buffer overflow exploit change function call

Question

I am trying to perform a buffer overflow to change the call from function A to function B. Is this do-able? I know I will have to figure out how many bytes I have to enter until I have control over the return pointer, and figure out the address of function B. Is it possible to alter it so that after "x==10" we inject function B's address instead of functionA? Edit: Is it possible that after fillbuff is called, instead of returning to main, we send it to function B? Any hints is appreciated.

int fillBuff(int x){
    char buff[15];
    puts("Enter your name");
    gets(buff);
    return(x + 5);
}

void functionA(){
    puts("I dont want to be here");
    exit(0);
}
void functionB(){
    printf("I made it!");
    exit(0);
}


int main(){
    int x;
    x = fillbuff(5);
    if (x == 10){
        functionA();
    }
}

you should put void in the parameter braces of functions if they are being declared with no parameters, by the way. Leaving them empty doesn't mean no parameters. — Bobby Sacamano, Nov 20 '15 at 03:51
See this answer: http://stackoverflow.com/a/27214515/3846218 — AlexPogue, Nov 20 '15 at 03:56

ViniciusArruda · Accepted Answer · 2015-11-20T04:12:09.550

2

Here is an article that shows how to do it: http://insecure.org/stf/smashstack.html.

Compile your program like this: gcc -g -c program.c (with the -g) and run gdb ./a.out. After, run the command disas main. You should see the disassemble of your code and how it is organized in your memory. You can replace the main function to any other function and see its code. For more information about disassemble see: https://sourceware.org/gdb/onlinedocs/gdb/Machine-Code.html

Running GDB and disassembling the functions on my computer, the address of functionA() is 0x400679 and the address of functionB() is 40068a. If you see the disassemble code of main function, there is a call to the address 0x400679, and what you want is to change it to 40068a. Basically, you have to overflow the buffer in function fillBuff and after reaching the space of the pointer, you have to fill with the address. The article shows how to do it.

edited Nov 20 '15 at 04:12

answered Nov 20 '15 at 03:51

ViniciusArruda

970
12
27

If you're going to use a debugger, ollydbg/EDB (depending on your OS) are a bit better suited to this kind of thing, since they have a gui that displays register and memory values and highlights when those values are changed. If you were just planning on using GDB to dump the assembly and not step through it, it doesn't really matter that much though. – Bobby Sacamano Nov 20 '15 at 04:14
1

Yes, the DDD (https://www.gnu.org/software/ddd/) is a front-end for command-line GDB debbuger. – ViniciusArruda Nov 20 '15 at 04:17
Thank you. This was extremely helpful – Nych Nov 20 '15 at 04:21

Bobby Sacamano · Answer 2 · 2015-11-20T03:55:09.570

Buffer overflows are undefined behavior in C. Nothing is guaranteed to occur when you buffer overflow, and as far as I'm aware the language doesn't require a specific memory layout for local variables and/or stored return addresses. In addition to this, some compilers insert stack protectors to make buffer overflow attacks more difficult.

If you want to have defined behavior, you are going to need to look at the assembly produced and figure out what a buffer overflow is going to do. Based on the assembly produced, you can determine the stack layout and the address layout and try to overwrite the return address with a different function's address.

If you're using GCC, the command line option to print out the assembly is -Wa,-al. If you want Intel syntax, add -masm=intel.

buffer overflow exploit change function call

2 Answers2