Buffer overflow is still feseable?

StackOverflow https://stackoverflow.com/questions/18491704

Question

in these days I'm studying the buffer overflow technique and I'm trying to make a simple example on my own in order to better understand how to exploit such a vulnerability.

I've wrote this simple c program :

//bof.c    
#include <stdio.h>
#include <string.h>

void
BOF() {
   printf("BOF");
}

void
foo1(char* argv){
  char buff[10];
  strcpy(buff, argv);  
  printf("foo1");
}

int
main(int argc, char* argv[])
{

  if ( argc < 1 ) {
    return 0;
  }
  foo1(argv[1]);
  return 0;
}

My goal here is to leverage the BOF vulnerability, in order to jump to the uncalled function BOF(), printing thus the message. In order to do so I have:

  • compiled the program: gcc -ggdb -m64 -o bof.o -fno-stack-protector -mpreferred-stack-boundary=4 bof.c
  • discovered the BOF() address: objdump -d bof.o | grep BOF (which gives me 0000000000400544)
  • executed the program within gdb in order to see what happen in the registers

Inside gdb I do: r perl -e 'print "\x44\x05\x40\x00\x00\x00\x00\x00" x1500', but nothing happens. The program ends normally. So I put a breakpoint immediately after the strcpy function in order to look at the register, and what I receive is:

rax            0x7ffffffeca20   140737488276000
rbx            0x0  0
rcx            0x7ffff7ab1f00   140737348574976
rdx            0x400544 4195652
rsi            0x7fffffffb8cd   140737488337101
rdi            0x7ffffffeca20   140737488276000
rbp            0x7ffffffeca30   0x7ffffffeca30
rsp            0x7ffffffeca10   0x7ffffffeca10
r8             0x400660 4195936
r9             0x7ffff7de9740   140737351948096
r10            0x7ffffffec7a0   140737488275360
r11            0x7ffff7b8fec0   140737349484224
r12            0x400460 4195424
r13            0x7ffffffecb30   140737488276272
r14            0x0  0
r15            0x0  0
rip            0x40057b 0x40057b <foo1+31>
eflags         0x206    [ PF IF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0

Why the registers are not being overwritten? I tried to change the 1500 parameter in a more big value, but nothing changed. I also tried with little values (like 50 or less), but I got the same result.

I also tried to write in the stack something different than an address, just to see whether the register were being overwritten or not. For example with perl -e 'print "A" x1500', I was able only to modify the rbp register and not the rip. But I found by reading a thread on this site, that on gdb this may happen, and to try with a valid address. So I did.

What I'm doing wrong? Is it possible that BOF is not more feasible in nowadays kernels?

Before I forget: I also removed the gdb limit elements in order to remove the elements limit, with: set print elements 0

Finally, like have you maybe figured out looking at the registers, I have a 64 bit machine with ubuntu 12.04 (kernel version 3.5.0-39-generic).

Thanks in advance.

Was it helpful?

Solution

There are security in the kernet that avoid basic buffer overflow.

You can try damn vulnerable linux to pratice buffer overflow

Or you can disable these protections on your pc look at that

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top