19

I'm attempting to write a simple buffer overflow using C on Mac OS X 10.6 64-bit. Here's the concept:

void function() {
    char buffer[64];
    buffer[offset] += 7;    // i'm not sure how large offset needs to be, or if
                            // 7 is correct.
}

int main() {

    int x = 0;
    function();
    x += 1;
    printf("%d\n", x);      // the idea is to modify the return address so that
                            // the x += 1 expression is not executed and 0 gets
                            // printed

    return 0;
}

Here's part of main's assembler dump:

...
0x0000000100000ebe <main+30>:   callq  0x100000e30 <function>
0x0000000100000ec3 <main+35>:   movl   $0x1,-0x8(%rbp)
0x0000000100000eca <main+42>:   mov    -0x8(%rbp),%esi
0x0000000100000ecd <main+45>:   xor    %al,%al
0x0000000100000ecf <main+47>:   lea    0x56(%rip),%rdi        # 0x100000f2c
0x0000000100000ed6 <main+54>:   callq  0x100000ef4 <dyld_stub_printf>
...

I want to jump over the movl instruction, which would mean I'd need to increment the return address by 42 - 35 = 7 (correct?). Now I need to know where the return address is stored so I can calculate the correct offset.

I have tried searching for the correct value manually, but either 1 gets printed or I get abort trap – is there maybe some kind of buffer overflow protection going on?

Using an offset of 88 works on my machine. I used Nemo's approach of finding out the return address.

Bill the Lizard
  • 398,270
  • 210
  • 566
  • 880
ryyst
  • 9,563
  • 18
  • 70
  • 97
  • You might get garbage in you registers in the main function if your stack doesn't get cleaned up and saved registers restored. Who is responsible for this is determined by the function calling conventions that are used by your compiler. http://en.wikipedia.org/wiki/X86_calling_conventions – x4u Jun 02 '11 at 20:59
  • should you tag this as homework or something? you might not want people to think you're doing this for purposes other than learning. – filipe Jun 02 '11 at 21:51
  • 1
    @filipe: Did so, I hadn't done so originally since this is really basic (you learn it in the first year of university). – ryyst Jun 02 '11 at 22:36

5 Answers5

13

This 32-bit example illustrates how you can figure it out, see below for 64-bit:

#include <stdio.h>

void function() {
    char buffer[64];
    char *p;
    asm("lea 4(%%ebp),%0" : "=r" (p));  // loads address of return address
    printf("%d\n", p - buffer);         // computes offset
    buffer[p - buffer] += 9;            // 9 from disassembling main
}

int main() {
    volatile int x = 7;
    function();
    x++;
    printf("x = %d\n", x); // prints 7, not 8
}

On my system the offset is 76. That's the 64 bytes of the buffer (remember, the stack grows down, so the start of the buffer is far from the return address) plus whatever other detritus is in between.

Obviously if you are attacking an existing program you can't expect it to compute the answer for you, but I think this illustrates the principle.

(Also, we are lucky that +9 does not carry out into another byte. Otherwise the single byte increment would not set the return address how we expected. This example may break if you get unlucky with the return address within main)

I overlooked the 64-bitness of the original question somehow. The equivalent for x86-64 is 8(%rbp) because pointers are 8 bytes long. In that case my test build happens to produce an offset of 104. In the code above substitute 8(%%rbp) using the double %% to get a single % in the output assembly. This is described in this ABI document. Search for 8(%rbp).

There is a complaint in the comments that 4(%ebp) is just as magic as 76 or any other arbitrary number. In fact the meaning of the register %ebp (also called the "frame pointer") and its relationship to the location of the return address on the stack is standardized. One illustration I quickly Googled is here. That article uses the terminology "base pointer". If you wanted to exploit buffer overflows on other architectures it would require similarly detailed knowledge of the calling conventions of that CPU.

Ben Jackson
  • 90,079
  • 9
  • 98
  • 150
  • 1
    That's added another magic number into the mix :-) Explaining why it's `4(%%ebp)` rather than `42(%%ebp)` would be useful! – Roddy Jun 02 '11 at 21:17
  • @Ben. I was surprised that it's 4 as I thought a 64-bit OS would need 8...? – Roddy Jun 02 '11 at 21:40
  • x86_64 GCC omits the frame pointer by default (and just uses offsets from the stack pointer), so this will not work. – Nemo Jun 02 '11 at 22:14
  • Certainly not *by default* since I used GCC and it worked fine. But if you turn up the optimizations it will. My answer was attempting to lead the questioner toward greater understanding that would help him answer his own question. However he accepted another answer with a comment that he tried some random values until something worked. – Ben Jackson Jun 02 '11 at 23:23
  • @Ben Jackson: I just tried your solution (since it's obviously better than just trying random values until something works) and, I get an offset of 104. Apparently both 88 and 104 work as offsets. Have you got any explanation for this? – ryyst Jun 03 '11 at 11:14
  • 1
    @ryyst: When you construct an overflow attack against a function it is going to be specific to an exact compiled version. The value that work against *my* `function()` will likely be different than the one that works against the `function()` in your question. If you move `char *p` in mine above `char buffer` it will probably change again. Take a look at this explanation of *activation records*: http://en.wikipedia.org/wiki/Call_stack – Ben Jackson Jun 03 '11 at 16:34
  • @Ben Jackson: Oh yes, obviously! Thanks! – ryyst Jun 03 '11 at 16:43
4

Roddy is right that you need to operate on pointer-sized values.

I would start by reading values in your exploit function (and printing them) rather than writing them. As you crawl past the end of your array, you should start to see values from the stack. Before long you should find the return address and be able to line it up with your disassembler dump.

Nemo
  • 70,042
  • 10
  • 116
  • 153
1

Disassemble function() and see what it looks like.

Offset needs to be negative positive, maybe 64+8, as it's a 64-bit address. Also, you should do the '+7' on a pointer-sized object, not on a char. Otherwise if the two addresses cross a 256-byte boundary you will have exploited your exploit....

Roddy
  • 66,617
  • 42
  • 165
  • 277
  • No, not negative. Since the stack grows down, he'll start clobbering stack data once he goes over the high end of buffer. – Dave Rager Jun 02 '11 at 20:59
  • I do not think offset needs to be negative... On x86, the stack grows down. – Nemo Jun 02 '11 at 21:00
0

You might try running your code in a debugger, stepping each assembly line at a time, and examining the stack's memory space as well as registers.

mah
  • 39,056
  • 9
  • 76
  • 93
0

I always like to operate on nice data types, like this one:

struct stackframe {
    char *sf_bp;
    char *sf_return_address;
};

void function() {
    /* the following code is dirty. */
    char *dummy;
    dummy = (char *)&dummy;
    struct stackframe *stackframe = dummy + 24; /* try multiples of 4 here. */

    /* here starts the beautiful code. */    
    stackframe->sf_return_address += 7;
}

Using this code, you can easily check with the debugger whether the value in stackframe->sf_return_address matches your expectations.

Roland Illig
  • 40,703
  • 10
  • 88
  • 121