
Here is an array that I was given:

  char overflow[16]="\xEF\xBE\xAD\xDE\xEF\xBE\xAD\xDE"
                    "\xEF\xBE\xAD\xDE\xEF\xBE\xAD\xDE";

and here is the address: "0x1234B000"

How do I edit the array above to overflow and change the return address to the new address above?

Nick S
vortix
  • What is the return address? Modify something like: `*(char *)(0x1234B000 + offset) = new_value`. – Fiddling Bits Oct 15 '18 at 21:14
  • Sorry, but I don't understand what you mean. 0x1234B000 is the location at the start of another array. Whatever the return address is, I need to overwrite it with 0x1234B000 so that the return would run an exploit that is already loaded at the start of a different array. – vortix Oct 15 '18 at 21:49
  • We can't possibly know the contents of `overflow` because you haven't given us enough information. – Fiddling Bits Oct 15 '18 at 22:38
  • @FiddlingBits I wasn't given anything else, but why does it matter in this case? The `overflow` size is 16. I'm just looking for a way to go above it in the stack and overwrite the return address stored above it with a different address. – vortix Oct 15 '18 at 23:13

1 Answer

It really depends on what's on the stack, which determines how many bytes you have to overwrite at a minimum. Function params and local variables will be in the way of the stack pointer, which is what you're trying to overwrite, correct? I would say overflow it with 1k of the same repeating byte pattern and step with gdb or some other debugger to get a stack trace.

Ex. 1 (you need to write past the array, sizeof(int) bytes, to get to the stack pointer):

  void testFunction(int arg0){
    char overflow[16] = {0};
    char HUGE_ARRAY[10000] = {0}; // what does the stack look like in this case? This giant block of memory should be on the stack AFTER your target array
    // do something that allows the user to overflow the overflow array for w/e reason
  }

Ex. 2 (you need to write past the array, sizeof(int) bytes + 10000 bytes, to get to the stack pointer):

  void testFunction(int arg0){
    char HUGE_ARRAY[10000] = {0}; // what does the stack look like in this case? This giant block of memory should be on the stack BEFORE your target array.
    char overflow[16] = {0};
    // do something that allows the user to overflow the overflow array for w/e reason
  }

If you know the target environment (sizeof int is known, for example), the number and type of function params, and the number and type of local variables popped on the stack when you enter the function whose stack pointer you're trying to overwrite, then you can theoretically write the exact bytes of the function's stack pointer.

Alternatively, you can figure this out by writing 0x00 values past the overflow buffer and increasing the distance PAST the 16 bytes every time, until you segfault. Once you segfault you have found the function's stack pointer.

In general, the stack grows by popping on the following things in the following order: return address-> function params-> locals.

In your case, you can probably test it by writing more bytes than you need. (This will work as long as <4k was allocated to this function's stack prior to overflow being popped on the stack.)

  int offset;
  for (offset = 0; offset < 1000; offset++){
    // deliberately writes past the end of overflow on every iteration (undefined behaviour), as described above
    *(int *)(overflow + 4 + offset) = 0x1234B000;
  }

GL.

Bwebb
  • It's on main and there is a buffer[1024], char nop=0x90, int i, int n and int offset. – vortix Oct 16 '18 at 02:01
  • I'm a bit confused on how to change the address we are overflowing to the address we want. If the return address is overflow[19], overflow[19] = "0x1234B000" doesn't work. I can't seem to find a way to do that. – vortix Oct 16 '18 at 02:11
  • https://stackoverflow.com/questions/35932142/first-experiments-with-buffer-overflow?rq=1 Can you try this on a different function, or are you not allowed to change the source? https://stackoverflow.com/questions/204476/what-should-main-return-in-c-and-c – Bwebb Oct 16 '18 at 03:53
  • I'm sure you have looked around, but maybe this will be helpful: https://stackoverflow.com/questions/36302917/exploit-a-buffer-overflow?rq=1 – Bwebb Oct 16 '18 at 04:30
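As an added example (not code from the question or the answer), the following C program models the point the answer makes about what sits past the 16-byte buffer. Instead of real stack locals, whose order the compiler chooses, it uses a struct (`frame_model`, a name chosen here) so that the layout is defined: a 16-byte `overflow` buffer followed by a 32-bit `saved_value` that stands in for whatever the program relies on next. It contrasts an unchecked copy, which lets bytes 16 and beyond land in the neighbouring field, with a length-checked copy that rejects oversized input, and shows a canary-style integrity check a caller can run afterwards. The 20-byte input is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the layout discussed above: the buffer and, right
   after it, a value the program depends on (in a real frame this would be
   a saved register or the return address). Using one struct keeps every
   write inside a single object, so the model itself stays well defined. */
struct frame_model {
    char overflow[16];
    uint32_t saved_value;   /* whatever the compiler placed right after the buffer */
};

#define SAVED_SENTINEL 0xCAFEF00Du   /* constructed marker value */

/* The buggy pattern: copy n bytes with no bounds check. Anything beyond
   16 bytes spills into saved_value. Returns 1 if saved_value was clobbered.
   The copy is clamped to the struct size so this model never writes
   outside its own object. */
int copy_unchecked(struct frame_model *f, const char *src, size_t n) {
    f->saved_value = SAVED_SENTINEL;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
    return f->saved_value != SAVED_SENTINEL;
}

/* Hardened form: refuse anything that does not fit together with its
   terminator. Returns 0 on success, -1 if the input was rejected;
   saved_value is left untouched either way. */
int copy_checked(struct frame_model *f, const char *src, size_t n) {
    f->saved_value = SAVED_SENTINEL;
    if (n >= sizeof f->overflow) return -1;
    memcpy(f->overflow, src, n);
    f->overflow[n] = '\0';
    return 0;
}

/* Canary-style check: returns 1 when the neighbouring value is intact. */
int saved_intact(const struct frame_model *f) {
    return f->saved_value == SAVED_SENTINEL;
}

int main(void) {
    struct frame_model f;
    char input[20];
    memset(input, 'A', sizeof input);   /* constructed 20-byte input, no NUL */

    int clobbered = copy_unchecked(&f, input, sizeof input);
    printf("unchecked copy clobbered neighbour: %d (saved_value=0x%08x)\n",
           clobbered, (unsigned)f.saved_value);

    int rc = copy_checked(&f, input, sizeof input);
    printf("checked copy result: %d, neighbour intact: %d\n",
           rc, saved_intact(&f));
    return 0;
}
```

The struct is only a model: the distance from a real local buffer to the saved return address depends on the compiler, optimisation level and other locals, which is exactly why the answer suggests inspecting the frame in a debugger rather than guessing. The defensive takeaway is the same either way: the length check in `copy_checked` removes the write past the buffer entirely, and a sentinel after the buffer is a cheap way to detect a copy that was not bounded.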