Stack Overflow Exploit in C
The question is actually about stack overflows in C. I have an assignment that I can not get done for the life of me, I've looked at everything in the gdb and I just can't figure it.

The question is the following:

```c
#include <stdio.h>
#include <stdlib.h>

int i, n;

void confused() {
    printf("who called me");
    exit(0);
}

void shell_call(char *c) {
    printf(" ***Now calling \"%s\" shell command *** \n", c);
    system(c);
    exit(0);
}

void victim_func() {
    int a[4];
    printf("[8]:%x\n", &a[8]);        /* prints an address two slots past the end of a */
    printf("Enter n: ");
    scanf("%d", &n);
    printf("Enter %d HEX Values \n", n);
    for (i = 0; i < n; i++)           /* n is never checked against 4: writes past a[3] */
        scanf("%x", &a[i]);
    printf("Done reading junk numbers\n");
}

int main() {
    printf("ls=736c --- ps = 7370 --- cal = 6c6163\n");
    printf("location of confused %x \n", confused);
    printf("location of shell_call %x \n", shell_call);
    victim_func();
    printf("Done, thank you\n");
}
```

Ok, so I managed to get the first question correctly, which is to arbitrarily call one of the two functions not explicitly called in the main path. By the way, this has to be done while running the program without any modifications. I did this by running the program, setting `N` to `7`, which gets me to the Function Pointer of the `victim_func` frame, I write `a[7]` with the memory address of confused or `shell_call`, and it works. (I have a 64 bit machine, that's why I have to get it to 7, since the EBI pointer is 2 ints wide, instead of 1)

My question is the following, how could I control which argument gets passed to the `shell_code` function? i.e. how do I write a `string` to `char* c`. The whole point is executing unix commands like **ps** etc, by running only the program.

I figured writing the EBI pointer with the hex representation of **ps** and setting the arg list of `shell_call` to that, but that didn't work. I also tried inputting `argsv` arguments and setting the arg list of `shell_call` to the `arg_list` of main, but didn't work either.

I think the second version should work, but I believe I'm not setting the arg list of the new stack frame correctly (I did it by writing `a[8]` to `0`, since it's the first part of the function pointer, and writing `a[9]=736c` and `a[10]=0000`, but it's probably not right since those are the parameters of `victim_func`). So how do I access the parameters of `shell_call`?
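The hardened counterpart to the reading loop in `victim_func`, added here as an example and not part of the question or the assignment: it validates `n` against the array capacity before any write, which is the missing check that lets `a[7]` and beyond reach the saved frame data. The names `read_hex_values`, `victim_func_safe` and `hex_value_at` and the sample inputs are my own constructions; input is parsed from an in-memory string so the code runs offline.

```c
/* Added example: bounds-checked replacement for the scanf loop in
 * victim_func. Parses "n v1 v2 ... vn" (hex values) from a buffer. */
#include <stdio.h>
#include <stdlib.h>

#define CAP 4  /* same capacity as int a[4] in the question */

/* Store up to cap values into out. Returns the count stored, or -1 if
 * n is negative, exceeds cap, or fewer than n values are present.
 * The original loop trusted n and wrote a[i] for i >= 4. */
int read_hex_values(const char *input, unsigned int *out, size_t cap)
{
    char *end;
    long n = strtol(input, &end, 10);
    if (end == input || n < 0 || (size_t)n > cap)
        return -1;              /* reject before touching the array */
    const char *p = end;
    for (long i = 0; i < n; i++) {
        unsigned long v = strtoul(p, &end, 16);
        if (end == p)
            return -1;          /* fewer values than promised */
        out[i] = (unsigned int)v;
        p = end;
    }
    return (int)n;
}

/* Mirrors victim_func with a fixed array; returns the count or -1. */
int victim_func_safe(const char *input)
{
    unsigned int a[CAP] = {0};
    return read_hex_values(input, a, CAP);
}

/* Returns out[idx] after a successful parse, 0 on failure or out of
 * range; lets a caller observe what was actually stored. */
unsigned int hex_value_at(const char *input, size_t idx)
{
    unsigned int a[CAP] = {0};
    int n = read_hex_values(input, a, CAP);
    if (n < 0 || idx >= (size_t)n)
        return 0;
    return a[idx];
}
```

With this check in place an `n` of 7 is refused outright, so no value ever lands in the slots the question uses to redirect control flow.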