
I am working through the OverTheWire Narnia wargame and I don't completely understand one of my buffer overflow solutions.

The following code is what is confusing me.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char * argv[]){
    char buf[128];

    if(argc == 1){
        printf("Usage: %s argument\n", argv[0]);
        exit(1);
    }
    /* no length check: an argv[1] longer than 127 bytes (plus NUL) runs past buf */
    strcpy(buf,argv[1]);
    printf("%s", buf);

    return 0;
}

My solution uses the lack of length checking on the strcpy function to overflow main's return address. There are 8 bytes of unused memory between the end of the 128 bytes reserved for buf and the start of the stack frame control data (the saved ebp and return address). Hence, my payload needs to be 8 bytes longer than I originally thought to overflow the control data (144 bytes instead of 136). Stack canaries are not being used. What are the possible reasons for the 8 bytes of unused memory?

uname -a: Linux melinda 4.9.15-x86_64-linode81 #1 SMP Fri Mar 17 09:47:36 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

gcc --version: gcc (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4

Here is the output of disassemble main in gdb:

   0x0804845d <+0>:     push   %ebp
   0x0804845e <+1>:     mov    %esp,%ebp
   0x08048460 <+3>:     and    $0xfffffff0,%esp
   0x08048463 <+6>:     sub    $0x90,%esp
   0x08048469 <+12>:    cmpl   $0x1,0x8(%ebp)
   0x0804846d <+16>:    jne    0x8048490 <main+51>
   0x0804846f <+18>:    mov    0xc(%ebp),%eax
   0x08048472 <+21>:    mov    (%eax),%eax
   0x08048474 <+23>:    mov    %eax,0x4(%esp)
   0x08048478 <+27>:    movl   $0x8048560,(%esp)
   0x0804847f <+34>:    call   0x8048310 <printf@plt>
   0x08048484 <+39>:    movl   $0x1,(%esp)
   0x0804848b <+46>:    call   0x8048340 <exit@plt>
   0x08048490 <+51>:    mov    0xc(%ebp),%eax
   0x08048493 <+54>:    add    $0x4,%eax
   0x08048496 <+57>:    mov    (%eax),%eax
   0x08048498 <+59>:    mov    %eax,0x4(%esp)
   0x0804849c <+63>:    lea    0x10(%esp),%eax
   0x080484a0 <+67>:    mov    %eax,(%esp)
   0x080484a3 <+70>:    call   0x8048320 <strcpy@plt>
   0x080484a8 <+75>:    lea    0x10(%esp),%eax
   0x080484ac <+79>:    mov    %eax,0x4(%esp)
   0x080484b0 <+83>:    movl   $0x8048574,(%esp)
   0x080484b7 <+90>:    call   0x8048310 <printf@plt>
   0x080484bc <+95>:    mov    $0x0,%eax
   0x080484c1 <+100>:   leave
   0x080484c2 <+101>:   ret

So I guess it's the and $0xfffffff0,%esp command that's causing the extra space, but why is that instruction necessary?

dippynark
  • What does `uname -a` show? What does `/etc/issue.net` have in it and what version of gcc is shown by `gcc --version`? Sounds like it might be alignment related, but depending on how old the Linux is it may just be the way your old compiler laid out the locals. – Michael Petch May 09 '17 at 08:01
  • I don't have access to a computer that I can install putty on or an internet connected Linux machine, I will look tonight – dippynark May 09 '17 at 08:03
  • uname -a: Linux melinda 4.9.15-x86_64-linode81 #1 SMP Fri Mar 17 09:47:36 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux – dippynark May 09 '17 at 08:06
  • gcc --version: gcc (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4 – dippynark May 09 '17 at 08:07
  • cat /etc/issue.net: This is the OverTheWire game server. More information on http://www.overthewire.org/wargames Please note that wargame usernames are no longer level, but wargamename e.g. vortex4, semtex2, ... Note: at this moment, blacksun is not available. – dippynark May 09 '17 at 08:08
  • Can you add `-S` to the _GCC_ command line and add to your question the output of the generated `.s` file? – Michael Petch May 09 '17 at 08:17
  • Stack canaries [are being used](http://stackoverflow.com/questions/10325713/why-does-this-memory-address-have-a-random-value). – Hans Passant May 09 '17 at 10:19
  • I agree they are being used in the output of `gcc -S narnia2.c` but the actual program you need to hack has been compiled with extra flags to remove the stack protection, I'm not sure exactly the command used as I didn't compile it, the compiled binary and source are provided for you on the box – dippynark May 09 '17 at 11:29
  • I'll change my question to make that more clear, as it isn't at the moment – dippynark May 09 '17 at 11:30
  • I have included the output of the main function from gdb so you can see the exact instructions being executed – dippynark May 09 '17 at 11:54
  • http://stackoverflow.com/a/1062143/371250 http://stackoverflow.com/questions/4175281/what-does-it-mean-to-align-the-stack – ninjalj May 09 '17 at 11:58
  • You can [override this behavior in _GCC_](https://gcc.gnu.org/onlinedocs/gcc-4.3.4/gcc/i386-and-x86_002d64-Options.html) by using `-mpreferred-stack-boundary=2` but be forewarned that calling into some _C_ library functions or external libraries (or anyone that calls them directly or indirectly) may fault because of alignment issues. – Michael Petch May 09 '17 at 16:08
  • `and $0xfffffff0,%esp` makes sure that the stack is 16-byte aligned per the i386 Linux System V ABI. That instruction effectively rounds _ESP_ down to the nearest 16-byte boundary. You'll see this instruction in the generation of `main` by GCC on i386 targets. The idea is that when you call another function, at the time of the call the stack needs to be on such a boundary – Michael Petch May 09 '17 at 16:19
  • Beautiful, thanks guys, all the stuff above has everything I wanted to know – dippynark May 09 '17 at 16:24
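The following is an added worked example, not code from the question or from any of the commenters. It models the frame arithmetic that the disassembly above performs (`push %ebp`, `mov %esp,%ebp`, `and $0xfffffff0,%esp`, `sub $0x90,%esp`, with `buf` at `0x10(%esp)`) on simulated 32-bit addresses, so it runs on any host without touching the real stack. The function name `model_frame`, the `struct frame` fields and the sample starting address `0xbffff7d0` are all constructed for this example. It shows why the gap is exactly 8 bytes when the caller obeys the ABI (ESP 16-byte aligned at the `call`), how the gap changes for other entry alignments, and what the layout would be if the `and` were absent, which is the 136-byte figure from the question (assuming GCC kept the same 0x90 frame, which it need not do with `-mpreferred-stack-boundary=2`).

```c
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the disassembly in the question. */
#define FRAME_SIZE 0x90u   /* sub $0x90,%esp            */
#define BUF_OFFSET 0x10u   /* lea 0x10(%esp),%eax       */
#define BUF_LEN    128u    /* char buf[128]             */

/* Simulated frame; every field is a 32-bit address or byte count,
 * none of it is read from the real stack. */
struct frame {
    uint32_t ret_slot;     /* slot holding main's return address            */
    uint32_t ebp;          /* %ebp after mov %esp,%ebp (saved-ebp slot)     */
    uint32_t esp;          /* %esp after the (optional) and and the sub     */
    uint32_t buf;          /* address of buf                                */
    uint32_t slack;        /* unused bytes between end of buf and saved ebp */
    uint32_t bytes_to_ret; /* bytes from buf up to and including ret_slot   */
};

/* esp_before_call: %esp when the caller executes `call main`.
 * align: 1 models the `and $0xfffffff0,%esp` instruction, 0 models its absence. */
struct frame model_frame(uint32_t esp_before_call, int align) {
    struct frame f;
    uint32_t esp = esp_before_call - 4;   /* call pushes the return address */
    f.ret_slot = esp;
    esp -= 4;                             /* push %ebp                      */
    f.ebp = esp;                          /* mov %esp,%ebp                  */
    if (align)
        esp &= 0xfffffff0u;               /* and $0xfffffff0,%esp           */
    esp -= FRAME_SIZE;                    /* sub $0x90,%esp                 */
    f.esp = esp;
    f.buf = esp + BUF_OFFSET;             /* lea 0x10(%esp),%eax            */
    f.slack = f.ebp - (f.buf + BUF_LEN);
    f.bytes_to_ret = (f.ret_slot + 4) - f.buf;
    return f;
}

/* Slack as a function of entry alignment only: (esp_before_call - 8) mod 16. */
uint32_t slack_for_entry(uint32_t esp_before_call) {
    return (esp_before_call - 8u) & 0xfu;
}

int main(void) {
    /* Constructed sample: an ABI-aligned caller, then the three misaligned cases. */
    const uint32_t base = 0xbffff7d0u;
    printf("%-12s %-8s %-5s %-12s\n", "esp@call", "and?", "slack", "bytes_to_ret");
    for (uint32_t off = 0; off < 16; off += 4) {
        struct frame a = model_frame(base + off, 1);
        printf("0x%08x   yes      %2u    %u\n", base + off, a.slack, a.bytes_to_ret);
    }
    struct frame n = model_frame(base, 0);
    printf("0x%08x   no       %2u    %u\n", base, n.slack, n.bytes_to_ret);
    return 0;
}
```

With an ABI-aligned caller the saved ebp sits at an address that is 8 mod 16, so rounding ESP down to the next 16-byte boundary leaves exactly 8 bytes of slack above the frame, and the distance from `buf` to the end of the return-address slot is 0x90 = 144 bytes, the figure in the question; without the `and` the same frame has no slack and the distance is 136. The slack is not a compiler choice about `buf` but a side effect of realigning ESP, which is why it depends only on the alignment ESP happened to have at the `call`.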
