stackoom
  简体   繁体   中英

C buffer overflow getting Segmentation Fault

 原文  2019-10-20 13:07:13       c/ pointers/ segmentation-fault/ buffer-overflow

Question

I am trying to do a buffer-overflow for my security class, we are not allowed to call any function and we need to jump to secret function and also return 0 without segmentation fault. I wrote the code below and successfully jumped to secret but I am getting a segmentation fault. How can I terminate the program successfully? Or is it possible to just write to a single address instead of for loop, when I tried it did not change anything.

#include <stdio.h>

void secret()
{
    printf("now inside secret()!\n");
}

void entrance()
{
    int doNotTouch[10];
    // can only modify this section BEGIN
    // cant call secret(), maybe use secret (pointer to function)
    for (int i = 0; i < 14; i++) {
        *(doNotTouch + i) = (int) &secret;
    }
    // can only modify this section END
    printf("now inside entrance()!\n");
}

int main (int argc, char *argv[])
{
    entrance();
    return 0;
}

1 answers

solution1
 1  2019-10-20 13:23:10

In some semi-assembler, assuming some kind of x86. (BP is pseudocode for EBP or RBP, assuming you're not actually compiling for 16-bit mode. 32-bit mode is likely so int is the same width as a return address.) 

; entrance:
; - stack has return address to main
push  bp                         ; decrement SP by a pointer width
mov   bp,sp
sub   sp, 10*sizeof(int)         ; reserve space for an array
;....
; doNotTouch[0] is probably at [bp - 10*sizeof(int)]

When you loop to 14, you first overwrite the saved bp at i==10 and then the return address to main (which is correct) and then overwrite some more which eventually causes the seg fault. So you only need to do *(doNotTouch + 11) = (int) &secret; - assuming int is the size of a function pointer. (Or a bit more if the compiler left a gap for stack-alignment or its own use. In a debug build other locals will have stack slots. Overwriting them could lead to an infinite loop that goes out of bounds.)

Then follows your printf and then the function returns, but it does not return to main but "jumps" to secret .

When secret returns, it is actually now the return from main but it couldn't do the return 0;

So secret should be:

int secret()
{
    printf("now inside secret()!\n");
    return 0;
}

Disclaimer: "....I think."

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Segmentation fault with fscanf in C : buffer overflow? segmentation fault on buffer overflow Getting segmentation fault in C Not getting Segmentation Fault in C C, Getting segmentation fault c getting Segmentation fault C overflow function.. segmentation fault Why no segmentation fault when strcpy() causes an buffer overflow? What is that address you see in a buffer overflow segmentation fault? Prevent segmentation fault in buffer overflow demonstration in Ubuntu 12
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM