I'm trying to learn about stack-based overflows and wrote a simple program to exploit the stack. But somehow it doesn't work at all, showing only "Abort trap" on my machine (Mac OS Leopard).

I guess Mac OS treats overflow differently; it won't allow me to overwrite memory through C code. For example,

strcpy(buffer, input); // let's say char buffer[6] but input is 7 bytes

On a Linux machine this code successfully overwrites the next part of the stack, but it is prevented on Mac OS (Abort trap).

Does anyone know how to perform a simple stack-based overflow on a Mac machine?

+2  A: 

Stack overflow?

The term stack overflow refers to the situation when the stack size attempts to grow beyond the maximum limit allowed by the current platform and/or configuration. What you are trying to do has no relation to stack overflow at all. If you want to see stack overflow, write an infinitely recursive function, execute it and just wait till it overflows:

void foo() {
  foo();
}

(Hoping that the compiler will not optimize the tail recursion into a cycle. If it does, make it a bit more complicated, non-tail recursive.)

What you seem to be trying to do is to reproduce the infamous buffer overflow exploit. While the buffer in question is supposed to be allocated in the stack, the exploit has never been referred to as "stack overflow". In order to actually demonstrate the exploit, it is not sufficient to just overrun the bounds of some buffer. The whole point is to plant a pre-determined value in the area of the stack originally occupied by the stored return address, so that when the function finishes, it "returns" to some other (presumably malicious) code instead of the original calling code.

So, what is it you are trying to do? Stack overflow? Or buffer overflow?

AndreyT
Yes, this is a [buffer overflow](http://en.wikipedia.org/wiki/Buffer_overflow), but not a stack overflow (unless the system only has 6 bytes of stack ;).
Matthew Flaschen
To be more helpful, let's tell him that what he's referring to is a "buffer overflow"
bobDevil
Ugh, sorry. Yes, I meant buffer overflow.
REALFREE
Don't sweat it REALFREE, your question is fine. These guys are just talking to themselves :)
joveha
+2  A: 

Hi, try this:

#include <stdio.h>
int main(int argc, char **argv) {
    char buffer[4];          /* 4-byte stack buffer */
    puts("Hello");
    gets(buffer);            /* unbounded read: anything longer than 3 bytes overruns buffer */
    return 0;
}

and call it as:

printf "0123456789abcdefghij\260\037" | ./a.out

\260\037 is the address of main (0x1fb0 here) in octal and in little-endian order.

You should see Hello printed two times before a bus error. The trick is to use a debugger (even gdb will do) to find both where you want to end up and where the return address is. It won't be the same as on Linux!

Mac OS X for i386 (most OSes for i386 in fact, including Linux and Windows) and especially <=Leopard are not the most secure OSes.

EDIT: just realized I was using clang as the compiler. So you will need to adapt it to gcc, but I can tell you it works with little change :p.

jbcreix
+1  A: 

Your compiler on Mac OS has compiled in a stack canary, which gives you the abort trap. Search your compiler manual for how to disable it.

With GCC this option is -fno-stack-protector.

On a separate note, overflowing by 1 byte will surely not be enough to trigger anything but a compiler stack check. Use something like 12 bytes :)

joveha
GNU stack canary protection only starts at sizeof(buffer) >= 8, but that's for versions that enable it by default (like Kubuntu Karmic 64). Neither gcc nor clang do it for me in Leopard. Abort trap does suggest his version does, though. Maybe he is actually using Snow Leopard.
jbcreix
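As an added example (not code from any of the answers above), here is the bounded copy that fixes the unchecked strcpy()/gets() in the question, next to a small user-level model of what the stack canary joveha mentions does: a guard word placed right after the buffer is checked before the function "returns", and an overflow that reaches it is caught. The canary value, the 4-byte buffer and the 8-byte frame layout are constructed for illustration; real -fstack-protector canaries are random and live in the actual stack frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the unchecked strcpy()/gets() in the question:
 * refuses input that would not fit (terminating NUL included).
 * Returns 0 on success, -1 if src is too long for dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed user-level model of a stack canary (not how the compiler's
 * -fstack-protector is implemented): a 4-byte buffer followed by a guard word. */
enum { BUF_SIZE = 4, FRAME_SIZE = 8 };
#define CANARY 0xA5C3E1F7u   /* constructed constant with no zero byte; real canaries are random */

/* Copies src into the 4-byte "buffer" with no regard to BUF_SIZE (the bug under
 * discussion), then checks the guard the way the function epilogue check would.
 * Returns 1 if the guard is intact, 0 if the overflow reached it (the case that
 * becomes "Abort trap"), -1 if src would overrun even the modelled frame. */
int canary_survives(const char *src) {
    unsigned char frame[FRAME_SIZE];
    uint32_t guard = CANARY, after;
    size_t n = strlen(src) + 1;           /* bytes strcpy()/gets() would write */

    if (n > FRAME_SIZE)
        return -1;                        /* keep the model itself in bounds */
    memcpy(frame + BUF_SIZE, &guard, sizeof guard);   /* guard sits right after the buffer */
    memcpy(frame, src, n);                /* bounded by FRAME_SIZE only, not BUF_SIZE */
    memcpy(&after, frame + BUF_SIZE, sizeof after);
    return after == CANARY;
}

int main(void) {
    char out[6];
    printf("copy_bounded(6, \"hello\")  -> %d\n", copy_bounded(out, sizeof out, "hello"));
    printf("copy_bounded(6, \"hello!\") -> %d\n", copy_bounded(out, sizeof out, "hello!"));
    printf("canary_survives(\"abc\")    -> %d\n", canary_survives("abc"));  /* fits, guard intact */
    printf("canary_survives(\"abcd\")   -> %d\n", canary_survives("abcd")); /* NUL lands on the guard */
    return 0;
}
```

Note that a one-character overrun is already enough to corrupt the guard here because its bytes are all nonzero; this is the check that turns jbcreix's 22-byte input into an abort before main() is ever re-entered.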