Buffer Overflow question

[zazza]

Hello all
First of all nice site
I'm reading vinnu's access denied book and I'm at the buffer overflow section (Rocket & Missile Theories & Manufacturing)
The problem is that I can't make overflow.exe program (the first program example) to overwrite eip with an address. I've identified the address I want to make it go and I think I input the correct string to make the buffer overflow and go to address 00401039, which I believe is this part of the program (from my assembly analysis):

Code:

cout << "This is a buffer overflow example." << endl;
cout << "If string buffer will exceed 15 bytes, it will cause an
overflow." << endl;
strcpy (name, argv[1]);
system("PAUSE");
return EXIT_SUCCESS;

The string I input is this:

AAAAAAAAAAAAAAAAAAAAAAAA9^P@

I attached cheat engine to the program (as it's the only 'debugger' I know how to use) and verified that the return address is overwritten with my address but still it doesn't work (see image attachment)

The program crashes after the pause, it doesn't re-execute the code at address 00401039 so I think it doesn't make it to eip.

I'm doing it on windows xp.

Can anybody help me please?

Thank you

[revsec]

im intresting in access denied "vennu " book. can u upload it

TIA

[sebas_phoenix]

Hello all
First of all nice site
I'm reading vinnu's access denied book and I'm at the buffer overflow section (Rocket & Missile Theories & Manufacturing)
The problem is that I can't make overflow.exe program (the first program example) to overwrite eip with an address. I've identified the address I want to make it go and I think I input the correct string to make the buffer overflow and go to address 00401039, which I believe is this part of the program (from my assembly analysis):

Code:

cout << "This is a buffer overflow example." << endl;
cout << "If string buffer will exceed 15 bytes, it will cause an
overflow." << endl;
strcpy (name, argv[1]);
system("PAUSE");
return EXIT_SUCCESS;

The string I input is this:

I attached cheat engine to the program (as it's the only 'debugger' I know how to use) and verified that the return address is overwritten with my address but still it doesn't work (see image attachment)

The program crashes after the pause, it doesn't re-execute the code at address 00401039 so I think it doesn't make it to eip.

I'm doing it on windows xp.

Can anybody help me please?

Thank you

Hello, How do you expect "AAAAAAAAAAAAAAAAAAAAAAAA9^P@" to overwrite the saved EIP as '0x00401039' , as you can see, it contains 2 bytes that are non-printable 0x00 and 0x10, what you can do (assuming 0x00401039 points to the shellcode) is that , give this as the input : <no of chars to overwrite EIP>+"\x39\x10\x40" (strcpy automatically adds a 0x00) at the end. Use perl or python from the command line to give the input. Also, one more thing is that you can never directly modify EIP, what you are actually modifying is the saved return address that is stored in the stack!

[zazza]

Hello sebas_phoenix
Thank you for the reply. I'm a beginner in this field so sorry for my ignorance. I'm not doubting what you said, just wondering.

In the access denied book, vinnu wants this address:0x0040107E and gives this input: <AA...>~^P@ (^P is actually ctrl+P). The only unprintable character in my address (0x00401039) is 0x10 and as you said, strcpy automatically adds the first 0x00. So for 0x10 I used ctrl+P as vinnu did and watching the image I attached above (circled in red) it seems that the return address is overwritten with my address. Isn't that enough? But still the program crashes...
I want to do it from the command prompt as in the tutorial, not using python / perl command line.

Thank you

[sebas_phoenix]

Hello sebas_phoenix
Thank you for the reply. I'm a beginner in this field so sorry for my ignorance. I'm not doubting what you said, just wondering.

In the access denied book, vinnu wants this address:0x0040107E and gives this input: <AA...>~^P@ (^P is actually ctrl+P). The only unprintable character in my address (0x00401039) is 0x10 and as you said, strcpy automatically adds the first 0x00. So for 0x10 I used ctrl+P as vinnu did and watching the image I attached above (circled in red) it seems that the return address is overwritten with my address. Isn't that enough? But still the program crashes...
I want to do it from the command prompt as in the tutorial, not using python / perl command line.

Thank you

First of all, no need to be sorry. Ok , what does 0x00401039 contain? I am guessing that address contain some other part of the code since typically 0x00401000 is where the loader loads the executable image. Can you specify the "entire" code so that it might be easy for me to understand what the program does completely. As for as the command line part, it is better you get acquainted with perl/python , makes your life easier..

[zazza]

Hello
Thanks for the reply
This is the entire program:

Code:

/* overflow.cpp */
#include <iostream>
using namespace std;
int main (int argc, char* argv[])
 {
char name[15];
if ( argc < 2)
 {
fprintf (stderr, "Usage:\n%s <string>", argv[0]);
exit(-1);
}
cout << "This is a buffer overflow example." << endl;
cout << "If string buffer will exceed 15 bytes, it will cause an
overflow." << endl;
//----------------buffer overflows section code-------------
strcpy (name, argv[1]);
//-----------------buffer overflow section end-------------
system("PAUSE");
return EXIT_SUCCESS;
}

At address 0x00401010 this instruction resides: cmp dword ptr [ebp+08],02 which I can tell is the if ( argc < 2) part, then at the next address this instruction resides: jnl 00401039, which is the jump to the 'main' part of the program, so I decided to redirect it directly to that address.

Even if I input the string that vinnu provided to redirect the execution back to ‘main’ function (address 0x0040107E), which is AAAAAAAAAAAAAAAAAAAA~^P@ (^P is ctlr+P), it still crashes. Isn't that strange? I though that since xp doesn't have the aslr feature, an exploit code will work on every xp machine that runs that program...

[sebas_phoenix]

Hello
Thanks for the reply
This is the entire program:

Code:

/* overflow.cpp */
#include <iostream>
using namespace std;
int main (int argc, char* argv[])
 {
char name[15];
if ( argc < 2)
 {
fprintf (stderr, "Usage:\n%s <string>", argv[0]);
exit(-1);
}
cout << "This is a buffer overflow example." << endl;
cout << "If string buffer will exceed 15 bytes, it will cause an
overflow." << endl;
//----------------buffer overflows section code-------------
strcpy (name, argv[1]);
//-----------------buffer overflow section end-------------
system("PAUSE");
return EXIT_SUCCESS;
}

At address 0x00401010 this instruction resides: cmp dword ptr [ebp+08],02 which I can tell is the if ( argc < 2) part, then at the next address this instruction resides: jnl 00401039, which is the jump to the 'main' part of the program, so I decided to redirect it directly to that address.

Even if I input the string that vinnu provided to redirect the execution back to ‘main’ function (address 0x0040107E), which is AAAAAAAAAAAAAAAAAAAA~^P@ (^P is ctlr+P), it still crashes. Isn't that strange? I though that since xp doesn't have the aslr feature, an exploit code will work on every xp machine that runs that program...

Well, I guess the problem is because when overwriting the saved EIP, you overwrite the saved EBP too, and when redirecting code to the main function after the check to see if argc<2, there exists a strcpy() which takes as one of its parameters the argv[1], this will be referenced as an offset with respect to ebp then going inside the pointer to pointer to get our argv[1]. Since ebp is corrupt coz of overflow, this might crash. Or i guess CRTStartup() is the function that sets up stuff before calling main, so main returns to CRTStartup() in windows, there might be problem in the function epilogue of main. These are the two things I can think of now without seeing it in the debugger.

Hope it helps.

[zazza]

Hello
Hmm... So it would be worth trying to redirect it to this command system("PAUSE"); to see if it the problem is a faulty ebp value right?

I got another question, isn't there a way to overwrite only the saved eip value? I learned that this is how the stack of a function looks:

null termination
data buffer
saved ebp
saved eip

As eip is under ebp, shouldn't I be able to overwrite eip only? I mean using a string whose length will just overwrite the saved eip value.

Thank you for your help! I really appreciate it

["vinnu"]

Namast

This discussion is interestingly going on. The problem could be in stack validation routine if compiled default. This routine will not let the execution of the program if stack check will fail. This is also called /Gs protection
Compile the program using followi ng syntax to avoid the /Gs protection:
CL /gs overflow.cpp
Remember to build the project in IDE and compile via command console
VC gui doesnt by default apply this switch while compiling

Also provide the address of the first byte of the routine that you want to execute. pointing execution anywhere in mid of the routine will also fail the execution without achieving intended results...."vinnu"

[sebas_phoenix]

Hello
Hmm... So it would be worth trying to redirect it to this command system("PAUSE"); to see if it the problem is a faulty ebp value right?

I got another question, isn't there a way to overwrite only the saved eip value? I learned that this is how the stack of a function looks:
As eip is under ebp, shouldn't I be able to overwrite eip only? I mean using a string whose length will just overwrite the saved eip value.

Thank you for your help! I really appreciate it

Hmm, the stack grows from higher memory address to a lower memory address, which means that the saved ebp gets overwritten before the saved eip. There are ways you can overwrite just the saved eip, but that would require some pointer manipulation. Basically something like this,

void dummy(char *str,char *str1) //assume this is user supplied
{
char *ptr=NULL; //initially points to NULL
char buf[256];
strcpy(buf,str); //in here overwrite the pointer so that it points to the address where the saved EIP is stored in the stack
strcpy(ptr,str1);//overwrite the saved eip with the value of your choice
}
Note that this is just a sample code to show you it is possible to overwrite saved eip without touching the saved ebp. This will also bypass the GS cookies compiler protection.

As Vinnu bro said, GS cookies might also be the reason why your code seg faults. And yeah try till system("PAUSE") and note the effects. Hope it helps