
I have an exercise that asks me to produce a segfault. In my understanding I can do that by overflowing the buffer. So all I need to do is provide an input (Name) bigger than a certain size (covering the return address). So if buf, i and c hold 52 bytes and ebp 4, then the return address should be after 56 bytes. So if I give an input bigger than 56, it should produce a segfault. Is my thinking correct? I tried with those numbers but it still runs and exits correctly. (UNIX, 32-bit)

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

#define BUFSIZE 44

char grade = '3';
char Name[BUFSIZE];

/* Reads one line from stdin into a stack buffer, then copies it to s.
 * The read loop has no bound on i, so a line longer than BUFSIZE
 * writes past buf (this is the overrun the exercise is about). */
void readString(char *s) {
   char buf[BUFSIZE];
   int i = 0;
   int c;

   while (1) {
      c = fgetc(stdin);
      if ((c == EOF) || (c == '\n'))
         break;
      buf[i++] = c;        /* unchecked index */
   }
   buf[i] = 0;

   /* The copy is bounded: only BUFSIZE bytes ever reach Name. */
   for (i = 0; i < BUFSIZE; i++)
      s[i] = buf[i];

   return;
}

int main(void) {
   /* Make the page holding Name writable and executable
    * (the address cast assumes a 32-bit pointer). */
   mprotect((void*)((unsigned int)Name & 0xfffff000), 1,
            PROT_READ | PROT_WRITE | PROT_EXEC);

   printf("What is your name?\n");
   readString(Name);

   exit(0);   /* missing semicolon fixed */
}
  • Alternate segfault: int ohno = *((int*)NULL); printf("%d", ohno);
    – user7881131
    Commented May 17, 2017 at 1:36

2 Answers


This bit of code is protecting you from a segfault.

for (i = 0; i < BUFSIZE; i++)
   s[i] = buf[i];

You may run off of the end of the buf array but that is on the stack.

Why not just this?

*(int*)(0x00000000) = 0;
  • The exercise is called Buffer Overrun Attack, so I must assume that they want me to do it that way. Anyway, if you write on the stack on the return address (EIP), shouldn't that produce one if the return address is somewhere else?
    – GKoo
    Commented May 17, 2017 at 7:44
  • Scratch that, I did it by making i too big.
    – GKoo
    Commented May 18, 2017 at 19:30

In my opinion, the stack was word aligned; if you have buf[BUFSIZE], it will have a hole between it and the local i and c variables. Its disassembly code looks like this:

  4005d4:   55                      push   %rbp
  4005d5:   48 89 e5                mov    %rsp,%rbp
  4005d8:   48 83 ec 50             sub    $0x50,%rsp
  4005dc:   48 89 7d b8             mov    %rdi,-0x48(%rbp)
  4005e0:   c7 45 f8 00 00 00 00    movl   $0x0,-0x8(%rbp)

Its stack creates 90 bytes, so if you want to change rbp you must input a lot. So if you want to change another value like rbp, you must input more than 64. Unfortunately, it may not work, because when you go through the i location, your input value will change the i value, so buf[i++] may not be at the position you want. So the best way to change rbp is to just jump through the stack which was subtracted at the start.

  • The i value will not be changed, because gcc uses a register to store the i value, unless you add volatile before the i variable. Commented May 17, 2017 at 3:16
  • If you just want a crash, just call abort. Commented May 17, 2017 at 3:17
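As an added example, not code from the question or either answer: a bounded replacement for the question's readString(), which fixes the unchecked read loop that the first answer contrasts with the bounded copy loop. The names readStringBounded and readFromString are assumptions of this example; it keeps the question's 44-byte buffer and feeds it a constructed 60-byte line, longer than the 56 bytes the question expected to crash at.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened replacement for the question's readString():
 * read one line from `in` into `s`, which holds `size` bytes. The index
 * is checked before every store, one byte is reserved for the NUL, and
 * surplus input is drained instead of written. Returns the number of
 * bytes stored, or -1 if the line did not fit. */
int readStringBounded(FILE *in, char *s, size_t size) {
    size_t i = 0;
    int c, truncated = 0;
    if (size == 0)
        return -1;                 /* no room even for the terminator */
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (i < size - 1)
            s[i++] = (char)c;      /* highest index written: size - 2 */
        else
            truncated = 1;         /* drop the byte, keep draining */
    }
    s[i] = '\0';                   /* i <= size - 1, always in bounds */
    return truncated ? -1 : (int)i;
}

/* Feed a constructed line to readStringBounded() through a temporary
 * FILE, so the check runs without typing at stdin. */
int readFromString(const char *input, char *s, size_t size) {
    FILE *f = tmpfile();
    int n;
    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    n = readStringBounded(f, s, size);
    fclose(f);
    return n;
}

int main(void) {
    char Name[44];                 /* same BUFSIZE as the question */
    char big[70];                  /* constructed 60-byte input line */
    int n;
    memset(big, 'A', 60);
    big[60] = '\n';
    big[61] = '\0';
    n = readFromString("Alice\n", Name, sizeof Name);
    printf("short: %d \"%s\"\n", n, Name);
    n = readFromString(big, Name, sizeof Name);
    printf("long: %d, stored %zu bytes\n", n, strlen(Name));
    return 0;
}
```

Compiling the original program with gcc -fstack-protector-all turns the same 60-byte line into an immediate "stack smashing detected" abort instead of a clean exit, which is the runtime check that catches the overrun the question's loop allows.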
