1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Stack Overflow - EIP Overwrite Basics

Discussion in 'C' started by lionaneesh, Feb 9, 2011.

  1. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    EIP ( Extended Instruction Pointer ) is a register that points to the next instruction...It simply points to the address in which that instruction is placed...So if we overwrite this we can change the direction flow of the program and make it do what we want....

    In other words if we overwrite this we are the main controller of the program..

    I suggest you to also have a glance at Stack Overflows.

    Eg :-

    We have a program exit

    Its objdum would certainly will be :-

    Code:
    08048060 <_start>:
    
     8048060:	31 c0                	xor    %eax,%eax
    
     8048062:	b0 01                	mov    $0x1,%al
    
     8048064:	31 db                	xor    %ebx,%ebx
    
     8048066:	b3 07                	mov    $0x7,%bl
    
     8048068:	cd 80                	int    $0x80
    
    
    So when the program starts the EIP will be pointing to the start lable..That is 08048060..
    As we move down the line...The EIP Simple points to the next instruction..
    I hope this makes it clear...

    A basic function stack will be

    Code:
    |Arguments to the function      |
    |More data		        |
    |EBP			        |
    |EIP			        |
    

    So as to overwrite EIP we have to overwrite all the data present on the stack before it...

    Now that we know about EIP lets exploit...

    Exploiting



    In this article we'll be using another buggy program.. Using a simple depriciated strcpy() function..

    buggyProgram.c
    Code:
    #include<stdio.h>
    
    #include<string.h> // Just for the sake of strcpy()
    
    
    
    int main(int argc,char **argv)
    
    {
    
    	char userInput[10];
    
    
    
    	if(argc != 2)
    
    	{
    
    		printf("Usage : %s userInput\n",argv[0]);
    
    		return(0);
    
    	}
    
    	strcpy(userInput,argv[1]); // buggy function...
    
    }
    
    
    Compiling :-
    (Again we'll be using no-stack-protector flag so that the kernel does'nt stop us... and we are using -ggdb so as to get a closer look of the program with GDB)

    Code:
    gcc buggyProgram.c  -o buggyProgram -fno-stack-protector
     -ggdb
    
    Now lets just test the program that's everything is going as smooth as it should...

    Code:
    aneesh@aneesh-laptop:~/articles/C$ ./buggyProgram 123
    
    
    Ok , So program is Ok!!

    Now lets feed in some malicious string and see what happens...

    Code:
    aneesh@aneesh-laptop:~/articles/C$ ./buggyProgram AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    
    Segmentation fault
    
    
    Woah!! We got a segmentation fault...Lets get a closer look of program with GDB

    Code:
    aneesh@aneesh-laptop:~/articles/C$ gdb ./buggyProgram 
    
    GNU gdb (GDB) 7.1-ubuntu
    
    Copyright (C) 2010 Free Software Foundation, Inc.
    
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    
    This is free software: you are free to change and redistribute it.
    aneesh@aneesh-laptop:~/articles/C$ gdb ./buggyProgram 
    
    GNU gdb (GDB) 7.1-ubuntu
    
    Copyright (C) 2010 Free Software Foundation, Inc.
    
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    
    This is free software: you are free to change and redistribute it.
    
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    
    and "show warranty" for details.
    
    This GDB was configured as "i486-linux-gnu".
    
    For bug reporting instructions, please see:
    
    <http://www.gnu.org/software/gdb/bugs/>...
    
    Reading symbols from /home/aneesh/articles/C/buggyProgram...done.
    
    (gdb) 
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    
    and "show warranty" for details.
    
    This GDB was configured as "i486-linux-gnu".
    
    For bug reporting instructions, please see:
    
    <http://www.gnu.org/software/gdb/bugs/>...
    
    Reading symbols from /home/aneesh/articles/C/buggyProgram...done.
    
    (gdb) 
    
    Now lets place a breakpoint at the beginning if the program and run the program..

    Code:
    (gdb) break main
    
    Breakpoint 1 at 0x804841d: file buggyProgram.c, line 8.
    
    (gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    
    Starting program: /home/aneesh/articles/C/buggyProgram AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    
    
    
    Breakpoint 1, main (argc=2, argv=0xbffff484) at buggyProgram.c:8
    
    8		if(argc != 2)
    
    (gdb) 
    
    
    Lets just step down the code and have a look at the registers...

    Code:
    (gdb) s
    
    13		strcpy(userInput,argv[1]); // buggy function...
    
    (gdb) s
    
    14	}
    (gdb) s
    
    
    
    Program received signal SIGSEGV, Segmentation fault.
    
    0x0804845d in main (argc=Cannot access memory at address 0x41414149
    
    ) at buggyProgram.c:14
    
    14	}
    
    (gdb) i r
    
    eax            0xbffff3c6	-1073744954
    
    ecx            0x0	0
    
    edx            0x61	97
    
    ebx            0x283ff4	2637812
    
    esp            0xbffff3dc	0xbffff3dc
    
    ebp            0x41414141	0x41414141
    
    esi            0x0	0
    
    edi            0x0	0
    
    eip            0x804845d	0x804845d <main+73>
    
    eflags         0x10246	[ PF ZF IF RF ]
    
    cs             0x73	115
    
    ss             0x7b	123
    
    ds             0x7b	123
    
    es             0x7b	123
    
    fs             0x0	0
    
    gs             0x33	51
    
    (gdb)
    
    
    As we can see we overwritten the EIP and thats why we were getting a segmentation fault...
    This is because the EIP was over written with 3 A's and thus , we could'nt continue the execution flow of the program as 0x41414149 is a address the program not has access to...

    I hope you understand how the program got the secmentation fault and why...

    In my next article i'll be showng how this EIP overwrite can give us the remote of program execution...

    Thats all for this article .. stay tuned for more...
     
  2. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    Thanks for accepting my article...

    And Guyz .... Stay tuned...
    I have already posted my next article and it will be coming up in 1-2 days...
     
  3. alvisnally

    alvisnally New Member

    Joined:
    May 18, 2011
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    0
    Operator overloading is often a not-understand affection that accredit both array-like behaviour, pointer like operations and build-in-like operations. C++ programmers prefer to avoid pointers because of the bugs that can be introduced.
     

Share This Page