
I'm experimenting with buffer overflow basics: I'm trying to call the shell function without modifying the code. So far I've managed to call it, but I can't find a way to give it the right parameter (which is exec_string).

Here is the code :

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
* compiled with:
* gcc -O0 -fno-stack-protector lab2B.c -o lab2B -m32
*/

char* exec_string = "/bin/sh";

void shell(char* cmd)
{
    system(cmd);
}

void print_name(char* input)
{
    char buf[15];
    strcpy(buf, input);
    printf("Hello %s\n", buf);
}

int main(int argc, char** argv)
{
    if(argc != 2)
    {
        printf("usage:\n%s string\n", argv[0]);
        return EXIT_FAILURE;
    }

    print_name(argv[1]);

    return EXIT_SUCCESS;
}

I run it with `./lab2B $(python -c 'print "A"*27 + "\x8D\x55\x55\x56"')`, which seems to enable me to get into shell, according to gdb.

Thanks in advance for your help

user162119
    "without modifying the code" - what does that mean? "I've managed to call it" call what? How was it successful? "give it the right parameter" but you showed how to do that in your last line, right? – schroeder Oct 24 '17 at 15:39
  • What does the `\x8D\x55\x55\x56` string reference? Is this an address that points to a `JMP ESP` command? – DKNUCKLES Oct 24 '17 at 15:52
  • This string references the address of the shell function. The last line enables jumping to shell, but not passing it the right argument (which is exec_string). I've tried a lot of inputs, but it seems like I'm missing something about how parameters are passed to a function through the stack. Edit: to be more precise, we jump to shell by overflowing the call to strcpy, which overwrites the saved value of the return address in the print_name function. The issue now is knowing where to put the address of exec_string in order to get the exploit fully working – user162119 Oct 24 '17 at 17:29
    @user162119 You need to find where `exec_string` is in the stack, and call that after the return address. You will likely want some nops in-between, though. – Mark Buffalo Oct 24 '17 at 19:09

1 Answer


When you overwrite the return address with the address of your shell function, try to think of this as a call instruction for shell.

As shown below, when a function is called a stack frame is formed and the parameters for it are pushed onto the stack, followed by the return address (EIP) of your previous function along with your stack pointers (ebp, esp), with your stack pointer being on top of the frame.

[image: stack frame diagram]

Essentially, after you overwrite the return pointer with "\x8D\x55\x55\x56" you are going to need to add on another address, being the return pointer for the new function, as well as the address of your exec_string pointer, that being a parameter for your new function.

To understand how to exploit this I would recommend learning more about Return Oriented Programming; this is a good source for understanding that as well as how the stack looks when a function is called.

danx
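The root cause in the question's program is the unchecked strcpy in print_name: input longer than the 15-byte buf runs over the saved frame pointer and return address, which is exactly what the 27-byte padding exploits. As an added example (not code from the question or the answer), here is the same program with that copy replaced by an explicit length check; the function names copy_name and print_name_safe and the NAME_BUF_SIZE constant are my own.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same 15-byte buffer as in the original print_name: at most 14
 * characters plus the terminating NUL can be stored. */
#define NAME_BUF_SIZE 15

/* Copies src into dst only if it fits, NUL included.
 * Returns 0 on success and -1 if the input would overflow dst; on
 * failure dst is left as an empty string and nothing past it is
 * written, so the saved ebp and return address stay intact. */
int copy_name(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    /* strnlen never scans further than dst_size bytes of src */
    size_t len = strnlen(src, dst_size);
    if (len >= dst_size) {            /* no room left for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);        /* copy including the NUL */
    return 0;
}

/* Hardened counterpart of print_name: rejects over-long input
 * instead of writing past buf. Returns 0 if the name was printed. */
int print_name_safe(const char *input)
{
    char buf[NAME_BUF_SIZE];
    if (copy_name(buf, sizeof buf, input) != 0) {
        fprintf(stderr, "name too long (max %d bytes)\n", NAME_BUF_SIZE - 1);
        return -1;
    }
    printf("Hello %s\n", buf);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        printf("usage:\n%s string\n", argv[0]);
        return EXIT_FAILURE;
    }
    return print_name_safe(argv[1]) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Compiling the original with -fstack-protector (which the question's build line disables) would also turn the overwrite into an abort, but the length check removes the write itself rather than just detecting it afterwards.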