Thread: Overwrite SRET by overflow

  1. #1
    Registered User
    Join Date
    Nov 2019

    Overwrite SRET by overflow


    I am trying to overflow an unsigned short variable in order to overwrite a save return address and point it to an address of my preference. Let's assume the address I want to point it to is 0xbfffffff (assume it exists and is a valid accessible address).

    ​int main(int argc, char** argv) {
        char *buff;
        unsigned short size, i, argumentNum, randomUnusedVar;
        size = 65535;
        // trying to overflow
        buff = alloca(size + 1);
        memset(buff, '-', size+1);
        // read for arguments
        for (i = 1; i < argc; i++) {
            // assume input can only be %c%d i.e. a0 c10 b4  
            argumentNum = atoi(argv[i] + 1);
            // assume there is some sort of protection against out of bounds access unless overflow
            if (argumentNum >= size) {
               return 1;
            // assume there is protection against writing any string
            // only single characters may be written
            buff[argumentNum] = argv[i][0];
        return 0;
    Executing the code above with arguments like a0 q10 z513 will result in characters a,q,z being written somewhere on the stack(whatever alloca() pointed buff to).

    I was wondering if there is that "single character write-only protection" against writing strings, executing the program with input like buff[66357] = "0xbfffffff"; would be prevented.

    However, I am unsure whether it is still impossible to overwrite the save return address in some way even if our made-up program has this protection.

    P.S. I am doing this for education purposes in a local environment with disabled stack protection in the gcc compiler.

  2. #2
    Registered User
    Join Date
    Dec 2017
    #include <stdio.h>
    int main() {
        unsigned short size = 12345;
        char buff[10];
        printf("%d\n", size); // 12345
        buff[-1] = 0xff;
        printf("%d\n", size); // 65337 (for me, at least)
        return 0;
    The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts. - Bertrand Russell

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Don't overwrite this space!!!!
    By mesmer in forum C Programming
    Replies: 4
    Last Post: 10-27-2008, 01:21 PM
  2. OT:force overwrite with cp
    By rotis23 in forum Linux Programming
    Replies: 12
    Last Post: 07-06-2004, 11:11 AM
  3. how to overwrite the text in *.txt
    By SuperNewbie in forum C# Programming
    Replies: 4
    Last Post: 11-10-2003, 09:01 AM
  4. Add not overwrite to a file
    By Bones in forum C++ Programming
    Replies: 7
    Last Post: 10-03-2003, 09:56 AM
  5. anything to overwrite a char array?
    By Nutka in forum C Programming
    Replies: 7
    Last Post: 10-26-2002, 02:40 PM

Tags for this Thread