Buffer Overflow: Redirecting Program Flow

[Karmic]

Hello all,

I have a problem that requires me to redirect program flow in the program below. There is obviously a buffer overflow and my job is to make it say "You won!" instead of "You lost!".

I am quite stumped because I know I can insert code into the buffer that will print out "You won" when referenced, but I don't know how to actually get to the real function call.

My idea is that I need to point the return address to the won() function's address, but I do not know how to get that address.

Any ideas are much appreciated.

Code: [Select]

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>

void win() {

printf( "You Won!");
}
void lose() {
printf( "You lost!");
}

int check(char *name) {
char buffer[16];

strcpy( buffer, name );

printf( "Your name is: %s \n", buffer);
printf( "The buffer address is [%p].\n", &buffer );
// Call the random function
srand(time(NULL));

return rand();

}

int main(int argc, char **argv) {
int randnum;
randnum = check(argv[1]);
if(randnum < 5) {
win();
} else {
lose();
}
// Return everything is OK
return( 0 );

}



[TheWormKill]

When you run your program inside a debugger or analyze it in a static context, you can either view a list of
functions directly, or are at least able to look at the assembly code of your main function. If you do the latter,
just find the instruction that calls the win function, which will reference it by it's address. Tools like readelf and
objdump (assuming you are on a unix-like system) will serve that purpose as well, but remember that this will
require at least some knowledge of the binary's internals and assembly, so you might want to educate yourself
in that field first.

[Trevor]

Let's try to explain this in simpler language.

As you might have figured out, buffer overflow occurs when you fill in more data than was actually reserved for it.

In the context of the program, the buffer array has been allocated 16 bytes. If you put in more than 16 bytes, a buffer overflow occurs. As a result of buffer overflow, you overwrite memory in the region immediately following the buffer.

To exploit this buffer overflow you need to understand how a function call happens.

In x86 assembly, function calls are usually done via the call instruction. What this instruction does is change the instruction pointer (in simpler terms, the current line of code being executed) to the function address. Before transferring control, it saves the current instruction pointer (IP) on the stack. The IP is saved so that the processor can return the control to the caller after it has executed the callee function.

Now both the buffer array and the IP is saved on the stack. The buffer array has a max capacity of 16 bytes. So naturally, if you keep fill in more than 16 bytes, it will overwrite the memory in the rejoining adjoining the buffer.

With carefully crafted input, it is possible to overwrite the saved IP on the stack (as both the buffer and IP are located on the stack). The consequence of this is when the function tries to return, it will use the overwritten value instead of the original saved IP.

If you supply a specially crafted input which overwrites the saved IP with the address of the win() function while calling check(), you have exploited the buffer overflow. This is exactly the thing you need to do.

[Karmic]

Thanks a lot guys. I understand what you're saying about the memory address and I think I was dolng it wrong before by overwriting EIP with the address of the call instruction not the address of the function.

Now, what is really racking my brain is how to make a program that will run the vulnerable program and find the correct memory address of the win() function.

[Trevor]

You don't need to write another program that will run the vulnerable program and find the correct memory address....

You can use a disassembler for finding the function addresses. You may use IDA although it is too heavyweight for  this simple task.

Here is a screenshot from IDA. The source has been compiled with VS.
The address of the function win is 0x401000. This will be different for your case.

[novaccainne]

Fist of all, you should learn the basics of binaries.  I suggest you start to read (and DOING exercises day by day) the Shellcoders handbook. It can be found on the following link or use google if you don't want to buy or support the authors (shellcoders handbook pdf download) : 

http://www.amazon.com/The-Shellcoders-Handbook-Discovering-Exploiting/dp/047008023X

Some useful tools :

- http://security.cs.pub.ro/hexcellents/wiki/kb/toolset/peda
- https://github.com/pwntester/cheatsheets/blob/master/radare2.md
- http://www.amazon.com/Assembly-Language-Step-Step-Programming/dp/0470497025

If you really liked it and you would like to know more and want to dig deeper then check the following pages :
- https://tuts4you.com/download.php?list.97
- https://tuts4you.com/download.php?list.17
- http://www.fuzzysecurity.com/tutorials.html
- https://www.corelan.be/index.php/articles/
- https://thesprawl.org/research/latest/