Why Stack Overflows Can Be Dangerous?

Discussion in 'C' started by lionaneesh, Jan 30, 2011.

  1. lionaneesh

    lionaneesh Active Member

    The stack is a Last In First Out (LIFO) abstract data structure. The stack is used as the main data structure for processing and data management on most OS architectures, like Intel x86, etc.

    Stack based Overflows

    It happens when too much data is passed on the call stack and results in overwriting data.

    The call stack is a limited amount of memory, often determined at the start of the program.

    When a program tries to access more space than is available to the call stack, it basically results in an overflow.

    Why it is dangerous

    It is dangerous because the call stack contains all our data (declarations), including the one used for user input.

    e.g.:

    If we declared
    Code:
    char pass[] = "I am the password!!!";
    int i = 0;
    char userInput[10];
    
    Then the stack would look like:
    Code:
    ===========
    |userInput|
    -----------
    |int i = 0|
    ===========
    |char pass|

    Now if we overflow userInput, we will successfully overwrite the int i with our desired value. It will be clear when we see the exploit example.

    Exploiting

    Exploit:

    buggyProgram.c

    Code:
    #include <stdio.h>
    int main()
    {
    	int i=0;
    	char userInput[10];
    	printf("Please enter some data : ");
    	gets(userInput); // deprecated function; now you will get to know why we should not use this...
    	if(i==0x31313131)
    	{
    		printf("You !!!! Just exploited me.. Aah! :( :'(\n");
    	}
    	return 0;
    }
    
    Compiling:

    We would be using gcc with the no-stack-protector flag so that the kernel does not stop us.

    Code:
    aneesh@aneesh-laptop:~/articles/C$ gcc buggyProgram.c -fno-stack-protector -o buggyProgram
    /tmp/ccORWe40.o: In function `main':
    buggyProgram.c:(.text+0x26): warning: the `gets' function is dangerous and should not be used.
    aneesh@aneesh-laptop:~/articles/C$ 
    
    Let's exploit it now.

    Let's create an attack string first:

    As we know, userInput is just 10 bytes long. Thus, in order to exploit this we would need to pass 10 bytes to it, and a further four 1's to overwrite the int i variable.

    Attack string:

    Code:
    [10 bytes garbage] + [4 * 1]
           |                |
      for filling     for overwriting
      up userInput    the int variable

    Now let's pass this to the program and see what happens.

    Code:
    aneesh@aneesh-laptop:~/articles/C$ ./buggyProgram 
    Please enter some data : AAAAAAAAAA1111
    You !!!! Just exploited me.. Aah! :( :'(

    
    And BooM!! We did it!!!
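    The hardened counterpart of buggyProgram.c, added here as an example that is not from the original post: the 10-byte buffer is filled with a bounded copy that has the same semantics as fgets(userInput, sizeof userInput, stdin), so the 14-byte attack string above can no longer reach i, and an over-long line is rejected instead of being silently cut short. The names bounded_read and hardened_check, and the in-memory input strings, are my own constructions.

```c
#include <stdio.h>
#include <string.h>

#define INPUT_SIZE 10          /* same buffer size as buggyProgram.c */
#define MAGIC      0x31313131  /* "1111" read as an int, as in the post */

/* Bounded line read into a fixed-size buffer, with the same semantics as
 * fgets(): at most size-1 bytes are copied and the result is always
 * NUL-terminated. Works on an in-memory string (constructed input) so it
 * can run without stdin. Returns 1 if the line did not fit, else 0. */
static int bounded_read(char *dst, size_t size, const char *src)
{
    size_t n = strcspn(src, "\n");      /* length of the first line */
    int truncated = n > size - 1;
    if (truncated)
        n = size - 1;                   /* keep only what fits */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Hardened counterpart of main() in buggyProgram.c. The layout is kept
 * (an int next to a 10-byte buffer), but the copy is bounded, so extra
 * bytes never reach i. Over-long input is rejected instead of being
 * silently cut, because a truncated value is itself a logic bug.
 * Returns -1 if the input was rejected, 1 if the "exploited" branch
 * fired, 0 for a normal accepted line. */
int hardened_check(const char *input)
{
    int i = 0;
    char userInput[INPUT_SIZE];

    if (bounded_read(userInput, sizeof userInput, input))
        return -1;
    return i == MAGIC ? 1 : 0;
}

int main(void)
{
    /* Constructed input: the attack string from the post. */
    const char *attack = "AAAAAAAAAA1111\n";
    int r = hardened_check(attack);
    printf("attack string: %s\n", r == -1 ? "rejected" : r ? "exploited" : "accepted");
    printf("short line:    %s\n", hardened_check("hello\n") == 0 ? "accepted" : "?");
    return 0;
}
```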
     
  2. lionaneesh

    lionaneesh Active Member

    Hey, thanks for accepting.
    Yeah, and check your email please.
     
  3. etrade123

    etrade123 Banned

    Thank you to all those who join our company. It's really good.
     
  4. pankajchandel

    pankajchandel New Member

    I am quite new in this forum, lots of new things to learn, although I am good at programming.
     
  5. lionaneesh

    lionaneesh Active Member

    Thanks Sir, and please read my other articles too!!
     
