P
Programmatore
Hi all, it's the first time I posto something here, i usually try to
solve my problems by myself, but this time i really don't know what's
wrong. I programmed in PHP, now i was trying to approach C and
exercise with the program flow. I made this program for
demonstrational purposes, it should auto-bof himself, when returning
from function "ciao", to execute the "a" function.
Hope you can help me, this is the source
---xploitable.c---
#include <stdio.h>
int btol(int i)
{
return((i&0xff)<<24)+((i&0xff00)<<8)+((i&0xff0000)>>8)+((i>>24)
&0xff);
}
int ciao (int b) {
printf("smashing...\n");
char sou[4] = "AAAA";
memcpy((int *) (&sou+1), &b,4); // SOU/EBP/EIP
}
int a() {
printf("secret");
}
int main ( int argc, char *argv[] ) {
char sara[4];
int b = &a;
printf("function 'a' is @ 0x%x\n", b);
ciao(b);
}
---xploitable.c---
and this the output debugged with gdb...
--gdb--
g0d@g0d-desktop:~/Projects/6.Note$ gcc-3.4 -o x xploitable.c -g
xploitable.c: In function `main':
xploitable.c:21: warning: initialization makes integer from pointer
without a cast
g0d@g0d-desktop:~/Projects/6.Note$ gdb ./x -q
(gdb) break 12
Breakpoint 1 at 0x80483cc: file xploitable.c, line 12.
(gdb) break 13
Breakpoint 2 at 0x80483e9: file xploitable.c, line 13.
(gdb) run
Starting program: /home/g0d/Projects/6.Note/x
function 'a' is @ 0x80483eb
smashing...
Breakpoint 1, ciao (b=134513643) at xploitable.c:12
12 memcpy((int *) (&sou+1), &b,40);
(gdb) disass main
Dump of assembler code for function main:
0x080483ff <main+0>: push ebp
0x08048400 <main+1>: mov ebp,esp
0x08048402 <main+3>: sub esp,0x18
0x08048405 <main+6>: and esp,0xfffffff0
0x08048408 <main+9>: mov eax,0x0
0x0804840d <main+14>: add eax,0xf
0x08048410 <main+17>: add eax,0xf
0x08048413 <main+20>: shr eax,0x4
0x08048416 <main+23>: shl eax,0x4
0x08048419 <main+26>: sub esp,eax
0x0804841b <main+28>: mov DWORD PTR [ebp-0x8],0x80483eb
0x08048422 <main+35>: mov eax,DWORD PTR [ebp-0x8]
0x08048425 <main+38>: mov DWORD PTR [esp+0x4],eax
0x08048429 <main+42>: mov DWORD PTR [esp],0x8048525
0x08048430 <main+49>: call 0x80482ec <printf@plt>
0x08048435 <main+54>: mov eax,DWORD PTR [ebp-0x8]
0x08048438 <main+57>: mov DWORD PTR [esp],eax
0x0804843b <main+60>: call 0x80483b2 <ciao>
0x08048440 <main+65>: leave
0x08048441 <main+66>: ret
End of assembler dump.
(gdb) x/40wx &sou
0xbffadca4: 0x41414141 0xbffadcd8 0x08048440 0x080483eb
0xbffadcb4: 0x080483eb 0xbffadcd8 0x08048479 0xb809ff50
0xbffadcc4: 0x08048300 0x0804846b 0xb807cff4 0x080483eb
0xbffadcd4: 0x08048300 0xbffadd38 0xb7f39685 0x00000001
0xbffadce4: 0xbffadd64 0xbffadd6c 0xb8091b38 0x00000001
0xbffadcf4: 0x00000001 0x00000000 0x0804820b 0xb807cff4
0xbffadd04: 0x08048460 0x08048300 0xbffadd38 0x2399c16a
0xbffadd14: 0x310c957a 0x00000000 0x00000000 0x00000000
0xbffadd24: 0xb80a5090 0xb7f395ad 0xb80adff4 0x00000001
0xbffadd34: 0x08048300 0x00000000 0x08048321 0x080483ff
(gdb) cont
Continuing.
Breakpoint 2, ciao (b=-1074078504) at xploitable.c:13
13 }
(gdb) x/40wx &sou
0xbffadca4: 0x41414141 0x080483eb 0x080483eb 0xbffadcd8
0xbffadcb4: 0x08048479 0xb809ff50 0x08048300 0x0804846b
0xbffadcc4: 0xb807cff4 0x080483eb 0x08048300 0x080483eb
0xbffadcd4: 0x08048300 0xbffadd38 0xb7f39685 0x00000001
0xbffadce4: 0xbffadd64 0xbffadd6c 0xb8091b38 0x00000001
0xbffadcf4: 0x00000001 0x00000000 0x0804820b 0xb807cff4
0xbffadd04: 0x08048460 0x08048300 0xbffadd38 0x2399c16a
0xbffadd14: 0x310c957a 0x00000000 0x00000000 0x00000000
0xbffadd24: 0xb80a5090 0xb7f395ad 0xb80adff4 0x00000001
0xbffadd34: 0x08048300 0x00000000 0x08048321 0x080483ff
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xbffadcda in ?? ()
(gdb)
--gdb--
as you can see, it goes in overflow with an EIP of 0xbffadcda. I don't
know where it gets this eip, if you look at the stack after the
function continues, it seems the the EIP ( 0x08048440 ) has been
overwritten well... But it doesn't work.
I use gcc 3.4 cuz 4.1 has SSP protection. Ubuntu on 32bit, as you can
see.
Thanks in advance, pater.
solve my problems by myself, but this time i really don't know what's
wrong. I programmed in PHP, now i was trying to approach C and
exercise with the program flow. I made this program for
demonstrational purposes, it should auto-bof himself, when returning
from function "ciao", to execute the "a" function.
Hope you can help me, this is the source
---xploitable.c---
#include <stdio.h>
int btol(int i)
{
return((i&0xff)<<24)+((i&0xff00)<<8)+((i&0xff0000)>>8)+((i>>24)
&0xff);
}
int ciao (int b) {
printf("smashing...\n");
char sou[4] = "AAAA";
memcpy((int *) (&sou+1), &b,4); // SOU/EBP/EIP
}
int a() {
printf("secret");
}
int main ( int argc, char *argv[] ) {
char sara[4];
int b = &a;
printf("function 'a' is @ 0x%x\n", b);
ciao(b);
}
---xploitable.c---
and this the output debugged with gdb...
--gdb--
g0d@g0d-desktop:~/Projects/6.Note$ gcc-3.4 -o x xploitable.c -g
xploitable.c: In function `main':
xploitable.c:21: warning: initialization makes integer from pointer
without a cast
g0d@g0d-desktop:~/Projects/6.Note$ gdb ./x -q
(gdb) break 12
Breakpoint 1 at 0x80483cc: file xploitable.c, line 12.
(gdb) break 13
Breakpoint 2 at 0x80483e9: file xploitable.c, line 13.
(gdb) run
Starting program: /home/g0d/Projects/6.Note/x
function 'a' is @ 0x80483eb
smashing...
Breakpoint 1, ciao (b=134513643) at xploitable.c:12
12 memcpy((int *) (&sou+1), &b,40);
(gdb) disass main
Dump of assembler code for function main:
0x080483ff <main+0>: push ebp
0x08048400 <main+1>: mov ebp,esp
0x08048402 <main+3>: sub esp,0x18
0x08048405 <main+6>: and esp,0xfffffff0
0x08048408 <main+9>: mov eax,0x0
0x0804840d <main+14>: add eax,0xf
0x08048410 <main+17>: add eax,0xf
0x08048413 <main+20>: shr eax,0x4
0x08048416 <main+23>: shl eax,0x4
0x08048419 <main+26>: sub esp,eax
0x0804841b <main+28>: mov DWORD PTR [ebp-0x8],0x80483eb
0x08048422 <main+35>: mov eax,DWORD PTR [ebp-0x8]
0x08048425 <main+38>: mov DWORD PTR [esp+0x4],eax
0x08048429 <main+42>: mov DWORD PTR [esp],0x8048525
0x08048430 <main+49>: call 0x80482ec <printf@plt>
0x08048435 <main+54>: mov eax,DWORD PTR [ebp-0x8]
0x08048438 <main+57>: mov DWORD PTR [esp],eax
0x0804843b <main+60>: call 0x80483b2 <ciao>
0x08048440 <main+65>: leave
0x08048441 <main+66>: ret
End of assembler dump.
(gdb) x/40wx &sou
0xbffadca4: 0x41414141 0xbffadcd8 0x08048440 0x080483eb
0xbffadcb4: 0x080483eb 0xbffadcd8 0x08048479 0xb809ff50
0xbffadcc4: 0x08048300 0x0804846b 0xb807cff4 0x080483eb
0xbffadcd4: 0x08048300 0xbffadd38 0xb7f39685 0x00000001
0xbffadce4: 0xbffadd64 0xbffadd6c 0xb8091b38 0x00000001
0xbffadcf4: 0x00000001 0x00000000 0x0804820b 0xb807cff4
0xbffadd04: 0x08048460 0x08048300 0xbffadd38 0x2399c16a
0xbffadd14: 0x310c957a 0x00000000 0x00000000 0x00000000
0xbffadd24: 0xb80a5090 0xb7f395ad 0xb80adff4 0x00000001
0xbffadd34: 0x08048300 0x00000000 0x08048321 0x080483ff
(gdb) cont
Continuing.
Breakpoint 2, ciao (b=-1074078504) at xploitable.c:13
13 }
(gdb) x/40wx &sou
0xbffadca4: 0x41414141 0x080483eb 0x080483eb 0xbffadcd8
0xbffadcb4: 0x08048479 0xb809ff50 0x08048300 0x0804846b
0xbffadcc4: 0xb807cff4 0x080483eb 0x08048300 0x080483eb
0xbffadcd4: 0x08048300 0xbffadd38 0xb7f39685 0x00000001
0xbffadce4: 0xbffadd64 0xbffadd6c 0xb8091b38 0x00000001
0xbffadcf4: 0x00000001 0x00000000 0x0804820b 0xb807cff4
0xbffadd04: 0x08048460 0x08048300 0xbffadd38 0x2399c16a
0xbffadd14: 0x310c957a 0x00000000 0x00000000 0x00000000
0xbffadd24: 0xb80a5090 0xb7f395ad 0xb80adff4 0x00000001
0xbffadd34: 0x08048300 0x00000000 0x08048321 0x080483ff
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xbffadcda in ?? ()
(gdb)
--gdb--
as you can see, it goes in overflow with an EIP of 0xbffadcda. I don't
know where it gets this eip, if you look at the stack after the
function continues, it seems the the EIP ( 0x08048440 ) has been
overwritten well... But it doesn't work.
I use gcc 3.4 cuz 4.1 has SSP protection. Ubuntu on 32bit, as you can
see.
Thanks in advance, pater.
the only thing is