
I'm trying to execute a function with a ROP attack using a buffer overflow.

MyCode:

    #include <stdio.h>
    #include <string.h>

    /* Never called by main: the goal is to reach it by overwriting main's return address. */
    void jumphere(){
        printf("SUCCESS!!");
    }

    int main(int argc, char** argv){
        char buffer [8];
        if (argc < 2)
            return 1;             /* avoid dereferencing a NULL argv[1] when run without arguments */
        strcpy(buffer, argv[1]);  /* no bounds check: a long argv[1] overflows the 8-byte buffer */

        printf("%s\n", buffer);

        return 0;
    }

The goal is to execute the jumphere function by giving a certain input.

At the end of the main function, when the ret instruction is executed, I figured out what $eip points to, and I overwrote that address with the jumphere function's address.

I succeeded in jumping to the jumphere function, but it didn't print "SUCCESS".

To find the reason, I wrote another simple program that prints a string.

SimpleCode:

    #include <stdio.h>
    #include <string.h>

    void printing(){
        printf("SUCCESS");   /* no newline: the text sits in stdout's buffer until exit flushes it */
    }

    int main(int argc, char** argv){
        printing();          /* normal call: control returns here when printing finishes */
        return 0;
    }

The difference between the two programs was this:

In SimpleCode, the instruction flow goes to the printing function just after call <printing>, and comes back to the main function when printing ends. The string was printed when the ret of main was executed.

But in MyCode, it goes to jumphere after the main function ends, and doesn't come back to main.

How can I solve this problem?

yoon
  • Depending on stack layout and what you have done exactly, the program might crash before it has a chance to flush output buffers. Append a newline to your string and see if that helps. – Jester Jun 13 '19 at 19:32
  • @Jester Wow........ Thanks Jester. IT WORKS. Could you tell me why a newline holds off the crash until the string is printed? How can "\n" do such a thing... – yoon Jun 13 '19 at 20:04
  • stdout is line-buffered by default, or full-buffered if not connected to a terminal. – Peter Cordes Jun 13 '19 at 20:16
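Jester's and Peter Cordes's comments describe the actual mechanism: stdio buffers what printf writes, and a process that dies abnormally never gets to the exit-time flush, so the text is lost. The C program below is an added example, not code from the question or the comments. It runs each buffering scenario in a child process whose stdout is a pipe, ends the child with _exit() to stand in for the crash that follows the hijacked return, and counts how many bytes the parent actually receives. The scenario names and the helper function are my own; the buffering mode is forced with setvbuf so the result does not depend on whether the program itself is started on a terminal.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Buffering scenarios for a string printed just before the process dies. */
enum scenario {
    LINEBUF_NO_NEWLINE,   /* terminal-style line buffering, "SUCCESS!!"   (the question) */
    LINEBUF_NEWLINE,      /* terminal-style line buffering, "SUCCESS!!\n" (Jester's fix)  */
    FULLBUF_NEWLINE,      /* pipe/file-style full buffering, "SUCCESS!!\n"                 */
    FULLBUF_FFLUSH        /* full buffering, "SUCCESS!!" followed by fflush(stdout)        */
};

/* Run one scenario in a child whose stdout is a pipe and return how many bytes
 * reached the parent. The child ends with _exit(), which, like a segfault after
 * a hijacked return, terminates without the exit-time stdio flush, so only data
 * already written to the file descriptor is counted. */
static long bytes_reaching_parent(enum scenario s)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;
    fflush(stdout);              /* don't let the child inherit pending parent output */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        switch (s) {
        case LINEBUF_NO_NEWLINE:
            setvbuf(stdout, NULL, _IOLBF, 0);
            printf("SUCCESS!!");           /* stays in the buffer */
            break;
        case LINEBUF_NEWLINE:
            setvbuf(stdout, NULL, _IOLBF, 0);
            printf("SUCCESS!!\n");         /* newline triggers the flush */
            break;
        case FULLBUF_NEWLINE:
            setvbuf(stdout, NULL, _IOFBF, 0);
            printf("SUCCESS!!\n");         /* newline means nothing here */
            break;
        case FULLBUF_FFLUSH:
            setvbuf(stdout, NULL, _IOFBF, 0);
            printf("SUCCESS!!");
            fflush(stdout);                /* explicit flush always works */
            break;
        }
        _exit(0);                /* abnormal-style exit: no stdio flush */
    }
    close(fd[1]);
    char buf[64];
    long total = 0;
    ssize_t n;
    while ((n = read(fd[0], buf, sizeof buf)) > 0)
        total += n;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return total;
}

int main(void)
{
    /* Collect every result before printing anything, so the parent's stdout
     * is still unused at fork time in each scenario. */
    long r0 = bytes_reaching_parent(LINEBUF_NO_NEWLINE);
    long r1 = bytes_reaching_parent(LINEBUF_NEWLINE);
    long r2 = bytes_reaching_parent(FULLBUF_NEWLINE);
    long r3 = bytes_reaching_parent(FULLBUF_FFLUSH);
    printf("line-buffered, no newline : %ld bytes\n", r0);
    printf("line-buffered, newline    : %ld bytes\n", r1);
    printf("full-buffered, newline    : %ld bytes\n", r2);
    printf("fflush before exit        : %ld bytes\n", r3);
    return 0;
}
```

The newline rescues the output only under line buffering, which is what stdio picks for a terminal; with stdout redirected to a pipe or file the stream is fully buffered and the newline alone changes nothing. When diagnosing any crash, the reliable way to see the last output is fflush(stdout) after the printf, or setvbuf(stdout, NULL, _IONBF, 0) at startup, rather than relying on line endings.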

0 Answers