Stack resident buffer overflow on 64-bit?
Those two instructions are doing exactly what you expect them to do. You have overwritten the previous stack frame with 0x41's, so when you hit the leaveq, you are doing this:
mov rsp, rbp
pop rbp
Now rsp points to where rbp did before. However, you have overwritten that region of memory, so when you do the pop rbp, the hardware is essentially doing this:
mov rbp, [rsp]
add rsp, 8
But [rsp] now has 0x41's. So this is why you're seeing rbp get filled with that value.
As for why rip isn't getting set like you expect, it's because ret is setting the rip to 0x41 and then generating an exception (page fault) on the instruction fetch. I wouldn't rely on GDB to show the right thing in this case. You should try overwriting the return value with a valid address within the program's text segment and you likely won't see this weird behavior.
Buffer overflow successful, but it shouldn't be?
C strings are NUL-terminated, so you end up with a 1-byte overflow with a value of zero (NUL).
The one-byte NUL overflow modifies the saved value of $ebp to point lower on the stack than it should. This results in restoring an incorrect value into $esp, and control of $eip.
Take specific note of the value of ebp. After the call, the value of $ebp is still the same, but the value it points to (the value which main will restore off the stack) has been adjusted, and points into the middle of our controlled buffer.
When greeting returns into main, nothing happens. However, when main restores the stack frame with a leave instruction, the stack pointer $esp is set into the middle of our controlled buffer. When the ret instruction is executed, we have control over $eip.
Note that I've used a cyclic pattern generated by pwntools rather than the standard AAAAA since we can use it to calculate offsets. For example 'aaaa' => 0, 'aaab' => 1, 'aaba' => 2.
Before Strcpy
EBP: 0xffffc6e8 --> 0xffffc6f8 --> 0x0
ESP: 0xffffc54c --> 0xffffc558 --> 0xffffc5c8 --> 0xf63d4e2e
EIP: 0x8048466 (<greeting+25>: call 0x8048320 <strcpy@plt>)
After Strcpy
EBP: 0xffffc6e8 --> 0xffffc600 ("raabsaabtaabuaabvaabwaabxaabyaab"...)
ESP: 0xffffc54c --> 0xffffc558 ("aaaabaaacaaadaaaeaaafaaagaaahaaa"...)
EIP: 0x804846b (<greeting+30>: lea eax,[ebp-0x190])
Before leave in main
EBP: 0xffffc600 ("raabsaabtaabuaabvaabwaabxaabyaab"...)
ESP: 0xffffc6f0 --> 0xffffc9bb ("Mister")
EIP: 0x80484b1 (<main+39>: leave)
After leave in main
EBP: 0x62616172 (b'raab')
ESP: 0xffffc604 ("saabtaabuaabvaabwaabxaabyaabzaac"...)
EIP: 0x80484b2 (<main+40>: ret)
At ret in main
EBP: 0x62616172 (b'raab')
ESP: 0xffffc608 ("taabuaabvaabwaabxaabyaabzaacbaac"...)
EIP: 0x62616173 (b'saab')
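The offset calculation the cyclic pattern makes possible, as an added example (this is not code from the answer or from pwntools): a reimplementation of the de Bruijn generator that pwntools' cyclic() uses by default (assumed here: alphabet a-z, chunk size 4, which is consistent with the dumps above), plus a lookup that accepts either the four characters or a 32-bit register value exactly as GDB prints it, so the EBP/EIP values from the dumps map straight back to buffer offsets.

```python
import struct
from string import ascii_lowercase


def de_bruijn(alphabet=ascii_lowercase, n=4):
    """Lexicographically smallest de Bruijn sequence B(k, n) over `alphabet`,
    built with the FKM necklace algorithm. For a-z and n=4 this yields the
    'aaaabaaacaaad...' pattern shown in the dumps above (assumption: same
    alphabet and chunk size as pwntools' default cyclic())."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:          # emit only necklaces whose period divides n
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


PATTERN = de_bruijn()   # 26**4 characters; every 4-char window is unique


def cyclic_find(value, n=4):
    """Offset of a 4-character window within PATTERN.

    `value` may be the characters themselves (str or bytes) or an int such as
    the 0x62616173 GDB printed for EIP: an int is unpacked little-endian,
    which is why that register value reads back as 'saab'."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    if isinstance(value, bytes):
        value = value.decode("ascii")
    if len(value) != n:
        raise ValueError("need exactly %d characters, got %r" % (n, value))
    idx = PATTERN.find(value)
    if idx < 0:
        raise ValueError("%r does not occur in the pattern" % value)
    return idx


if __name__ == "__main__":
    # Addresses taken from the dumps above: buffer starts at 0xffffc558,
    # the clobbered saved ebp became 0xffffc600, i.e. 168 bytes in.
    print(cyclic_find("aaab"), cyclic_find("aaba"))          # 1 2
    print(cyclic_find(0x62616172), 0xffffc600 - 0xffffc558)   # 168 168
    print(cyclic_find(0x62616173))                            # 172 ('saab' -> EIP)
```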