Thread: I want to cause a buffer overflow to call a function

  1. #1
    Registered User
    Join Date
    Nov 2012
    Posts
    5

    I want to cause a buffer overflow to call a function

    Hello!
    I tried to cause a buffer overflow, and I need some expert help here.

    I want to call the "callme" function in the little program I've written below:

    Code:
    #include "stdio.h"
    #include "stdlib.h"

    void io(void);
    void callme(void);

    int main(void) {
        io();
        return 0;
    }

    void io(void) {
        char input[16];          /* 16-byte buffer on the stack */
        printf("input:\n");
        scanf("%s", input);      /* unbounded %s: longer input overruns input[] */
        printf("%s\n", input);
    }

    void callme(void) {          /* never called by the program itself */
        printf("you made it!\n");
    }
    Okay now, what I want is to redirect the flow:

    from main to io()
    from io(), instead of returning to main(), I want to go to callme(), and after that I don't care anymore.

    With gdb I found out that the callme address should be:

    0x4013db
    40 13 db

    -> to little endian

    db 13 40

    -> to decimal

    219 19 64

    -> to ascii

    Û @

    Okay, now I am not sure where to enter this. When receiving input, it crashes when I put in 24 characters; 23 is okay. But does that mean my return address is stored at the 24th? Probably not.

    I tried input values like:

    abcdefghijklmnopqrstuvwÛ @

    but the program simply crashed, and

    abcdefghijklmnopqrstuvÛ @

    just did nothing; it printed it again.

    I'm still a beginner in this field, I'm happy with any advice! Even if I'm terribly wrong with what I did so far!
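Added example, not code from the thread: the same io() with a width-limited conversion, next to a check of whether the original unbounded scanf("%s") would write past the 16-byte buffer. The names token_len, would_overflow and io_bounded are chosen here, and the input comes from constructed strings instead of stdin so it runs without interaction.

```c
#include <stdio.h>
#include <string.h>

#define INPUT_CAP 16   /* same size as char input[16] in the thread's io() */

/* Length of the first whitespace-delimited token in src: the number of
   bytes scanf("%s") copies before it appends the NUL terminator. */
static size_t token_len(const char *src) {
    size_t n = 0;
    while (*src == ' ' || *src == '\t' || *src == '\n') src++;
    while (src[n] && src[n] != ' ' && src[n] != '\t' && src[n] != '\n') n++;
    return n;
}

/* 1 if the unbounded scanf("%s", input) from the thread would write past the
   16-byte buffer for this input (token plus NUL exceeds INPUT_CAP), else 0. */
int would_overflow(const char *src) {
    return token_len(src) + 1 > INPUT_CAP;
}

/* Hardened io(): the field width 15 (INPUT_CAP - 1) caps what is written, so
   the NUL always lands inside out[]. Reads from a string rather than stdin so
   it can be exercised without interaction.
   Returns 1 if the token was truncated, 0 if it fit, -1 if nothing was read. */
int io_bounded(const char *src, char out[INPUT_CAP]) {
    out[0] = '\0';
    if (sscanf(src, "%15s", out) != 1)
        return -1;
    return token_len(src) > INPUT_CAP - 1;
}

/* Number of bytes the bounded read actually stored (never more than 15). */
size_t io_bounded_len(const char *src) {
    char buf[INPUT_CAP];
    io_bounded(src, buf);
    return strlen(buf);
}

int main(void) {
    /* constructed inputs; the 23-character one is the thread's, and it already
       overruns the buffer even though it did not crash there */
    const char *fits = "hello", *too_long = "abcdefghijklmnopqrstuvw";
    char buf[INPUT_CAP];
    int truncated = io_bounded(too_long, buf);
    printf("%s -> overflow=%d\n", fits, would_overflow(fits));
    printf("%s -> overflow=%d\n", too_long, would_overflow(too_long));
    printf("bounded read stored \"%s\" (truncated=%d)\n", buf, truncated);
    return 0;
}
```

Note that the 23-character input already writes 24 bytes into a 16-byte buffer; an overflow that happens not to crash is still an overflow, which is why the bounded read is the fix rather than "23 is okay".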

  2. #2
    SAMARAS std10093's Avatar
    Join Date
    Jan 2011
    Location
    Nice, France
    Posts
    2,694
    Are you aware of the fact that the code of the function is actually stored in the memory?

    As I assume you already know, you can point to the memory with pointers...

    So the code of a function is in memory, so you can point to it with function pointers.

    Maybe this can help you...

    Quote Originally Posted by xatrixx View Post
    I'm still a beginner in this field, I'm happy with any advice!
    What is the name of the field you are referring to?

    Also welcome to the forum!

  3. #3
    Registered User
    Join Date
    Nov 2010
    Location
    Long Beach, CA
    Posts
    5,909
    You should always read the forum guidelines (link) before you join/post to a forum. Clearly you didn't do that here, or you chose to ignore rule #6, which states clearly:
    6. Messages relating to cracking, (erroneously called "hacking" by many), copyright violations, or other illegal activities will be deleted. Due to the overlapping boundaries of code with malicious intent, and other legitimate uses of it, the moderators will assess each potential infraction on a case by case basis.
    Unfortunately, your post is a prime example of malicious intent. Sorry we can't help you.

  4. #4
    SAMARAS std10093's Avatar
    Join Date
    Jan 2011
    Location
    Nice, France
    Posts
    2,694
    Maybe I have to stop being so naive...

  5. #5
    Registered User
    Join Date
    Nov 2012
    Posts
    5
    std10093: The name of the field I'm referring to is low-level programming (assembly, stack, memory, registers etc.).

    Why is this rule applying here?

    I am not doing anything bad. This is my own program, and I'm trying to LEARN from it. I want to understand how the stack works, I want to understand how the registers work. In the end, this might be a helpful thing for a "bad guy", but as long as I am doing this locally, on my own program, trying to learn how a stack frame works and what it contains, and what possibilities C functions like scanf give me, I do not understand the issue.

    But hey, I respect your rule, and it's possibly simply the wrong board to ask, then.
    I just thought people on a serious C forum could tell the difference between playing around in the stack frame and intending to write malicious software.

    Thanks anyway!

  6. #6
    Administrator webmaster's Avatar
    Join Date
    Aug 2001
    Posts
    1,012
    As mentioned above, we assess these things on a case-by-case basis. In this case, I think the question is fine.

  7. #7
    Registered User
    Join Date
    Nov 2012
    Posts
    5
    Quote Originally Posted by webmaster View Post
    As mentioned above, we assess these things on a case-by-case basis. In this case, I think the question is fine.
    Thank you!

    Now back to topic. I don't want to modify any code, std. I just want to change the return address; shouldn't this be saved in ESP (the stack pointer)?

  8. #8
    Registered User
    Join Date
    Dec 2006
    Location
    Canada
    Posts
    3,229
    The return address is saved on the stack, but there are many other things saved on the stack, too.

    For example, depending on the calling convention, the callee may have to preserve some/all registers. So for example, if the compiler compiles your function using 3 registers, the original values of those 3 registers may have to be pushed onto the stack as well (so they can be restored before the function returns).

    Other local variables also live on the stack.

    Quote Originally Posted by xatrixx View Post
    But does that mean my return address is stored at the 24th? Probably not.
    Why not? That's entirely possible.

    Quote Originally Posted by std10093 View Post
    Are you aware of the fact that the code of the function is actually stored in the memory?

    As I assume you already know, you can point to the memory with pointers...

    So the code of a function is in memory, so you can point to it with function pointers.
    Yes, but the code is not stored on the stack.

  9. #9
    Registered User
    Join Date
    Nov 2012
    Posts
    5
    Quote Originally Posted by cyberfish View Post
    The return address is saved on the stack, but there are many other things saved on the stack, too.

    For example, depending on the calling convention, the callee may have to preserve some/all registers. So for example, if the compiler compiles your function using 3 registers, the original values of those 3 registers may have to be pushed onto the stack as well (so they can be restored before the function returns).

    Other local variables also live on the stack.


    Why not? That's entirely possible.



    Yes, but the code is not stored on the stack.
    Hi thanks for this reply. Thanks, i know about caller/callee saved registers, but is this a problem here? This would just mean the program crashes later right? But if all i want is to jump into my function, then whatever can happen I should be okay.

    About the:
    Why not? That's entirely possible.

    My question: how can I ensure that? Is this guesswork?

    And finally: what would be the input I have to make? How can I get there, what would be the steps? Did I even convert my address correctly, ready to use on the command line?

  10. #10
    Registered User
    Join Date
    Dec 2006
    Location
    Canada
    Posts
    3,229
    You cannot control how much data the compiler will have your code push onto the stack. C doesn't give you that level of control.

    If you want to do this experiment, you should do it in assembly.

    Quote Originally Posted by xatrixx View Post
    And finally: what would be the input I have to make? How can I get there, what would be the steps? Did I even convert my address correctly, ready to use on the command line?
    The OS will actually randomize the address each time your program is run. It's a safety feature to prevent exactly this kind of attack (or at least make them a lot harder).

  11. #11
    Registered User
    Join Date
    Nov 2012
    Posts
    5
    Quote Originally Posted by cyberfish View Post
    The OS will actually randomize the address each time your program is run. It's a safety feature to prevent exactly this kind of attack (or at least make them a lot harder).
    Oh I understand. Looks like this task is already a step too hard for me?

    Does this also apply to Windows? I know Linux has stack randomization.

  12. #12
    Registered User
    Join Date
    Dec 2006
    Location
    Canada
    Posts
    3,229
    I am actually not sure about Windows either. I only know Linux does it.

  13. #13
    the hat of redundancy hat nvoigt's Avatar
    Join Date
    Aug 2001
    Location
    Hannover, Germany
    Posts
    3,130
    Windows has ASLR/DEP (and a few more techniques) since Vista that make attacking through stack vulnerabilities a lot harder. Sadly, only a few programs use those.
    hth
    -nv

    She was so Blonde, she spent 20 minutes looking at the orange juice can because it said "Concentrate."

    When in doubt, read the FAQ.
    Then ask a smart question.
