Go4Expert (http://www.go4expert.com/)

lionaneesh 9Feb2011 21:30

Stack Overflow - EIP Overwrite Basics
 
EIP (Extended Instruction Pointer) is a register that points to the next instruction... It simply points to the address at which that instruction is placed... So if we overwrite this we can change the flow of the program and make it do what we want....

In other words, if we overwrite this we are the main controller of the program..

I suggest you to also have a glance at Stack Overflows.

Eg :-

We have a program, exit.

Its objdump would certainly be :-

Code:

08048060 <_start>:
 8048060:        31 c0                        xor    %eax,%eax
 8048062:        b0 01                        mov    $0x1,%al
 8048064:        31 db                        xor    %ebx,%ebx
 8048066:        b3 07                        mov    $0x7,%bl
 8048068:        cd 80                        int    $0x80

So when the program starts, EIP will be pointing to the _start label.. That is 08048060..
As we move down the lines... EIP simply points to the next instruction..
I hope this makes it clear...

A basic function stack will be

Code:

|Arguments to the function |
|More data                 |
|EBP                       |
|EIP                       |


So to overwrite EIP we have to overwrite all the data present on the stack before it...

Now that we know about EIP, let's exploit...

Exploiting

In this article we'll be using another buggy program.. using the simple, deprecated strcpy() function..

buggyProgram.c
Code:

#include<stdio.h>
#include<string.h> // Just for the sake of strcpy()

int main(int argc,char **argv)
{
        char userInput[10]; // 10-byte buffer on the stack
        // nothing checks that argv[1] fits in it before the copy below
        if(argc != 2)
        {
                printf("Usage : %s userInput\n",argv[0]);
                return(0);
        }
        strcpy(userInput,argv[1]); // buggy function...
}

Compiling :-
(Again we'll be using the -fno-stack-protector flag so that the kernel doesn't stop us... and we are using -ggdb so as to get a closer look at the program with GDB)

Code:

gcc buggyProgram.c -o buggyProgram -fno-stack-protector -ggdb

Now let's just test the program to check that everything is going as smoothly as it should...

Code:

aneesh@aneesh-laptop:~/articles/C$ ./buggyProgram 123

OK, so the program is OK!!

Now let's feed in a malicious string and see what happens...

Code:

aneesh@aneesh-laptop:~/articles/C$ ./buggyProgram AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

Whoa!! We got a segmentation fault... Let's get a closer look at the program with GDB

Code:

aneesh@aneesh-laptop:~/articles/C$ gdb ./buggyProgram
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/aneesh/articles/C/buggyProgram...done.
(gdb)

Now let's place a breakpoint at the beginning of the program and run it..

Code:

(gdb) break main
Breakpoint 1 at 0x804841d: file buggyProgram.c, line 8.
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/aneesh/articles/C/buggyProgram AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, main (argc=2, argv=0xbffff484) at buggyProgram.c:8
8                if(argc != 2)
(gdb)

Let's just step through the code and have a look at the registers...

Code:

(gdb) s
13                strcpy(userInput,argv[1]); // buggy function...
(gdb) s
14        }
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x0804845d in main (argc=Cannot access memory at address 0x41414149
) at buggyProgram.c:14
14        }
(gdb) i r
eax            0xbffff3c6        -1073744954
ecx            0x0        0
edx            0x61        97
ebx            0x283ff4        2637812
esp            0xbffff3dc        0xbffff3dc
ebp            0x41414141        0x41414141
esi            0x0        0
edi            0x0        0
eip            0x804845d        0x804845d <main+73>
eflags        0x10246        [ PF ZF IF RF ]
cs            0x73        115
ss            0x7b        123
ds            0x7b        123
es            0x7b        123
fs            0x0        0
gs            0x33        51
(gdb)

As we can see we overwrote the EIP and that's why we were getting a segmentation fault...
This is because the EIP was overwritten with 3 A's and thus we couldn't continue the execution flow of the program, as 0x41414149 is an address the program does not have access to...

I hope you understand how the program got the segmentation fault and why...

In my next article I'll be showing how this EIP overwrite can give us the remote control of program execution...

That's all for this article.. stay tuned for more...
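Editor's added example, not code from the post above: the same program with the unchecked strcpy() replaced by a bounded copy that refuses input that does not fit, plus a helper that computes how far an unchecked copy would spill past the buffer. copy_user_input() and overflow_bytes() are hypothetical names introduced for this example.

```c
#include <stdio.h>
#include <string.h>

/* Editor's added example (not the post's code): the buggy program with the
 * unchecked strcpy() replaced by a bounded copy.  copy_user_input() and
 * overflow_bytes() are hypothetical names introduced for this example. */

/* Copy src into dst only if it fits, including the terminating NUL.
 * Returns 0 on success and -1 if the input was too long, in which case
 * nothing at all is written to dst. */
int copy_user_input(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    len = strlen(src);
    if (len >= dst_size)            /* no room for len bytes plus the NUL */
        return -1;

    memcpy(dst, src, len + 1);      /* bounded: at most dst_size bytes */
    return 0;
}

/* How many bytes an unchecked strcpy() of an input_len-byte string writes
 * past a buffer of buffer_size bytes (0 if it fits).  strcpy() copies the
 * NUL too, so the post's 43 A's write 44 bytes into a 10-byte buffer. */
size_t overflow_bytes(size_t input_len, size_t buffer_size)
{
    size_t written = input_len + 1;
    return written > buffer_size ? written - buffer_size : 0;
}

int main(int argc, char **argv)
{
    char userInput[10];             /* same 10-byte buffer as the post */

    if (argc != 2) {
        printf("Usage : %s userInput\n", argv[0]);
        return 0;
    }

    if (copy_user_input(userInput, sizeof userInput, argv[1]) != 0) {
        fprintf(stderr, "input too long: %zu byte(s) would spill past the buffer\n",
                overflow_bytes(strlen(argv[1]), sizeof userInput));
        return 1;
    }
    printf("copied: %s\n", userInput);
    return 0;
}
```

Run it with the post's 43-A argument and it reports the 34 spilled bytes instead of crashing. The length check has to live in the program itself: a stack canary (what -fno-stack-protector switched off) only detects the overwrite after it has happened, it does not prevent it.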
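A second added example, again not part of the post: a small crash-triage helper that scans the text of an "info registers" dump like the one above and reports which registers hold values made of the input's fill byte. This is the check a defender runs on a crash report to decide how serious it is before anything else. The dump string is constructed after the one in the post (32-bit x86); find_controlled_registers() and is_controlled() are hypothetical names, and the 0x100 cutoff is a heuristic chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post.  Crash-triage helper: scan the
 * text of a GDB "info registers" dump and report which registers hold values
 * made of the crashing input's fill byte.  All names are hypothetical. */

/* A value counts as controlled if it is exactly the fill pattern or a small
 * offset above it: the post's faulting address 0x41414149 is the pattern + 8,
 * so such near-misses are worth flagging too.  0x100 is an example cutoff. */
int is_controlled(unsigned long value, unsigned long pattern)
{
    return value >= pattern && value - pattern < 0x100;
}

/* Parses lines of the form "<reg>  0x<hex>  ..." and writes the names of the
 * controlled registers, space separated, into out.  Returns how many there
 * were.  Lines that do not match (the gdb prompt, blank lines) are skipped. */
int find_controlled_registers(const char *dump, unsigned long pattern,
                              char *out, size_t out_size)
{
    char line[256], name[32];
    unsigned long value;
    int count = 0;
    const char *p = dump;

    if (out_size > 0)
        out[0] = '\0';

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1; /* truncate */

        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + full;

        /* %31s bounds the register name; the literal 0x then %lx reads the value */
        if (sscanf(line, "%31s 0x%lx", name, &value) != 2)
            continue;
        if (!is_controlled(value, pattern))
            continue;
        count++;
        if (out_size > 0) {
            if (out[0] != '\0')
                strncat(out, " ", out_size - strlen(out) - 1);
            strncat(out, name, out_size - strlen(out) - 1);
        }
    }
    return count;
}

/* Constructed sample modelled on the register dump in the post above. */
const char *SAMPLE_DUMP =
    "(gdb) i r\n"
    "eax            0xbffff3c6        -1073744954\n"
    "ecx            0x0        0\n"
    "edx            0x61        97\n"
    "ebx            0x283ff4        2637812\n"
    "esp            0xbffff3dc        0xbffff3dc\n"
    "ebp            0x41414141        0x41414141\n"
    "esi            0x0        0\n"
    "edi            0x0        0\n"
    "eip            0x804845d        0x804845d <main+73>\n"
    "eflags        0x10246        [ PF ZF IF RF ]\n"
    "(gdb)\n";

int main(void)
{
    char regs[128];
    int n = find_controlled_registers(SAMPLE_DUMP, 0x41414141UL, regs, sizeof regs);

    printf("%d register(s) hold the fill pattern: %s\n", n, n ? regs : "(none)");
    return 0;
}
```

On the post's dump only ebp is flagged, which matches what the author observed: the saved frame pointer was overwritten but EIP still holds a code address. A dump in which eip itself comes back as the fill pattern is the case that deserves the highest priority in a crash queue.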

lionaneesh 11Feb2011 09:34

Re: Stack Overflow - EIP Overwrite Basics
 
Thanks for accepting my article...

And guys.... stay tuned...
I have already posted my next article and it will be coming up in 1-2 days...

alvisnally 19May2011 02:34

Re: Stack Overflow - EIP Overwrite Basics
 
Operator overloading is often a not-understood feature that enables array-like behaviour, pointer-like operations and built-in-like operations. C++ programmers prefer to avoid pointers because of the bugs that can be introduced.

