砸栈

Question

So I'm working on an assignment for a security class and the assignment is to use a stack overflow to call the function oopsDidISmashTheStack that is never used it the program.

#include <stdio.h>
#include <stdlib.h>

int oopsDidISmashTheStack(void)
{
    printf("Yup, smashing the stack is fun!\n");
    exit(0);
}

int getUserInput (void)
{
    char buf[12];
    gets(buf);
    return(1);
}

int main(void)
{
    getUserInput ();
    printf("Overflow failed, normal return\n");
    return(1);
}

I understand the concept of that after the buf variable is the sfp and then the return address what I can't figure out is the input that would change the return value to the address 0x080484fc which is where the function is located. I thought that it would require 12 characters to fill the buffer and then I was under the impression that sfp and return where 4 bytes so I trying to fill sfp with another 4 random characters and then use \\xfc\\x84\\x04\\x08 to make the return address point to the function.

If anyone is familiar with how the stack memory works and could explain where I'm going wrong that would be great?

Answer 1

You're pretty much on the right track. I suggest you look at the stack and see if the return address is where you think it is. There might be something else in there. Also double check the endien-ness,

I assume this is your input string?

"012345678901xxxx\\xfc\\x84\\x04\\x08"

What is the output of your program, generally if you're close but don't get it quite right the program crashes :)