analysis tool
How do you printf an unsigned long long int?
Good STL-like library for C.
Rockbox audio format
Why am I getting a malloc: double free error with realloc()?
Should I learn C?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS