Stack Resident Buffer Overflow on 64-Bit

Stack resident buffer overflow on 64-bit?

Those two instructions are doing exactly what you expect them to do. You have overwritten the previous stack frame with 0x41's so when you hit the leaveq, you are doing this:

mov rsp, rbp
pop rbp

Now rsp points to where rbp did before. However, you have overwritten that region of memory, so when you do the pop rbp, the hardware is essentially doing this

mov rbp, [rsp]
add rsp, 8

But [rsp] now has 0x41's. So this is why you're seeing rbp get filled with that value.

As for why rip isn't getting set like you expect, it's because ret is setting the rip to 0x41 and then generating an exception (page fault) on the instruction fetch. I wouldn't rely on GDB to show the right thing in this case. You should try overwriting the return value with a valid address within the program's text segment and you likely won't see this weird behavior.
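The leave/ret sequence the answer above describes, replayed on a constructed 64-bit frame so the register values can be inspected without crashing anything. This is an added example, not the answerer's code: the frame layout (32-byte buffer, saved rbp, return address) and the values FRAME_ADDR, CALLER_RBP and GOOD_RET are assumptions chosen for illustration. Besides reproducing the 0x4141... in rbp and rip, it checks whether the popped return address is canonical, because on x86-64 a non-canonical value such as 0x4141414141414141 makes the ret itself fault with #GP, so the rip a debugger reports at that point is still the ret instruction, not the overwritten value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one x86-64 stack frame laid out the way the compiler
 * does it: a 32-byte local buffer, then the saved rbp, then the return
 * address. FRAME_ADDR, CALLER_RBP and GOOD_RET are assumed values that only
 * give the simulated registers something to show. */
#define BUF_LEN    32
#define FRAME_LEN  (BUF_LEN + 8 + 8)
#define FRAME_ADDR 0x7fffffffe000ULL    /* assumed address of buf */
#define CALLER_RBP (FRAME_ADDR + 0x40)  /* assumed saved rbp of the caller */
#define GOOD_RET   0x401136ULL          /* assumed return site inside .text */

typedef struct { uint64_t rsp, rbp, rip; } regs_t;

static uint64_t load64(const uint8_t *mem, size_t off) {
    uint64_t v;
    memcpy(&v, mem + off, 8);
    return v;
}

static void store64(uint8_t *mem, size_t off, uint64_t v) {
    memcpy(mem + off, &v, 8);
}

/* 48-bit virtual addressing: bits 63..48 must be copies of bit 47. */
int is_canonical(uint64_t addr) {
    uint64_t top = addr >> 47;          /* bits 63..47 */
    return top == 0 || top == 0x1ffff;
}

/* Lay out the frame, then overrun buf with n bytes of 'A' as strcpy/gets would. */
void build_frame(uint8_t *mem, size_t n) {
    memset(mem, 0, FRAME_LEN);
    store64(mem, BUF_LEN, CALLER_RBP);
    store64(mem, BUF_LEN + 8, GOOD_RET);
    if (n > FRAME_LEN) n = FRAME_LEN;   /* the model stops at the end of this frame */
    memset(mem, 'A', n);
}

/* Replay leave; ret, reading the frame the way the CPU does. */
regs_t leave_ret(const uint8_t *mem) {
    regs_t r;
    r.rbp = FRAME_ADDR + BUF_LEN;       /* rbp points at the saved-rbp slot */
    r.rsp = r.rbp;                      /* leave: mov rsp, rbp */
    r.rbp = load64(mem, BUF_LEN);       /*        pop rbp      */
    r.rsp += 8;                         /* a 64-bit pop moves rsp by 8, not 1 */
    r.rip = load64(mem, BUF_LEN + 8);   /* ret:   pop rip      */
    r.rsp += 8;
    return r;
}

/* Registers after a function with an n-byte overflow executes leave; ret. */
regs_t regs_after_overflow(size_t n) {
    uint8_t frame[FRAME_LEN];
    build_frame(frame, n);
    return leave_ret(frame);
}

int main(void) {
    size_t lens[] = { BUF_LEN, BUF_LEN + 8, FRAME_LEN };
    for (size_t i = 0; i < 3; i++) {
        regs_t r = regs_after_overflow(lens[i]);
        printf("%2zu bytes: rbp=%016llx rip=%016llx (%s)\n", lens[i],
               (unsigned long long)r.rbp, (unsigned long long)r.rip,
               is_canonical(r.rip) ? "canonical" : "non-canonical, ret faults with #GP");
    }
    return 0;
}
```

Exactly BUF_LEN bytes leave both saved values intact; eight more clobber only rbp, which is the state the answer describes; filling the whole frame also replaces the return address, and the canonical check is what separates the two failure modes.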

Buffer overflow successful, but it shouldn't be?

C strings are NUL-terminated, so you end up with a 1-byte overflow with a value of zero (NUL).

The one-byte NUL overflow modifies the saved value of $ebp to point lower on the stack than it should. This results in restoring an incorrect value into $esp, and control of $eip.

Take specific note of the value of ebp. After the call, the value of $ebp is still the same, but the value it points to (the value which main will restore off the stack) has been adjusted, and points into the middle of our controlled buffer.

When greeting returns into main, nothing happens. However, when main restores the stack frame with a leave instruction, the stack pointer $esp is set into the middle of our controlled buffer. When the ret instruction is executed, we have control over $eip.

Note that I've used a cyclic pattern generated by pwntools rather than the standard AAAAA since we can use it to calculate offsets. For example 'aaaa' => 0, 'aaab' => 1, 'aaba' => 2.

Before Strcpy

EBP: 0xffffc6e8 --> 0xffffc6f8 --> 0x0 
ESP: 0xffffc54c --> 0xffffc558 --> 0xffffc5c8 --> 0xf63d4e2e
EIP: 0x8048466 (<greeting+25>: call 0x8048320 <strcpy@plt>)

After Strcpy

EBP: 0xffffc6e8 --> 0xffffc600 ("raabsaabtaabuaabvaabwaabxaabyaab"...)
ESP: 0xffffc54c --> 0xffffc558 ("aaaabaaacaaadaaaeaaafaaagaaahaaa"...)
EIP: 0x804846b (<greeting+30>: lea eax,[ebp-0x190])

Before leave in main

EBP: 0xffffc600 ("raabsaabtaabuaabvaabwaabxaabyaab"...)
ESP: 0xffffc6f0 --> 0xffffc9bb ("Mister")
EIP: 0x80484b1 (<main+39>: leave)

After leave in main

EBP: 0x62616172 (b'raab')
ESP: 0xffffc604 ("saabtaabuaabvaabwaabxaabyaabzaac"...)
EIP: 0x80484b2 (<main+40>: ret)

At ret in main

EBP: 0x62616172 (b'raab')
ESP: 0xffffc608 ("taabuaabvaabwaabxaabyaabzaacbaac"...)
EIP: 0x62616173 (b'saab')
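The off-by-one NUL overflow traced in the answer above, replayed as an added example (not the answerer's code) on a constructed model of the two 32-bit frames, using the buffer, ebp and esp addresses from the GDB dump. It includes a pwntools-style cyclic pattern (a de Bruijn sequence over a-z with 4-byte subsequences) so the same 'raab'/'saab' values fall out and the eip offset can be computed back, as the answer describes. The return addresses RET_MAIN and RET_LIBC are invented placeholders, and the exact eax/esp state before the copy is approximated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- pwntools-style cyclic pattern: de Bruijn sequence over a-z, n = 4 ---- */
#define ALPHA_K  26
#define SUBSEQ_N 4

struct dbgen { char *out; size_t len, max; int a[SUBSEQ_N + 1]; };

/* Ruskey's recursive de Bruijn construction, cut off once 'max' bytes exist. */
static void db_rec(struct dbgen *g, int t, int p) {
    if (g->len >= g->max) return;
    if (t > SUBSEQ_N) {
        if (SUBSEQ_N % p == 0)
            for (int i = 1; i <= p && g->len < g->max; i++)
                g->out[g->len++] = (char)('a' + g->a[i]);
        return;
    }
    g->a[t] = g->a[t - p];
    db_rec(g, t + 1, p);
    for (int j = g->a[t - p] + 1; j < ALPHA_K && g->len < g->max; j++) {
        g->a[t] = j;
        db_rec(g, t + 1, t);
    }
}

/* Fill out[0..len) with the pattern ("aaaabaaacaaad..."); no terminator is written. */
void cyclic(char *out, size_t len) {
    struct dbgen g = { out, 0, len, { 0 } };
    db_rec(&g, 1, 1);
}

/* Offset at which a 32-bit register value (read little-endian) sits in the pattern, or -1. */
long cyclic_find(uint32_t value) {
    static char pat[1024];
    char needle[4];
    cyclic(pat, sizeof pat);
    for (int i = 0; i < 4; i++) needle[i] = (char)((value >> (8 * i)) & 0xff);
    for (size_t i = 0; i + 4 <= sizeof pat; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* ---- constructed model of the two 32-bit frames from the dump ---- */
#define STACK_BASE 0xffffc550u   /* lowest address modelled */
#define STACK_SIZE 0x1b0u
#define BUF_ADDR   0xffffc558u   /* greeting's buffer, ebp-0x190 */
#define BUF_SIZE   400u
#define G_EBP      0xffffc6e8u   /* greeting's ebp: its saved-ebp slot */
#define M_EBP      0xffffc6f8u   /* main's ebp, the value stored in that slot */
#define RET_MAIN   0x08048490u   /* assumed: where greeting returns in main */
#define RET_LIBC   0xf7e19647u   /* assumed: where main returns in libc */

typedef struct { uint32_t esp, ebp, eip; } regs32_t;
static uint8_t stack[STACK_SIZE];

/* Explicit little-endian accesses so the NUL lands on the low byte on any host. */
static uint32_t load32(uint32_t addr) {
    const uint8_t *p = stack + (addr - STACK_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store32(uint32_t addr, uint32_t v) {
    uint8_t *p = stack + (addr - STACK_BASE);
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* leave: mov esp, ebp ; pop ebp    ret: pop eip */
static void leave_ret(regs32_t *r) {
    r->esp = r->ebp;
    r->ebp = load32(r->esp); r->esp += 4;
    r->eip = load32(r->esp); r->esp += 4;
}

/* strcpy() of a 400-char argument into the 400-byte buffer (401 bytes written),
 * then greeting's leave/ret followed by main's leave/ret. Returns the
 * registers main has when it reaches its ret. */
regs32_t run_scenario(void) {
    memset(stack, 0, sizeof stack);
    store32(M_EBP, 0);                /* main's saved ebp, 0x0 in the dump */
    store32(M_EBP + 4, RET_LIBC);
    store32(G_EBP, M_EBP);            /* greeting's saved ebp */
    store32(G_EBP + 4, RET_MAIN);     /* greeting's return address, never touched */

    char arg[BUF_SIZE + 1];
    cyclic(arg, BUF_SIZE);
    arg[BUF_SIZE] = '\0';
    memcpy(stack + (BUF_ADDR - STACK_BASE), arg, BUF_SIZE + 1); /* NUL hits G_EBP's low byte */

    regs32_t r = { .esp = BUF_ADDR - 12, .ebp = G_EBP, .eip = 0 };
    leave_ret(&r);   /* greeting: saved ebp reads back as 0xffffc600, ret is intact */
    leave_ret(&r);   /* main: esp now lands inside the buffer, ret pops pattern bytes */
    return r;
}

int main(void) {
    regs32_t r = run_scenario();
    printf("at ret in main: ebp=%08x esp=%08x eip=%08x\n",
           (unsigned)r.ebp, (unsigned)r.esp, (unsigned)r.eip);
    printf("eip came from pattern offset %ld\n", cyclic_find(r.eip));
    return 0;
}
```

The offset cyclic_find() returns for eip (172) is where the chosen target address goes in the 400-byte argument; the pattern's only role is to make that offset readable from the crashed register value instead of counting bytes by hand.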

