Stack Overflow - EIP Overwrite Basics

By lionaneesh
This is an article on Stack Overflow - EIP Overwrite Basics in C.
EIP (Extended Instruction Pointer) is the register that holds the address of the next instruction to be executed... It simply points to the address at which that instruction is placed... So if we overwrite the value it gets loaded from (the return address saved on the stack), we change the control flow of the program and make it do what we want....

In other words, if we overwrite this we are the main controller of the program..

I suggest you also have a glance at Stack Overflows.

Eg :-

We have a tiny program that just calls the exit system call (eax = 1 is sys_exit, ebx = 7 is the exit status).

Its objdump would certainly be :-

Code:
08048060 <_start>:
 8048060:	31 c0                	xor    %eax,%eax
 8048062:	b0 01                	mov    $0x1,%al
 8048064:	31 db                	xor    %ebx,%ebx
 8048066:	b3 07                	mov    $0x7,%bl
 8048068:	cd 80                	int    $0x80
So when the program starts, EIP points to the _start label, that is 08048060..
As each instruction executes, EIP simply moves on to the address of the next one: 8048062, 8048064 and so on..
I hope this makes it clear...

A basic function stack will be

Code:
|Arguments to the function    |
|More data (local variables)  |
|EBP (saved frame pointer)    |
|EIP (saved return address)   |

So to overwrite the saved EIP we have to overwrite all the data that sits between our buffer and it on the stack (the rest of the locals and the saved EBP)...

Now that we know about EIP lets exploit...

Exploiting

In this article we'll be using another buggy program.. using the plain old strcpy() function, which does no bounds checking at all..

buggyProgram.c
Code:
#include<stdio.h>
#include<string.h> // Just for the sake of strcpy()

int main(int argc,char **argv)
{
	char userInput[10]; // only 10 bytes on the stack, right below the saved EBP/EIP

	if(argc != 2)
	{
		printf("Usage : %s userInput\n",argv[0]);
		return(0);
	}
	strcpy(userInput,argv[1]); // buggy function... no length check, argv[1] can be any size
}
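As an added example (not part of the original article), here is the same program with the unchecked strcpy() replaced by a bounded copy that refuses anything that does not fit in the 10-byte buffer; the names copy_user_input and overflow_bytes are mine, not the article's:

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

#define USER_INPUT_SIZE 10        /* same buffer size as buggyProgram.c */

/* Bounded replacement for strcpy(userInput, argv[1]).
 * Copies src into dst (dstsz bytes) only if it fits including the NUL.
 * Returns 0 on success, -1 if the input is too long (dst is then emptied).
 * strnlen() stops scanning at dstsz, so a huge argument costs nothing. */
int copy_user_input(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);
    if (n >= dstsz) {             /* no room left for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n characters plus the NUL */
    return 0;
}

/* Diagnostic: how many bytes past the end of a bufsz-byte buffer the
 * original strcpy(buf, src) would have written (0 when src fits).
 * 43 'A's into a 10-byte buffer gives 34, well past the saved EBP/EIP. */
size_t overflow_bytes(size_t bufsz, const char *src)
{
    size_t needed = strlen(src) + 1;   /* characters plus NUL */
    return needed > bufsz ? needed - bufsz : 0;
}

int main(int argc, char **argv)
{
    char userInput[USER_INPUT_SIZE];

    if (argc != 2) {
        printf("Usage : %s userInput\n", argv[0]);
        return 0;
    }
    if (copy_user_input(userInput, sizeof userInput, argv[1]) != 0) {
        fprintf(stderr, "input too long: at most %zu characters\n",
                sizeof userInput - 1);
        return 1;
    }
    printf("got: %s\n", userInput);
    return 0;
}
```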
Compiling :-
(Again we'll be using the -fno-stack-protector flag so that gcc's stack protector doesn't stop us (with it on, gcc puts a canary between userInput and the saved EBP and aborts with "*** stack smashing detected ***" before the function returns)... and we are using -ggdb so as to get a closer look at the program with GDB. On a 64-bit machine add -m32 to get the 32-bit layout and registers shown below.)

Code:
gcc buggyProgram.c -o buggyProgram -fno-stack-protector -ggdb
Now lets just test that the program runs as smoothly as it should...

Code:
aneesh@aneesh-laptop:~/articles/C$ ./buggyProgram 123
OK, so the program is fine!!

Now lets feed in some malicious string and see what happens...

Code:
aneesh@aneesh-laptop:~/articles/C$ ./buggyProgram AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
Woah!! We got a segmentation fault... Lets get a closer look at the program with GDB

Code:
aneesh@aneesh-laptop:~/articles/C$ gdb ./buggyProgram 
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/aneesh/articles/C/buggyProgram...done.
(gdb)
Now lets place a breakpoint at the beginning of the program and run it..

Code:
(gdb) break main
Breakpoint 1 at 0x804841d: file buggyProgram.c, line 8.
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/aneesh/articles/C/buggyProgram AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, main (argc=2, argv=0xbffff484) at buggyProgram.c:8
8		if(argc != 2)
(gdb)
Lets just step through the code and have a look at the registers...

Code:
(gdb) s
13		strcpy(userInput,argv[1]); // buggy function...
(gdb) s
14	}
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x0804845d in main (argc=Cannot access memory at address 0x41414149
) at buggyProgram.c:14
14	}
(gdb) i r
eax            0xbffff3c6	-1073744954
ecx            0x0	0
edx            0x61	97
ebx            0x283ff4	2637812
esp            0xbffff3dc	0xbffff3dc
ebp            0x41414141	0x41414141
esi            0x0	0
edi            0x0	0
eip            0x804845d	0x804845d <main+73>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb)
As we can see, we have overwritten the saved registers on the stack and that's why we were getting a segmentation fault...
EBP now holds 0x41414141 (four A's), and the saved EIP right above it on the stack got the same treatment. GDB can't even read argc any more, because it lives at ebp+8 = 0x41414149, an address the program has no access to, so the execution flow of the program can't continue...

I hope you understand how the program got the segmentation fault and why...

In my next article I'll be showing how this EIP overwrite can give us control over the program's execution...

That's all for this article .. stay tuned for more...
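As an added example (not from the article), the frame diagram from the first part of this article (buffer, saved EBP, saved EIP) modelled as a plain struct so the effect of the over-long copy can be observed without touching the real stack, plus the canary slot that the -fno-stack-protector flag told gcc not to insert; struct frame, frame_init, unchecked_copy, canary_intact and the sample EBP/EIP values are mine:

```c
#include <stdint.h>
#include <string.h>

/* The frame layout from the diagram, lowest address first: the 10-byte
 * buffer, then the saved EBP and saved EIP that strcpy() runs into.
 * The canary slot models what gcc's -fstack-protector inserts; the
 * article compiled with -fno-stack-protector, so it was absent there. */
struct frame {
    char     userInput[10];  /* the buffer from buggyProgram.c */
    uint8_t  pad[2];         /* alignment padding, as a compiler would add */
    uint32_t canary;         /* stack-protector guard (absent in the article) */
    uint32_t saved_ebp;      /* caller's EBP, pushed by the prologue */
    uint32_t saved_eip;      /* return address, pushed by the call */
};

#define CANARY_VALUE 0x2f8a1c00u /* constructed; real guards are random per process */

/* Leave the frame as main()'s prologue would; ebp and eip are sample values. */
void frame_init(struct frame *f, uint32_t ebp, uint32_t eip)
{
    memset(f, 0, sizeof *f);
    f->canary    = CANARY_VALUE;
    f->saved_ebp = ebp;
    f->saved_eip = eip;
}

/* Model of strcpy(f->userInput, src): copies the string plus its NUL with
 * no regard for the 10-byte buffer. The copy is clamped to the struct so
 * the model itself stays in bounds. Returns how many bytes src would have
 * written past the end of userInput (0 when it fits). */
size_t unchecked_copy(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    size_t over = n > sizeof f->userInput ? n - sizeof f->userInput : 0;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(f, src, n);
    return over;
}

/* The check the stack protector's epilogue performs right before
 * 'leave; ret': 1 if the guard is untouched, 0 if the frame was smashed,
 * in which case the program aborts instead of returning into garbage. */
int canary_intact(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}
```

With a string of A's long enough to pass the buffer, saved_ebp reads back as 0x41414141, exactly the value the register dump above shows in ebp, and the canary check fails before the function ever gets to ret.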
lionaneesh (Join Date: Mar 2010):
Thanks for accepting my article...

And Guys .... Stay tuned...
I have already posted my next article and it will be coming up in 1-2 days...