I've been looking at an exercise on buffer overflows and the stack return address. The idea is to overflow a buffer in front of the stack return address and swap in a different address to execute a different part of the code than intended. So a simple example would look like this:
Code:
1 #include <stdio.h>
2 #include <string.h>
3
4 int wordcheck (char *word) {
5 char string[5];
6 strcpy(string,word);
7 if (strcmp(string,"this")==0) return 0;
8 else return -1;
9 }
10
11
12 int main(int argc, char *argv[]) {
13 if (wordcheck(argv[1])<0) puts("word wasn't this");
14 else puts("word was this");
15 }
where you could use perl to create an argv[1] like this:
./a.out $(perl -e 'print "ZZZZZZZZZZZZZZZ\xff\x56\xc2\x80")
which would overwrite the stack return address with the address 80c256ff, in theory a different point in the program than we were supposed to go to.
So, using gdb and following this exercise, I've gotten to the point where I've set a breakpoint at line 6, so I can examine the $esp and see the stack frame, which should contain some padding, the storage for char string[5], some padding, then the return address. Unfortunately, in the exercise it's not explained how to identify the the return address, it's just indicated (so you can figure out how many ZZZZ's to use). I think it should be the location of an address which corresponds to an instruction:
Code:
Dump of assembler code for function main:
0x0804843b <main+0>: lea 0x4(%esp),%ecx
0x0804843f <main+4>: and $0xfffffff0,%esp
0x08048442 <main+7>: pushl 0xfffffffc(%ecx)
0x08048445 <main+10>: push %ebp
0x08048446 <main+11>: mov %esp,%ebp
0x08048448 <main+13>: push %ecx
0x08048449 <main+14>: sub $0x4,%esp
0x0804844c <main+17>: mov 0x4(%ecx),%eax
0x0804844f <main+20>: add $0x4,%eax
0x08048452 <main+23>: mov (%eax),%eax
0x08048454 <main+25>: mov %eax,(%esp)
0x08048457 <main+28>: call 0x80483d4 <wordcheck>
0x0804845c <main+33>: test %eax,%eax
0x0804845e <main+35>: jns 0x804846e <main+51>
0x08048460 <main+37>: movl $0x8048565,(%esp)
0x08048467 <main+44>: call 0x80482e8 <puts@plt>
0x0804846c <main+49>: jmp 0x804847a <main+63>
0x0804846e <main+51>: movl $0x8048576,(%esp)
0x08048475 <main+58>: call 0x80482e8 <puts@plt>
0x0804847a <main+63>: add $0x4,%esp
0x0804847d <main+66>: pop %ecx
0x0804847e <main+67>: pop %ebp
0x0804847f <main+68>: lea 0xfffffffc(%ecx),%esp
0x08048482 <main+71>: ret
End of assembler dump.
I don't understand assembly, but I figure I should be able to hack through this IF I'm right about how to identify the return address of the stack frame. Or?